Uploaded image for project: 'Crowd Data Center'
  1. Crowd Data Center
  2. CWD-5141

Error logging into Crowd, when the SSO domain starts with a dot ('.')

    XMLWordPrintable

Details

    • Bug
    • Resolution: Fixed
    • Low
    • 3.2.1
    • 3.2.0
    • None

    Description

      Summary

      After upgrading Crowd to version 3.2.x, users can't log into Crowd console. The following error can be found in the atlassian-crowd.log:

      2020-02-30 00:00:00,000 http-nio-8095-exec-7 ERROR [crowd.integration.springsecurity.AbstractCrowdSSOAuthenticationProcessingFilter] Unable to set Crowd SSO token
java.lang.IllegalArgumentException: An invalid domain [.example.com] was specified for this cookie
	at org.apache.tomcat.util.http.Rfc6265CookieProcessor.validateDomain(Rfc6265CookieProcessor.java:203)
	at org.apache.tomcat.util.http.Rfc6265CookieProcessor.generateHeader(Rfc6265CookieProcessor.java:145)
	at org.apache.catalina.connector.Response.generateCookieString(Response.java:1019)
...
...

      Cause

      Crowd has recently upgraded it's bundled Tomcat to version 8.5 and it's now strictly compliant with RFC6265, although according to RFC's Server Requirement Documentation (4.1.2.3. The Domain Attribute), leading dot such as in .example.com is ignored though not permitted:

      Note that a leading %x2E ("."), if present, is ignored even though that character is not permitted

      Workaround

      Remove trailing dot from the SSO domain. 

      1. You will need to access your database and get the current value of the sso domain by running following SQL: 
        select property_value from cwd_property where property_key = 'crowd' and property_name = 'domain'

        This will return a current value of SSO domain set in Crowd, for example .mydomain.com

      1. Assuming that the current value of the SSO domain is .mydomain.com (with a leading dot), update the value with the domain name and omit the leading dot as follows: 
        update cwd_property set property_value = 'mydomain.com' where property_key = 'crowd' and property_name = 'domain'

         

      The same RFC 6265 states that the user agent should ignore leading dot in the domain attribute for the Set-Cookie header and tread the value just as it would not have this leading dot:

      If the first character of the attribute-value string is %x2E ("."):

      Let cookie-domain be the attribute-value without the leading %x2E
      (".") character.

   Otherwise:

      Let cookie-domain be the entire attribute-value.

      so removing the leading dot will not break current SSO integration

      Attachments

        Issue Links

          is caused by

          Suggestion - CWD-4120 Upgrade to Tomcat 8

          • Closed

          KRAK-942 Loading...

          is cloned by

          KRAK-1337 Loading...

          Activity

            People

              mkempa Marcin Kempa
              jwaihou Jonathan Soo
              Votes:
              4 Vote for this issue
              Watchers:
              11 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: