
Error logging into Crowd, when the SSO domain starts with a dot ('.')

Details

    Description

      Summary

      After upgrading Crowd to version 3.2.x, users can't log into Crowd console. The following error can be found in the atlassian-crowd.log:

      2020-02-30 00:00:00,000 http-nio-8095-exec-7 ERROR [crowd.integration.springsecurity.AbstractCrowdSSOAuthenticationProcessingFilter] Unable to set Crowd SSO token
      java.lang.IllegalArgumentException: An invalid domain [.example.com] was specified for this cookie
      	at org.apache.tomcat.util.http.Rfc6265CookieProcessor.validateDomain(Rfc6265CookieProcessor.java:203)
      	at org.apache.tomcat.util.http.Rfc6265CookieProcessor.generateHeader(Rfc6265CookieProcessor.java:145)
      	at org.apache.catalina.connector.Response.generateCookieString(Response.java:1019)
      ...
      ...
      

      Cause

      Crowd recently upgraded its bundled Tomcat to version 8.5, whose cookie processor is strictly compliant with RFC 6265 and rejects a Domain value that starts with a dot. The RFC's server requirements (section 4.1.2.3, The Domain Attribute) say that a leading dot, as in .example.com, is ignored even though it is not permitted:

      Note that a leading %x2E ("."), if present, is ignored even though that character is not permitted
      

      Workaround

      Remove the leading dot from the SSO domain.

      1. You will need to access your database and get the current value of the SSO domain by running the following SQL:
        select property_value from cwd_property where property_key = 'crowd' and property_name = 'domain'

         This will return the current value of the SSO domain set in Crowd, for example .mydomain.com

      2. Assuming that the current value of the SSO domain is .mydomain.com (with a leading dot), update the value with the domain name and omit the leading dot as follows:
        update cwd_property set property_value = 'mydomain.com' where property_key = 'crowd' and property_name = 'domain'


      The same RFC 6265 states (section 5.2.3) that the user agent should ignore a leading dot in the Domain attribute of the Set-Cookie header and treat the value exactly as if it had no leading dot:

      If the first character of the attribute-value string is %x2E ("."):
      
            Let cookie-domain be the attribute-value without the leading %x2E
            (".") character.
      
         Otherwise:
      
            Let cookie-domain be the entire attribute-value.
      

      So removing the leading dot will not break the current SSO integration: the cookie domain the browser stores is identical either way.
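      To make the two halves of this argument concrete, the following added example (not code from Crowd, Tomcat or the RFC) models the server-side validation that produces the error above and the user-agent-side handling that makes the workaround safe. The validation rules are my reading of Tomcat 8.5's RFC 6265 cookie processor and are an assumption; the domain-matching and attribute-parsing functions follow RFC 6265 sections 5.1.3 and 5.2.3. The sample domains are constructed.

```python
"""Added example for CWD-5141: why a leading dot breaks Set-Cookie on Tomcat 8.5,
and why stripping it from the Crowd SSO domain changes nothing for the browser.
Not Crowd's or Tomcat's code."""
import re

# One DNS label: letters, digits and hyphens, starting and ending with a letter
# or digit. Tomcat's strict validator rejects a label that is empty or that
# starts/ends with '.' or '-', which is what a leading dot triggers (assumption:
# modelled on Rfc6265CookieProcessor.validateDomain, not copied from it).
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")


def is_valid_cookie_domain(domain: str) -> bool:
    """True if a strict RFC 6265 server would emit this Domain attribute value."""
    if not domain:
        return False
    return all(_LABEL.match(label) for label in domain.split("."))


def normalize_sso_domain(stored_value: str) -> str:
    """The CWD-5141 workaround as a pre-check: strip one leading dot from the
    value read from cwd_property, then confirm Tomcat would accept the result.
    Raises ValueError if the value would still fail validation."""
    value = stored_value.strip()
    if value.startswith("."):
        value = value[1:]
    if not is_valid_cookie_domain(value):
        raise ValueError(f"invalid cookie domain: {stored_value!r}")
    return value


def cookie_domain_from_attribute(attribute_value: str) -> str:
    """RFC 6265 section 5.2.3: the user agent drops a leading '.' from the
    Domain attribute before storing the cookie."""
    if attribute_value.startswith("."):
        return attribute_value[1:]
    return attribute_value


def domain_matches(host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3 domain-matching, as a user agent applies it when
    deciding whether to send a cookie to `host`. IP-literal hosts never match."""
    host = host.lower()
    cookie_domain = cookie_domain.lower()
    if host == cookie_domain:
        return True
    if re.fullmatch(r"[0-9.]+", host):
        return False
    return host.endswith("." + cookie_domain)


def sso_cookie_reaches(host: str, stored_sso_domain: str) -> bool:
    """End to end: would the Crowd SSO cookie, issued with the given stored
    domain value, be sent by the browser to `host`?"""
    return domain_matches(host, cookie_domain_from_attribute(stored_sso_domain))


if __name__ == "__main__":
    for stored in (".mydomain.com", "mydomain.com"):
        print(f"{stored!r:18} tomcat accepts: {is_valid_cookie_domain(stored)!s:5} "
              f"browser sends to crowd.mydomain.com: {sso_cookie_reaches('crowd.mydomain.com', stored)}")
```

      Running the block shows that Tomcat accepts only the dot-less value while the browser treats both values identically, which is exactly why the UPDATE above is safe to apply.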

      People

        mkempa Marcin Kempa
        jwaihou Jonathan Soo
        Votes: 4
        Watchers: 11