Crowd Data Center

CWD-5141: Error logging into Crowd, when the SSO domain starts with a dot ('.')

    • Type: Bug
    • Resolution: Fixed
    • Priority: Low
    • Fix version: 3.2.1
    • Affects version: 3.2.0

      Summary

      After upgrading Crowd to version 3.2.x, users can't log into the Crowd console. The following error appears in atlassian-crowd.log:

      2020-02-30 00:00:00,000 http-nio-8095-exec-7 ERROR [crowd.integration.springsecurity.AbstractCrowdSSOAuthenticationProcessingFilter] Unable to set Crowd SSO token
      java.lang.IllegalArgumentException: An invalid domain [.example.com] was specified for this cookie
      	at org.apache.tomcat.util.http.Rfc6265CookieProcessor.validateDomain(Rfc6265CookieProcessor.java:203)
      	at org.apache.tomcat.util.http.Rfc6265CookieProcessor.generateHeader(Rfc6265CookieProcessor.java:145)
      	at org.apache.catalina.connector.Response.generateCookieString(Response.java:1019)
      	...

      Cause

      Crowd has recently upgraded its bundled Tomcat to version 8.5, which is now strictly compliant with RFC 6265. According to the RFC's server requirements (section 4.1.2.3, The Domain Attribute), a leading dot such as in .example.com is ignored by clients even though it is not permitted:

      Note that a leading %x2E ("."), if present, is ignored even though that character is not permitted
      

      Workaround

      Remove the leading dot from the SSO domain.

      1. Access your database and get the current value of the SSO domain by running the following SQL:
        select property_value from cwd_property where property_key = 'crowd' and property_name = 'domain'

        This will return the current value of the SSO domain set in Crowd, for example .mydomain.com

      2. Assuming that the current value of the SSO domain is .mydomain.com (with a leading dot), update the value with the domain name and omit the leading dot as follows:
        update cwd_property set property_value = 'mydomain.com' where property_key = 'crowd' and property_name = 'domain'

      The same RFC 6265 (section 5.2.3, https://tools.ietf.org/html/rfc6265#section-5.2.3) states that the user agent should ignore a leading dot in the Domain attribute of the Set-Cookie header and treat the value just as if it did not have the leading dot:

      If the first character of the attribute-value string is %x2E ("."):
      
            Let cookie-domain be the attribute-value without the leading %x2E
            (".") character.
      
         Otherwise:
      
            Let cookie-domain be the entire attribute-value.
      

      So removing the leading dot will not break the current SSO integration.
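      Added example (not Crowd's or Tomcat's code): a Python model of the three pieces involved here, a strict server-side domain check that rejects a leading dot, the user-agent normalisation of RFC 6265 section 5.2.3 that strips it, and the domain-matching rule of section 5.1.3. It shows that the stored value with and without the dot yields the same cookie-domain, so the workaround keeps SSO working on subdomains; the label regex and the sample values are assumptions.

```python
import re

# Hostname-label syntax for the strict server check below: an assumption that
# mirrors the intent of Tomcat's Rfc6265CookieProcessor, not Tomcat's code.
_LABEL = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

def strict_server_validate(domain: str) -> bool:
    """Strict server-side check: a leading '.' or a malformed label is
    rejected, which is why Set-Cookie fails for '.example.com'."""
    if not domain or domain.startswith("."):
        return False
    return all(_LABEL.match(label) for label in domain.split("."))

def user_agent_cookie_domain(attribute_value: str) -> str:
    """RFC 6265 section 5.2.3: drop one leading '.' and lower-case the
    value to obtain the cookie-domain the browser stores."""
    if attribute_value.startswith("."):
        attribute_value = attribute_value[1:]
    return attribute_value.lower()

def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3 for a hostname (not an IP): exact match, or
    request_host is a subdomain of cookie_domain."""
    request_host = request_host.lower()
    if request_host == cookie_domain:
        return True
    return (request_host.endswith(cookie_domain)
            and request_host[-len(cookie_domain) - 1] == ".")

def fix_sso_domain(stored_value: str) -> str:
    """The workaround (and the 3.2.1 upgrade step): remove the leading dot."""
    return stored_value[1:] if stored_value.startswith(".") else stored_value

def check(stored_value: str, request_host: str) -> dict:
    """Compare the stored value with its fixed form from both sides."""
    fixed = fix_sso_domain(stored_value)
    return {
        "server_accepts_original": strict_server_validate(stored_value),
        "server_accepts_fixed": strict_server_validate(fixed),
        "same_cookie_domain": (user_agent_cookie_domain(stored_value)
                               == user_agent_cookie_domain(fixed)),
        "cookie_sent_to_host": domain_matches(
            request_host, user_agent_cookie_domain(fixed)),
    }

if __name__ == "__main__":  # constructed sample values, not from a real instance
    for value in (".example.com", "example.com", ".EXAMPLE.COM"):
        print(value, check(value, "crowd.example.com"))
```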

            Karan Ahuja made changes - Remote Link: "KRAK-1337 (JIRA Server)" changed to "KRAK-1337 (JIRA Server (Bulldog))"
            Monique Khairuliana (Inactive) made changes - Epic Link Original: CWD-4704
            Monique Khairuliana (Inactive) made changes - Workflow: Simplified Crowd Development Workflow v2 - restricted changed to JAC Bug Workflow v3; Status: Resolved changed to Closed
            Owen made changes - Symptom Severity: Major changed to Severity 2 - Major

            Marcin Kempa added a comment - This issue was resolved in Crowd 3.2.1. The leading dot in the SSO cookie domain will be automatically removed from the configuration during the upgrade process. Crowd Team
            Marcin Kempa made changes -
            Resolution: Fixed; Status: In Progress changed to Resolved
            Lukasz Pater made changes - Description edited
            Lukasz Pater made changes -
            Remote Link: This issue links to "KRAK-1337 (JIRA Server)"

            Bruno Vincent added a comment - Thanks Lukasz. We have actually faced that issue on several Jira/Confluence instances but you're right, this is our add-on's code that sets the Crowd cookie, not Atlassian's Crowd client integration libraries. Anyway, removing the leading dot has always fixed the problem.

            Lukasz Pater added a comment - bruno.vincent@atlantis.fr as far as we are aware, this currently only affects Crowd, as other products use the previous way of setting the cookie for now.

              People: Marcin Kempa (mkempa), Jonathan Soo (jwaihou)
              Affected customers: 4
              Watchers: 11