- Bug
- Resolution: Unresolved
- Low
- None
- 5.2.3
- None
- 2
- Severity 3 - Minor
- 2
Issue Descriptions
Login fails intermittently when using the Crowd Authenticator.
The issue can be intermittent if the X-Forwarded-For headers between the Crowd app (AWS EC2) and the ELB contain random IP addresses.
As per the Crowd documentation, configuring a trusted proxy server means that Crowd will iterate through the client IP address and the IP addresses in the X-Forwarded-For header from right to left and pick the first IP address that is not a trusted proxy. That address is then used as the client's IP address.
If an entry has the form x.x.x.x:port, Crowd authentication fails with the error below:
2024-01-24 23:21:38,064 http-nio-8095-exec-4 ERROR [console.action.principal.AddPrincipal] java.net.UnknownHostException: X.X.X.X:<port>: invalid IPv6 address literal
java.lang.RuntimeException: java.net.UnknownHostException: X.X.X.X:<port>: invalid IPv6 address literal
    at com.atlassian.crowd.manager.validation.XForwardedForUtil.getTrustedAddress(XForwardedForUtil.java:42)
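The right-to-left selection described above, and why an `ip:port` entry trips a strict address parser, as an added Python example. This is not Crowd's code: the function names, the trusted range, the all-trusted fallback and every address are constructed for illustration.

```python
import ipaddress

def naive_parse(entry):
    """Strict parse: 'x.x.x.x:port' is not a valid address literal."""
    return ipaddress.ip_address(entry.strip())

def strip_port(entry):
    """Return the bare IP from 'ip', 'ipv4:port' or '[ipv6]:port'."""
    entry = entry.strip()
    if entry.startswith("["):                 # [2001:db8::1]:443
        host, closing, _port = entry[1:].partition("]")
        if not closing:
            raise ValueError(f"unterminated bracket in {entry!r}")
    elif entry.count(":") == 1:               # 203.0.113.7:51234
        host = entry.split(":", 1)[0]
    else:                                     # bare IPv4 or bare IPv6
        host = entry
    return ipaddress.ip_address(host)         # still rejects garbage

def trusted_client_address(remote_addr, xff_header, trusted_proxies):
    """Walk remote_addr, then X-Forwarded-For right to left, and return
    the first address that is not inside a trusted proxy range."""
    trusted = [ipaddress.ip_network(p) for p in trusted_proxies]
    chain = [e for e in xff_header.split(",") if e.strip()] + [remote_addr]
    addr = None
    for entry in reversed(chain):
        addr = strip_port(entry)
        if not any(addr in net for net in trusted):
            return addr
    return addr  # assumption: if every hop is trusted, use the leftmost

if __name__ == "__main__":
    # Constructed sample: load balancer node 10.0.1.5 connects to the app
    # and has appended the client's address together with its source port.
    header = "198.51.100.9, 203.0.113.7:51234"
    try:
        naive_parse("203.0.113.7:51234")
    except ValueError as exc:
        print("strict parser rejects the entry:", exc)
    # The leftmost entry is client-supplied and never reached.
    print(trusted_client_address("10.0.1.5", header, ["10.0.0.0/8"]))
```

Stripping the port in the application is an alternative to the load balancer change only where the application code can be modified; the right-to-left walk is what keeps a client-supplied leftmost entry from being chosen.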
Workaround
- If the customer is using AWS, reconfigure the AWS load balancer to exclude the port number from the X-Forwarded-For header.
- This can be done by setting the attribute routing.http.xff_client_port.enabled to false, as described in the documentation below:
routing.http.xff_client_port.enabled - Indicates whether the X-Forwarded-For header should preserve the source port that the client used to connect to the load balancer. The possible values are true and false. The default is false.
- is cloned by KRAK-5644