Issue Descriptions
Intermittently login fails when using Crowd Authenticator
The issue might be intermittent if the X-forwarded headers have all random IP addresses between the Crowd app(AWS EC2) and ELB.
As per Crowd Documentation configuring a trusted proxy server means that Crowd will iterate through client IP address and IP addresses in the X-Forwarded-For header from right to left and pick the first IP address that is not a trusted proxy. The address is then used as the client's IP address.
If the IP address contains x.x.x.x:port, Crowd authentication fails with below error
2024-01-24 23:21:38,064 http-nio-8095-exec-4 ERROR [console.action.principal.AddPrincipal] java.net.UnknownHostException: X.X.X.X:<port>: invalid IPv6 address literal
java.lang.RuntimeException: java.net.UnknownHostException: X.X.X.X:<port>: invalid IPv6 address literal
at com.atlassian.crowd.manager.validation.XForwardedForUtil.getTrustedAddress(XForwardedForUtil.java:42)
Workaround
- If the customer is using AWS , reconfigure the AWS load balancer to exclude the port number from the header x-forwarded-for.
- This can be done by setting parameter routing.http.xff_client_port.enabled as false as described in the below documentation;
LoadBalancerAttribute
routing.http.xff_client_port.enable - Indicates whether the X-Forwarded-For header should preserve the source port that the client used to connect to the load balancer. The possible values are true and false. The default is false.
Bug
Low
KRAK-5644 You do not have permission to view this issue