- Type: Bug
- Resolution: Fixed
- Priority: Medium
- Affects Version/s: 7.1.2
- Component/s: Installation/Setup
- Severity 3 - Minor
Issue Summary
When Crowd Data Center is deployed behind a reverse proxy that communicates with Crowd using the AJP connector, DELETE operations against Crowd’s REST APIs fail. This impacts any functionality that relies on HTTP DELETE requests, such as removing users from directories or groups, deleting applications, or revoking tokens via API.
This occurs because Crowd never receives the intended HTTP DELETE request from the proxy. Instead, Crowd receives only an HTTP OPTIONS request for these operations, which does not trigger deletion logic in the application. As a result, administrators and integrations cannot reliably perform delete operations via Crowd’s REST APIs (e.g., a DELETE request from Confluence) when requests are proxied over AJP.
The issue is caused by a known bug in Tomcat 9.0.110 and 10.1.47, where DELETE requests sent through an AJP connector are incorrectly converted to OPTIONS requests before reaching the application.
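To confirm that a deployment is affected, the proxy's access log can be compared with Crowd's Tomcat access log. The Python below is an added example, not Atlassian code: it assumes both logs use Common Log Format, and the sample lines, function names and two-second skew window are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in Common Log Format. Hosts, user names and
# timestamps are made up; status and size fields are placeholders.
PROXY_LOG = '''\
203.0.113.10 - - [12/Nov/2025:10:15:02 +0000] "DELETE /crowd/rest/usermanagement/1/user?username=jdoe HTTP/1.1" 000 0
203.0.113.10 - - [12/Nov/2025:10:15:07 +0000] "GET /crowd/rest/usermanagement/1/user?username=asmith HTTP/1.1" 000 0
203.0.113.10 - - [12/Nov/2025:10:16:30 +0000] "DELETE /crowd/rest/usermanagement/1/group?groupname=temp HTTP/1.1" 000 0
'''
CROWD_LOG = '''\
203.0.113.10 - - [12/Nov/2025:10:15:03 +0000] "OPTIONS /crowd/rest/usermanagement/1/user?username=jdoe HTTP/1.1" 000 0
203.0.113.10 - - [12/Nov/2025:10:15:07 +0000] "GET /crowd/rest/usermanagement/1/user?username=asmith HTTP/1.1" 000 0
203.0.113.10 - - [12/Nov/2025:10:16:30 +0000] "DELETE /crowd/rest/usermanagement/1/group?groupname=temp HTTP/1.1" 000 0
'''

REQ = re.compile(r'\[([^\]]+)\] "([A-Z]+) (\S+) ')
SKEW = timedelta(seconds=2)  # assumed tolerance between proxy and Crowd clocks

def parse(log):
    """Return (time, method, uri) for every parseable access-log line."""
    out = []
    for line in log.splitlines():
        m = REQ.search(line)
        if m:
            when = datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z")
            out.append((when, m.group(2), m.group(3)))
    return out

def rewritten_deletes(proxy_log, crowd_log):
    """List DELETEs seen by the proxy that Crowd logged under another method."""
    crowd = parse(crowd_log)
    findings = []
    for when, method, uri in parse(proxy_log):
        if method != "DELETE":
            continue
        # Methods Crowd recorded for the same URI at about the same time.
        got = {m for t, m, u in crowd if u == uri and abs(t - when) <= SKEW}
        # No match at all is inconclusive (clock skew, log rotation): skip it.
        if got and "DELETE" not in got:
            findings.append((uri, sorted(got)))
    return findings

if __name__ == "__main__":
    for uri, methods in rewritten_deletes(PROXY_LOG, CROWD_LOG):
        print(f"DELETE {uri} reached Crowd as {', '.join(methods)}")
```

Each finding is a delete that the caller believes was attempted but that Crowd never processed, so the affected users, groups or tokens should be re-checked once the proxy is reconfigured.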
Steps to Reproduce
- Deploy Crowd behind a reverse proxy using AJP.
- Configure Crowd as the user directory in Confluence with READ/WRITE permission.
- Create a user in the Crowd Internal Directory.
- Sync the user directory in Confluence.
- Delete the user in Confluence.
Expected Results
An authorized user in Confluence should be able to delete the user in Crowd.
Actual Results
The following exception is thrown in the Confluence UI and in the logs.
PERMISSION_DENIED. You must log in again in order to perform this action.
Workaround
Reconfigure the proxy to forward requests to Crowd using the HTTP connector instead of the AJP connector.