How is the remote address in Crowd's ValidationFactor enforced?

I am currently working on implementing Crowd via Spring Security. I am using the Crowd Integration API v2.4.2 for this purpose. To enforce that users are authenticated, I am using the CrowdSSOAuthenticationProcessingFilter for this matter. The authentication is unfortunately not successful when I try it from my local machine. After some debugging I've noticed that this is caused by the enforcement of ValidationFactors.

The only ValidationFactor I have at this moment is the remote address, which is 0:0:0:0:0:0:0:1 (IPv6 loopback). I have tried to add this address to the allowed remote addresses in Crowd, as well as editing it to or another address that was already allowed in the Crowd configuration. Changing the value to an empty string does result in success though. I can't really find out how this is enforced; maybe I'm missing some configuration. A hint in the right direction would be very much appreciated.

Sander Benschop

4 answers

1 accepted

1 vote
Answer accepted
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
Jun 27, 2012

Crowd should check the ValidationFactors against those provided when the session was created. If token validation only succeeds when the empty string is passed for a remote address then that suggests that the session was created without the application passing in a remote address.

If both of these applications are under your control then you'll need to look into the difference in behaviour.

Thanks, your comment put me in the right direction. I was using a custom controller which spoke with the Crowd authentication provider to return a Crowd SSO token for the initial authentication. I did not provide it with the remote address though, which caused an inconsistency later on. :)

I am having the same issue as above, but my application is coded using PHP, and the class that is doing all the magic directed me to this page.

How can I solve this issue, since the token is the same from one of our applications using Crowd but my custom PHP application is returning Crowd SSO inconsistency: validation factors failed for token XXXXXXXXXXXXXXX - malfeasance?

Note: I don't have rights to the Crowd console; only the administrator does.

Joseph, I am trying to get SSO working between applications.

The CacheAwareAuthenticationManager's isAuthenticated method is called, to which the token and validation factors are passed. Subsequently the SecurityServerClientImpl's isValidToken function is invoked via an Xfire proxy. This function returns false if the remote address is something other than an empty string.

0 votes
Atlassian Team
Jun 26, 2012

The ValidationFactor is there to ensure that a session is being used by the same end user that created it, to prevent hijacking. The CrowdSSOAuthenticationProcessingFilter will populate it with the client IP address before passing the details to Crowd to ensure a match, but it shouldn't prevent creation of a session. However, if one SSO application provides a different IP address when it authenticates the session then it will fail.

Are you configuring a single application here or getting SSO working between applications? Can you provide more details about authentication failing?
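
The mismatch diagnosed in this thread, as a simplified model added here for illustration (it is not Crowd's code and does not come from any poster): a session created without a remote address only validates when the validating side also sends none. `SessionStore`, the function names, the factor name and the rule that a missing factor equals an empty string are assumptions of the model.

```python
import secrets

REMOTE_ADDRESS = "remote_address"  # factor name assumed for this model


class SessionStore:
    """Toy stand-in for the SSO server: binds a token to the factors sent at creation."""

    def __init__(self):
        self._sessions = {}

    def create_session(self, user, factors):
        token = secrets.token_hex(12)
        # Store the factors exactly as the creating application supplied them.
        self._sessions[token] = (user, dict(factors))
        return token

    def mismatches(self, token, factors):
        """Return {name: (stored, presented)} for every factor that differs."""
        stored = self._sessions[token][1]
        # Assumption: a factor that was never sent compares equal to "".
        return {
            name: (stored.get(name, ""), factors.get(name, ""))
            for name in set(stored) | set(factors)
            if stored.get(name, "") != factors.get(name, "")
        }

    def is_valid(self, token, factors):
        return token in self._sessions and not self.mismatches(token, factors)


def custom_controller_login(store, user, client_ip):
    # The inconsistency from the thread: the login path omits the client address.
    return store.create_session(user, {})


def fixed_controller_login(store, user, client_ip):
    # Corrected login path: forward the same factor the filter will send later.
    return store.create_session(user, {REMOTE_ADDRESS: client_ip})


def filter_check(store, token, client_ip):
    # The validating side always presents the client address.
    return store.is_valid(token, {REMOTE_ADDRESS: client_ip})


if __name__ == "__main__":
    store, ip = SessionStore(), "0:0:0:0:0:0:0:1"  # constructed sample values
    token = custom_controller_login(store, "alice", ip)
    print(filter_check(store, token, ip), store.mismatches(token, {REMOTE_ADDRESS: ip}))
    print(filter_check(store, fixed_controller_login(store, "alice", ip), ip))
```

Logging the output of `mismatches` on both the session-creating and the validating application shows which side is sending a different factor set.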
