Cookie-based Authentication - JIRA & Crowd

Rui Rodrigues
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
June 26, 2017

Hi There,

I have an add-on that needs to load images from JIRA issues.

I have the image's URL, but I'm having a problem related to authentication.

I've tested 2 scenarios:

  • JIRA without Crowd configured: it works.
  • JIRA with Crowd configured: it does not work.

I'm making an HTTP GET to load the image data, and I pass the user's cookies.

Does anyone know the root of the problem? Any suggestions?


Cheers,

Rui Rodrigues.

2 answers

0 votes
vincent_marx_external April 28, 2021

When you generate the SSO cookie with user/password, you must specify the IP address:

// POST: API/session  (create the session; the IP becomes a validation factor)
// json_encode() escapes quotes and backslashes in $user and $pass, which
// splicing them into a JSON string literal by concatenation did not.
$createSession = [
    'username' => $user,
    'password' => $pass,
    'validation-factors' => ['validationFactors' => [
        ['name' => 'remote_address', 'value' => $_SERVER['SERVER_ADDR']],
    ]],
];
$request->body(json_encode($createSession)); // $request: the HTTP client's request object (hypothetical name)

// POST: API/session/$token  (validate the token with the same factor)
$validateSession = ['validationFactors' => [
    ['name' => 'remote_address', 'value' => $_SERVER['SERVER_ADDR']],
]];
$request->body(json_encode($validateSession));
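The same two Crowd REST calls in Python, as an added example rather than the answer's own code. It assumes the session resource paths that appear in the Jira debug log further down this thread (/rest/usermanagement/1/session and /rest/usermanagement/1/session/{token} under the Crowd base URL), that the calling application authenticates to Crowd with HTTP Basic (CROWD_BASE_URL, APP_NAME and APP_PASSWORD are placeholders), and that the create-session reply carries the token in a "token" field. The remote address argument plays the role of $_SERVER['SERVER_ADDR'] above: Crowd records it as a validation factor and re-checks it on every later validation.

```python
"""Crowd REST SSO session creation and validation with a remote_address
validation factor. Added example, not the forum answer's code.
Assumptions: Crowd REST paths /rest/usermanagement/1/session and
/rest/usermanagement/1/session/{token}; HTTP Basic auth with the
application's name/password; CROWD_BASE_URL, APP_NAME and APP_PASSWORD
are placeholders."""
import base64
import json
import urllib.request

CROWD_BASE_URL = "http://localhost:8095/crowd"  # placeholder (host/port seen in the thread's logs)
APP_NAME = "jira"                                # placeholder application name
APP_PASSWORD = "application-password-placeholder"


def remote_address_factor(remote_address):
    """The validation factor Crowd re-checks on every later validation."""
    return [{"name": "remote_address", "value": remote_address}]


def create_session_body(username, password, remote_address):
    """Payload for POST /rest/usermanagement/1/session. Note the nesting:
    'validation-factors' wraps a 'validationFactors' list."""
    return {
        "username": username,
        "password": password,
        "validation-factors": {"validationFactors": remote_address_factor(remote_address)},
    }


def validate_session_body(remote_address):
    """Payload for POST /rest/usermanagement/1/session/{token}; here the
    'validationFactors' list sits at the top level."""
    return {"validationFactors": remote_address_factor(remote_address)}


def encode_body(body):
    """Serialise with a real JSON encoder so quotes and backslashes in the
    username or password are escaped rather than spliced into the document
    by string concatenation."""
    return json.dumps(body)


def crowd_post(path, body):
    """POST one JSON document as the application and return the decoded
    reply. A non-2xx status raises urllib.error.HTTPError; its body carries
    Crowd's reason (for example an invalid-token error)."""
    creds = base64.b64encode(f"{APP_NAME}:{APP_PASSWORD}".encode()).decode()
    req = urllib.request.Request(
        CROWD_BASE_URL + path,
        data=encode_body(body).encode(),
        method="POST",
        headers={
            "Content-Type": "application/json",
            "Accept": "application/json",
            "Authorization": "Basic " + creds,
        },
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def sso_login_and_validate(username, password, remote_address):
    """Create a session bound to remote_address, then validate the returned
    token with the same factor. The 'token' field name is assumed from the
    Crowd REST session resource."""
    session = crowd_post("/rest/usermanagement/1/session",
                         create_session_body(username, password, remote_address))
    token = session["token"]
    crowd_post("/rest/usermanagement/1/session/" + token,
               validate_session_body(remote_address))
    return token
```

The body builders and encode_body run offline; crowd_post and sso_login_and_validate need a reachable Crowd instance and an application registered with the Basic-auth credentials. Whatever address is placed in the factor at creation time is the only address that will validate later while 'Require Consistent Client IP address' is enabled, so it should be the real client's address, not simply the caller's own.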

0 votes
Bruno Vincent
June 26, 2017

Hi Rui,

Which cookies are you passing? (you should pass JSESSIONID along with crowd.token_key and atlassian.xsrf.token)

Rui Rodrigues
June 26, 2017

Hi Bruno,

Thank you for your reply.

I'm passing all of the user's cookies.

Should I pass only those cookies you've mentioned?

Thank you.

Cheers,

Rui Rodrigues

Bruno Vincent
June 26, 2017

Well, you might give it a try, but no, I don't think so. As long as those three are there, it should work.

Maybe you should try to set the log level of the com.atlassian.crowd package to DEBUG in Jira's administration UI (Administration > Logging and profiling > Default Loggers > Configure logging level for another package). My guess is that there might be something wrong with the Crowd SSO cookie if it is ever sent.

Rui Rodrigues
June 27, 2017

Hi Bruno,

I've enabled the DEBUG level for the crowd package, and the following log was written:

2017-06-27 09:47:04,620 http-nio-8080-exec-10 DEBUG anonymous 587x766x2 13ad8rg 127.0.0.1 /activity [c.a.c.i.rest.service.RestExecutor] Constructed http://localhost:8095/crowd/rest/usermanagement/1/config/cookie
2017-06-27 09:47:04,620 http-nio-8080-exec-10 DEBUG anonymous 587x766x2 13ad8rg 127.0.0.1 /activity [c.a.c.i.rest.service.RestExecutor] Cache response for GET http://localhost:8095/crowd/rest/usermanagement/1/config/cookie was CACHE_HIT
2017-06-27 09:47:04,644 http-nio-8080-exec-10 DEBUG anonymous 587x766x2 13ad8rg 127.0.0.1 /activity [c.a.c.i.http.util.CrowdHttpTokenHelperImpl] Checking for a SSO token that will need to be verified by Crowd.
2017-06-27 09:47:04,644 http-nio-8080-exec-10 DEBUG anonymous 587x766x2 13ad8rg 127.0.0.1 /activity [c.a.c.i.http.util.CrowdHttpTokenHelperImpl] No request attribute token could be found, now checking the browser submitted cookies.
2017-06-27 09:47:04,644 http-nio-8080-exec-10 DEBUG anonymous 587x766x2 13ad8rg 127.0.0.1 /activity [c.a.c.i.http.util.CrowdHttpTokenHelperImpl] Cookie name/value: atlassian.xsrf.token / BDGX-YF4H-C5YM-KFUZ|466099069612a44f0bd687303876eff41f154092|lin
2017-06-27 09:47:04,644 http-nio-8080-exec-10 DEBUG anonymous 587x766x2 13ad8rg 127.0.0.1 /activity [c.a.c.i.http.util.CrowdHttpTokenHelperImpl] Cookie name/value: JSESSIONID / 217594868635F307A39271A02C9D1302
2017-06-27 09:47:04,644 http-nio-8080-exec-10 DEBUG anonymous 587x766x2 13ad8rg 127.0.0.1 /activity [c.a.c.i.http.util.CrowdHttpTokenHelperImpl] Cookie name/value: crowd.token_key / Gq2uNoWAhA0FSW0jsFBRhw00
2017-06-27 09:47:04,644 http-nio-8080-exec-10 DEBUG anonymous 587x766x2 13ad8rg 127.0.0.1 /activity [c.a.c.i.http.util.CrowdHttpTokenHelperImpl] Accepting the SSO cookie value: Gq2uNoWAhA0FSW0jsFBRhw00
2017-06-27 09:47:04,644 http-nio-8080-exec-10 DEBUG anonymous 587x766x2 13ad8rg 127.0.0.1 /activity [c.a.c.i.http.util.CrowdHttpTokenHelperImpl] Existing token value yet to be verified by Crowd: Gq2uNoWAhA0FSW0jsFBRhw00
2017-06-27 09:47:04,644 http-nio-8080-exec-10 DEBUG anonymous 587x766x2 13ad8rg 127.0.0.1 /activity [c.a.c.i.rest.service.RestExecutor] Constructed http://localhost:8095/crowd/rest/usermanagement/1/session/Gq2uNoWAhA0FSW0jsFBRhw00
2017-06-27 09:47:04,649 http-nio-8080-exec-10 DEBUG anonymous 587x766x2 13ad8rg 127.0.0.1 /activity [c.a.c.i.rest.service.RestExecutor] Cache response for POST http://localhost:8095/crowd/rest/usermanagement/1/session/Gq2uNoWAhA0FSW0jsFBRhw00 was CACHE_MISS
2017-06-27 09:47:04,653 http-nio-8080-exec-10 DEBUG anonymous 587x766x2 13ad8rg 127.0.0.1 /activity [c.a.c.integration.http.CrowdHttpAuthenticator] Token doesn't match the existing token.
com.atlassian.crowd.exception.InvalidTokenException: Token doesn't match the existing token.
 at com.atlassian.crowd.integration.rest.service.RestCrowdClient.handleInvalidSsoToken(RestCrowdClient.java:1517)
 at com.atlassian.crowd.integration.rest.service.RestCrowdClient.validateSSOAuthenticationAndGetSession(RestCrowdClient.java:1150)
 at com.atlassian.crowd.integration.http.CrowdHttpAuthenticatorImpl.checkAuthenticated(CrowdHttpAuthenticatorImpl.java:155)
 at com.atlassian.crowd.integration.http.CacheAwareCrowdHttpAuthenticator.checkAuthenticated(CacheAwareCrowdHttpAuthenticator.java:82)
 at com.atlassian.crowd.integration.seraph.CrowdAuthenticator.checkAuthenticated(CrowdAuthenticator.java:271)
 at com.atlassian.crowd.integration.seraph.CrowdAuthenticator.getUser(CrowdAuthenticator.java:429)
 at com.atlassian.jira.security.login.SSOSeraphAuthenticator.getUser(SSOSeraphAuthenticator.java:63)
 at com.atlassian.seraph.filter.SecurityFilter.doFilter(SecurityFilter.java:139)
 at com.atlassian.jira.security.JiraSecurityFilter.doFilter(JiraSecurityFilter.java:78)
 at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
 at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
 at com.atlassian.security.auth.trustedapps.filter.TrustedApplicationsFilter.doFilter(TrustedApplicationsFilter.java:103)
 at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
 at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
 at com.atlassian.seraph.filter.BaseLoginFilter.doFilter(BaseLoginFilter.java:148)
 at com.atlassian.jira.web.filters.JiraLoginFilter.doFilter(JiraLoginFilter.java:77)
 at com.atlassian.core.filters.AbstractHttpFilter.doFilter(AbstractHttpFilter.java:32)
 at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
 at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
 at com.atlassian.plugin.servlet.filter.IteratingFilterChain.doFilter(IteratingFilterChain.java:39)
 at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter$1.doFilter(DelegatingPluginFilter.java:58)
 at com.atlassian.oauth.serviceprovider.internal.servlet.OAuthFilter.doFilter(OAuthFilter.java:67)
 at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter.doFilter(DelegatingPluginFilter.java:64)
 at com.atlassian.plugin.servlet.filter.IteratingFilterChain.doFilter(IteratingFilterChain.java:37)
 at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter$1.doFilter(DelegatingPluginFilter.java:58)
 at com.atlassian.prettyurls.filter.PrettyUrlsCombinedMatchDispatcherFilter.doFilter(PrettyUrlsCombinedMatchDispatcherFilter.java:56)
 at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter.doFilter(DelegatingPluginFilter.java:64)
 at com.atlassian.plugin.servlet.filter.IteratingFilterChain.doFilter(IteratingFilterChain.java:37)
 at com.atlassian.plugin.servlet.filter.ServletFilterModuleContainerFilter.doFilter(ServletFilterModuleContainerFilter.java:70)
 at com.atlassian.plugin.servlet.filter.ServletFilterModuleContainerFilter.doFilter(ServletFilterModuleContainerFilter.java:58)
 at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
 at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
 at org.tuckey.web.filters.urlrewrite.RuleChain.handleRewrite(RuleChain.java:176)
 at org.tuckey.web.filters.urlrewrite.RuleChain.doRules(RuleChain.java:145)
 at org.tuckey.web.filters.urlrewrite.UrlRewriter.processRequest(UrlRewriter.java:92)
 at org.tuckey.web.filters.urlrewrite.UrlRewriteFilter.doFilter(UrlRewriteFilter.java:394)
 at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
 at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
 at com.atlassian.jira.servermetrics.CorrelationIdPopulatorFilter.doFilter(CorrelationIdPopulatorFilter.java:30)
 at com.atlassian.core.filters.AbstractHttpFilter.doFilter(AbstractHttpFilter.java:32)
 at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
 at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
 at com.atlassian.plugin.servlet.filter.IteratingFilterChain.doFilter(IteratingFilterChain.java:39)
 at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter$1.doFilter(DelegatingPluginFilter.java:58)
 at com.atlassian.servicedesk.internal.web.CustomerContextSettingFilter.lambda$invokeFilterChain$0(CustomerContextSettingFilter.java:181)
 at com.atlassian.servicedesk.internal.utils.context.ReentrantThreadLocalBasedCodeContext.rteInvoke(ReentrantThreadLocalBasedCodeContext.java:134)
 at com.atlassian.servicedesk.internal.utils.context.ReentrantThreadLocalBasedCodeContext.runOutOfContext(ReentrantThreadLocalBasedCodeContext.java:87)
 at com.atlassian.servicedesk.internal.utils.context.CustomerContextServiceImpl.runOutOfCustomerContext(CustomerContextServiceImpl.java:64)
 at com.atlassian.servicedesk.internal.web.CustomerContextSettingFilter.outOfCustomerContext(CustomerContextSettingFilter.java:174)
 at com.atlassian.servicedesk.internal.web.CustomerContextSettingFilter.doFilterImpl(CustomerContextSettingFilter.java:130)
 at com.atlassian.servicedesk.internal.web.CustomerContextSettingFilter.doFilter(CustomerContextSettingFilter.java:121)
 at com.atlassian.core.filters.AbstractHttpFilter.doFilter(AbstractHttpFilter.java:32)
 at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter.doFilter(DelegatingPluginFilter.java:64)
 at com.atlassian.plugin.servlet.filter.IteratingFilterChain.doFilter(IteratingFilterChain.java:37)
 at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter$1.doFilter(DelegatingPluginFilter.java:58)
 at com.atlassian.jwt.internal.servlet.JwtAuthFilter.doFilter(JwtAuthFilter.java:32)
 at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter.doFilter(DelegatingPluginFilter.java:64)
 at com.atlassian.plugin.servlet.filter.IteratingFilterChain.doFilter(IteratingFilterChain.java:37)
 at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter$1.doFilter(DelegatingPluginFilter.java:58)
 at com.atlassian.analytics.client.filter.JiraAnalyticsFilter.doFilter(JiraAnalyticsFilter.java:42)
 at com.atlassian.analytics.client.filter.AbstractHttpFilter.doFilter(AbstractHttpFilter.java:39)
 at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter.doFilter(DelegatingPluginFilter.java:64)
 at com.atlassian.plugin.servlet.filter.IteratingFilterChain.doFilter(IteratingFilterChain.java:37)
 at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter$1.doFilter(DelegatingPluginFilter.java:58)
 at com.atlassian.web.servlet.plugin.request.RedirectInterceptingFilter.doFilter(RedirectInterceptingFilter.java:21)
 at com.atlassian.core.filters.AbstractHttpFilter.doFilter(AbstractHttpFilter.java:32)
 at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter.doFilter(DelegatingPluginFilter.java:64)
 at com.atlassian.plugin.servlet.filter.IteratingFilterChain.doFilter(IteratingFilterChain.java:37)
 at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter$1.doFilter(DelegatingPluginFilter.java:58)
 at com.atlassian.web.servlet.plugin.LocationCleanerFilter.doFilter(LocationCleanerFilter.java:36)
 at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter.doFilter(DelegatingPluginFilter.java:64)
 at com.atlassian.plugin.servlet.filter.IteratingFilterChain.doFilter(IteratingFilterChain.java:37)
 at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter$1.doFilter(DelegatingPluginFilter.java:58)
 at com.atlassian.prettyurls.filter.PrettyUrlsCombinedMatchDispatcherFilter.doFilter(PrettyUrlsCombinedMatchDispatcherFilter.java:56)
 at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter.doFilter(DelegatingPluginFilter.java:64)
 at com.atlassian.plugin.servlet.filter.IteratingFilterChain.doFilter(IteratingFilterChain.java:37)
 at com.atlassian.plugin.servlet.filter.ServletFilterModuleContainerFilter.doFilter(ServletFilterModuleContainerFilter.java:70)
 at com.atlassian.plugin.servlet.filter.ServletFilterModuleContainerFilter.doFilter(ServletFilterModuleContainerFilter.java:58)
 at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
 at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
 at com.atlassian.jira.web.filters.steps.ChainedFilterStepRunner.doFilter(ChainedFilterStepRunner.java:74)
 at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
 at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
 at com.atlassian.core.filters.cache.AbstractCachingFilter.doFilter(AbstractCachingFilter.java:31)
 at com.atlassian.core.filters.AbstractHttpFilter.doFilter(AbstractHttpFilter.java:32)
 at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
 at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
 at com.atlassian.core.filters.encoding.AbstractEncodingFilter.doFilter(AbstractEncodingFilter.java:39)
 at com.atlassian.core.filters.AbstractHttpFilter.doFilter(AbstractHttpFilter.java:32)
 at com.atlassian.jira.web.filters.PathMatchingEncodingFilter.doFilter(PathMatchingEncodingFilter.java:41)
 at com.atlassian.core.filters.AbstractHttpFilter.doFilter(AbstractHttpFilter.java:32)
 at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
 at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
 at com.atlassian.jira.startup.JiraStartupChecklistFilter.doFilter(JiraStartupChecklistFilter.java:72)
 at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
 at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
 at com.atlassian.jira.web.filters.MultipartBoundaryCheckFilter.doFilter(MultipartBoundaryCheckFilter.java:36)
 at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
 at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
 at com.atlassian.jira.servermetrics.MetricsCollectorFilter.doFilter(MetricsCollectorFilter.java:25)
 at com.atlassian.core.filters.AbstractHttpFilter.doFilter(AbstractHttpFilter.java:32)
 at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
 at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
 at com.atlassian.jira.web.filters.steps.ChainedFilterStepRunner.doFilter(ChainedFilterStepRunner.java:74)
 at com.atlassian.jira.web.filters.JiraFirstFilter.doFilter(JiraFirstFilter.java:59)
 at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
 at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
 at com.atlassian.gzipfilter.GzipFilter.doFilterInternal(GzipFilter.java:121)
 at com.atlassian.gzipfilter.GzipFilter.doFilter(GzipFilter.java:92)
 at com.atlassian.jira.web.filters.gzip.JiraGzipFilter.doFilter(JiraGzipFilter.java:44)
 at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
 at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
 at com.atlassian.jira.web.filters.InstantUpgradeHoldingFilter.doFilter(InstantUpgradeHoldingFilter.java:99)
 at com.atlassian.core.filters.AbstractHttpFilter.doFilter(AbstractHttpFilter.java:32)
 at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
 at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
 at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198)
 at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:108)
 at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
 at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
 at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
 at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:620)
 at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:349)
 at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:784)
 at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
 at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:802)
 at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1410)
 at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
 at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
 at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
 at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
 at java.lang.Thread.run(Thread.java:748)

I've modified the code to send the 3 cookies suggested by you.

I think there is a problem authenticating the user.

What's your opinion?


Cheers,

Rui Rodrigues

Rui Rodrigues
June 27, 2017

Hi Bruno,

It works if the user checks the "remember me" option.

It should work with the 3 cookies mentioned by you, I think.

Thanks.

Cheers,

Rui Rodrigues.

Bruno Vincent
June 27, 2017

Hi Rui,

Are you making your HTTP request from a different IP address than the one that initially obtained the Crowd SSO cookie? The remote IP address (and the X-Forwarded-For header if you send your request through a proxy or reverse proxy) is actually a validation factor for Crowd SSO cookies.

Rui Rodrigues
June 27, 2017

Hi Bruno,

I'm making the HTTP request from a JIRA add-on.

JIRA is running behind a reverse proxy.

Should I send something else in the headers?

Thanks.

Bruno Vincent
June 27, 2017

What's sending the HTTP request? Some JavaScript code in your browser? Or some Java code running server-side? (in which case you must add your server IP address to the list of trusted proxy servers: https://confluence.atlassian.com/crowd/configuring-trusted-proxy-servers-158107219.html)

Rui Rodrigues
June 27, 2017

Hi Bruno,

The HTTP request is being made from Java code (add-on).

So, do I need to add the host IP to the Trusted Proxy Servers?

Thanks.


Bruno Vincent
June 27, 2017

That's right. So far your Crowd cookie is not validated because the component that is sending it (your server) does not have the same IP address as the one that initially obtained it (your browser).

Rui Rodrigues
June 28, 2017

Hi Bruno,

I've configured the Trusted Proxy, but without success.

JIRA and Crowd are running on the same machine; in this case, my local machine.

Do you have more suggestions?


Cheers,

Rui Rodrigues.

Bruno Vincent
June 28, 2017

Go to Crowd administration console > Logging & profiling and set the log level of com.atlassian.crowd.manager.token to ALL

You'll get details in Crowd's logs about the validation factors used to validate your token and hopefully why it fails, e.g.

2017-06-28 14:14:35,652 http-bio-8095-exec-4 DEBUG [manager.token.factory.TokenKeyGeneratorImpl] Generating Token for principal: bruno.vincent
2017-06-28 14:14:35,653 http-bio-8095-exec-4 DEBUG [manager.token.factory.TokenKeyGeneratorImpl] Adding remote address of 10.211.55.2
2017-06-28 14:14:35,653 http-bio-8095-exec-4 DEBUG [manager.token.factory.TokenKeyGeneratorImpl] Adding Random-Number of ValidationFactor[Random-Number=532896644233653654]

Rui Rodrigues
June 28, 2017

Log messages:


2017-06-28 19:57:29,787 http-bio-8095-exec-18 DEBUG [crowd.manager.token.RecoveryModeAwareTokenAuthenticationManager] Current Validation Factors: 

2017-06-28 19:57:29,787 http-bio-8095-exec-18 DEBUG [crowd.manager.token.RecoveryModeAwareTokenAuthenticationManager] comparing existing token Token{identifierHash='u489Iq0t0xJ3DKsvkNdMcQ00', lastAccessedTime=1498676249749, createdDate=2017-06-28 19:57:03.64, duration=60, name='crowd', directoryId=-1} with a validation token Token{identifierHash='u489Iq0t0xJ3DKsvkNdMcQ00', lastAccessedTime=1498676249787, createdDate=Wed Jun 28 19:57:29 WEST 2017, duration=60, name='crowd', directoryId=-1}
2017-06-28 19:57:29,787 http-bio-8095-exec-18 DEBUG [crowd.manager.token.RecoveryModeAwareTokenAuthenticationManager] returning validated token, with updated last accessed time
2017-06-28 19:57:29,789 http-bio-8095-exec-18 DEBUG [crowd.manager.token.RecoveryModeAwareTokenAuthenticationManager] validateUserToken: dH2Q2BlR9Er3tAH1fQR1YA00
2017-06-28 19:57:29,789 http-bio-8095-exec-18 DEBUG [crowd.manager.token.RecoveryModeAwareTokenAuthenticationManager] genericValidateToken
2017-06-28 19:57:29,790 http-bio-8095-exec-18 DEBUG [crowd.manager.token.RecoveryModeAwareTokenAuthenticationManager] checking if the token is expired:
2017-06-28 19:57:29,790 http-bio-8095-exec-18 DEBUG [crowd.manager.token.RecoveryModeAwareTokenAuthenticationManager]  now:    Wed Jun 28 19:57:29 WEST 2017
2017-06-28 19:57:29,790 http-bio-8095-exec-18 DEBUG [crowd.manager.token.RecoveryModeAwareTokenAuthenticationManager]  last accessed:  Wed Jun 28 19:57:29 WEST 2017
2017-06-28 19:57:29,790 http-bio-8095-exec-18 DEBUG [crowd.manager.token.RecoveryModeAwareTokenAuthenticationManager]  expiry time:  Wed Jun 28 20:27:29 WEST 2017
2017-06-28 19:57:29,790 http-bio-8095-exec-18 DEBUG [crowd.manager.token.RecoveryModeAwareTokenAuthenticationManager]  allowed session time (seconds): 1800
2017-06-28 19:57:29,790 http-bio-8095-exec-18 DEBUG [manager.token.factory.TokenKeyGeneratorImpl] Generating Token for principal: rmbr
2017-06-28 19:57:29,790 http-bio-8095-exec-18 DEBUG [manager.token.factory.TokenKeyGeneratorImpl] Adding remote address of 0:0:0:0:0:0:0:1
2017-06-28 19:57:29,790 http-bio-8095-exec-18 DEBUG [manager.token.factory.TokenKeyGeneratorImpl] Generating Token for principal: rmbr
2017-06-28 19:57:29,790 http-bio-8095-exec-18 DEBUG [manager.token.factory.TokenKeyGeneratorImpl] Adding remote address of 0:0:0:0:0:0:0:1
2017-06-28 19:57:29,790 http-bio-8095-exec-18 DEBUG [manager.token.factory.TokenKeyGeneratorImpl] Adding Random-Number of ValidationFactor[Random-Number=3773613000060299932]
2017-06-28 19:57:29,790 http-bio-8095-exec-18 DEBUG [crowd.manager.token.RecoveryModeAwareTokenAuthenticationManager] Current Validation Factors: 
ValidationFactor[remote_address=0:0:0:0:0:0:0:1]
2017-06-28 19:57:29,790 http-bio-8095-exec-18 DEBUG [crowd.manager.token.RecoveryModeAwareTokenAuthenticationManager] comparing existing token Token{identifierHash='RmdmWH3GfPX43a90OVdMPw00', lastAccessedTime=1498676249698, createdDate=2017-06-28 19:52:45.278, duration=null, name='rmbr', directoryId=98305} with a validation token Token{identifierHash='RmdmWH3GfPX43a90OVdMPw00', lastAccessedTime=1498676249790, createdDate=Wed Jun 28 19:57:29 WEST 2017, duration=null, name='rmbr', directoryId=98305}
2017-06-28 19:57:29,790 http-bio-8095-exec-18 DEBUG [crowd.manager.token.RecoveryModeAwareTokenAuthenticationManager] returning validated token, with updated last accessed time
2017-06-28 19:57:29,790 http-bio-8095-exec-18 DEBUG [crowd.manager.token.RecoveryModeAwareTokenAuthenticationManager] user has access to the application <crowd>

My username: rmbr.

IP 127.0.0.1 is configured on Trusted proxy servers.

Bruno Vincent
June 28, 2017

Did you add the IPv6 address to Trusted proxy servers as well (0:0:0:0:0:0:0:1)? 

Rui Rodrigues
July 13, 2017

Hi Bruno,

Sorry for the late reply.

See my trusted servers below.

[Screenshot: Screen Shot 2017-07-13 at 12.36.23.png, the configured trusted proxy servers]

It's been hard to figure out the problem.

Many thanks for your help.

Cheers,

Rui Rodrigues.

Bruno Vincent
July 13, 2017

Hi Rui,

What if you uncheck 'Require Consistent Client IP address' in Crowd? https://confluence.atlassian.com/crowd/session-configuration-17956967.html

Rui Rodrigues
July 13, 2017

Hi Bruno,

It works.

This means that the IP I've defined does not match the correct IP, right?

Thank you.

Bruno Vincent
July 13, 2017

Well, thinking about it again, adding your server IP address to the trusted proxy servers won't change anything. Sorry for the false lead.

In the end, from Crowd's perspective the Crowd SSO cookie was initially created with your browser's IP address as a validation factor. Since your plugin uses your server IP address, the cookie validation will always fail unless you uncheck the 'Require Consistent Client IP address' option in Crowd.
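A model of the check this thread keeps running into, written as an added example (not Crowd's code and not from the answers): a token is issued with the client's remote address as a validation factor, and every later validation must present the same address unless 'Require Consistent Client IP address' is off. The trusted-proxy handling (X-Forwarded-For is honoured only when the connecting peer is in the trusted list) and the comparison by exact string are assumptions that follow the behaviour described above, simplified; the addresses and token key are constructed. It covers the points raised in the replies about validation factors, trusted proxies, and the final configuration change, and generalises slightly by also showing what happens to a forged X-Forwarded-For header from an untrusted peer.

```python
"""Model of a Crowd-style SSO token check bound to the client's remote
address. Added example, not Crowd's implementation. Assumptions: the
X-Forwarded-For chain is consulted only when the peer is a trusted proxy;
addresses are compared as strings, so "127.0.0.1" and "0:0:0:0:0:0:0:1"
count as different clients (the IPv6 loopback gotcha seen in the thread)."""
from dataclasses import dataclass, field


@dataclass
class SsoToken:
    key: str
    principal: str
    factors: dict  # validation factor name -> value recorded at issue time


@dataclass
class SessionConfig:
    require_consistent_client_ip: bool = True
    trusted_proxies: set = field(default_factory=set)


def effective_client_address(remote_addr, x_forwarded_for, trusted_proxies):
    """Address attributed to the client for validation purposes.

    If the peer is not a trusted proxy its own address is the client and any
    X-Forwarded-For it sent is ignored (so a forged header buys nothing).
    If it is trusted, walk the chain right-to-left past trusted hops and
    take the first untrusted hop as the client."""
    if remote_addr not in trusted_proxies:
        return remote_addr
    hops = [h.strip() for h in (x_forwarded_for or "").split(",") if h.strip()]
    for hop in reversed(hops):
        if hop not in trusted_proxies:
            return hop
    return remote_addr  # chain held only trusted proxies: fall back to the peer


def issue_token(key, principal, remote_addr, x_forwarded_for, config):
    """Bind a new token to the address the login request came from."""
    client = effective_client_address(remote_addr, x_forwarded_for, config.trusted_proxies)
    return SsoToken(key=key, principal=principal, factors={"remote_address": client})


def validate_token(token, remote_addr, x_forwarded_for, config):
    """Return (ok, reason) for a token presented from remote_addr."""
    if not config.require_consistent_client_ip:
        return True, "remote_address not required by configuration"
    client = effective_client_address(remote_addr, x_forwarded_for, config.trusted_proxies)
    bound = token.factors["remote_address"]
    if client != bound:
        # The condition behind "Token doesn't match the existing token".
        return False, f"remote_address mismatch: token bound to {bound}, presented from {client}"
    return True, "validation factors match"


# Constructed scenario mirroring the thread: a browser logs in, then a
# server-side add-on replays the browser's cookie from the Jira host.
BROWSER = "192.0.2.10"    # constructed browser address
JIRA_HOST = "127.0.0.1"   # the add-on's requests originate here


def thread_scenarios():
    """Outcome of each situation discussed in the replies, keyed by name."""
    strict = SessionConfig()
    token = issue_token("constructed-token-key", "rmbr", BROWSER, None, strict)
    results = {}
    # 1. The same browser presents the cookie again: fine.
    results["browser"] = validate_token(token, BROWSER, None, strict)[0]
    # 2. The add-on replays it from the server: mismatch (the thread's failure).
    results["addon"] = validate_token(token, JIRA_HOST, None, strict)[0]
    # 3. Server listed as a trusted proxy but sending no X-Forwarded-For: still fails.
    trusting = SessionConfig(trusted_proxies={JIRA_HOST})
    results["addon_trusted_no_xff"] = validate_token(token, JIRA_HOST, None, trusting)[0]
    # 4. A trusted proxy forwarding the browser's address: passes.
    results["addon_trusted_xff"] = validate_token(token, JIRA_HOST, BROWSER, trusting)[0]
    # 5. An untrusted peer claiming the browser's address in the header: ignored.
    results["forged_xff"] = validate_token(token, "198.51.100.7", BROWSER, strict)[0]
    # 6. Consistent-IP requirement off: any address validates, so the cookie
    #    is no longer bound to the client that obtained it.
    relaxed = SessionConfig(require_consistent_client_ip=False)
    results["relaxed"] = validate_token(token, JIRA_HOST, None, relaxed)[0]
    return results


if __name__ == "__main__":
    for name, ok in thread_scenarios().items():
        print(f"{name:<24} {'valid' if ok else 'INVALID'}")
```

Scenario 3 is why the trusted-proxy change did not help: the trusted list only changes which address a forwarded request is attributed to, and the add-on's request carries no forwarded address, so it is still attributed to the server. Scenario 6 is the configuration change that made it work; it also means a cookie taken from one client validates from any other, which is the trade-off to weigh before turning that option off.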
