After upgrading Artifactory from 5.4.6 to 5.6 our Crowd users weren't able to login. Local users still work.
The log states:
2017-11-22 07:45:44,711 [http-nio-8080-exec-6] [DEBUG] (o.a.s.SecurityServiceImpl:1047) - Ensuring that user XXX should not be blocked
2017-11-22 07:45:44,711 [http-nio-8080-exec-6] [DEBUG] (o.a.s.SecurityServiceImpl:1716) - Updating access details for user XXX, time=1511333144711, ip=xxx.xx.xx.xx
2017-11-22 07:45:44,787 [http-nio-8080-exec-6] [DEBUG] (o.a.a.s.CrowdHttpAuthenticator:240) - Crowd token key: 'crowd.token_key', domain: '.mydomain.com', isSecure: 'false'
2017-11-22 07:45:44,787 [http-nio-8080-exec-6] [ERROR] (o.a.a.s.SsoAddonImpl:245) - Unable to authenticate with Atlassian crowd: An invalid domain [.mydomain.com] was specified for this cookie
2017-11-22 07:45:44,793 [http-nio-8080-exec-6] [DEBUG] (o.a.a.s.SsoAddonImpl:249) - Unable to authenticate user XXX with Atlassian crowd
java.lang.IllegalArgumentException: An invalid domain [.mydomain.com] was specified for this cookie
Our network setup is the following:
- our internal domain is called .internaldomain.com, so the host is artifactory.internaldomain.com
- Our firewall rewrites from external to internal so, artifactory.mydomain.com is rewritten to artifactory.internaldomain.com
- Same goes for Crowd
In crowd we added the host for the interal domain as well as the external domain to be sure.
We suspect this is an Artifactory bug because everything worked fine on 5.4.6.
1. Setup a crowd instance where the cookie will contain a '.', for example '.myexample.com'
2. Try logging in
3. Notice this reproduces in 5.6 but not in previous versions
NOTE: Certain Crowd servers require the '.'