Crowd login fails when running two Crowd instances on the same domain
プラットフォームについて: Server および Data Center のみ。この記事は、Server および Data Center プラットフォームのアトラシアン製品にのみ適用されます。
Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Fisheye および Crucible は除く
問題
It is always a good practice to have a Production environment as well a Test/Staging/Dev environment. If you happen to have two Crowd instances running in the same domain crowd.example.com and crowd-dev.example.com you might notice that you are able to login to one instance but not the other.
The symptom of the issue will be that you login to Crowd Production and everything looks good, then you try to login to Crowd Dev and it keeps on redirecting back to the login page.
診断
環境
- Crowd Production:
crowd.example.com - Crowd Dev:
crowd-dev.example.com
Diagnostic Steps
In order to investigate the issue, you will need to look at the following:
- HAR file to check whether the request is reaching the server or not
- Next step, double check in the response from the login action that you are getting a
JSESSIONIDandcrowd.token.keycookie - Try to login with wrong credentials and you should get an error Invalid Login this will verify that you are able to access the server and that Crowd server is working as intended
Enable DEBUG Logging on Crowd
Please note that this logging is super noisy and it will quickly fill up your log files. Make sure to disable that once you identify the issue
In the logs, you will notice the following cookies being sent by the browser:2017-11-08 13:49:45,544 http-bio-8095-exec-7 DEBUG [integration.http.util.CrowdHttpTokenHelperImpl] Cookie name/value: JSESSIONID / 28A6DF056DF1DBD3336BBA69DEBFBCBF 2017-11-08 13:49:45,544 http-bio-8095-exec-7 DEBUG [integration.http.util.CrowdHttpTokenHelperImpl] Cookie name/value: crowd.token_key / DTMlYimNr0HHwyI8p0xmyA00 2017-11-08 13:49:45,544 http-bio-8095-exec-7 DEBUG [integration.http.util.CrowdHttpTokenHelperImpl] Cookie name/value: crowd.token_key / nA6uRsJ4Li63eeb64atVDg00 2017-11-08 13:49:45,544 http-bio-8095-exec-7 DEBUG [integration.http.util.CrowdHttpTokenHelperImpl] Cookie name/value: AWSALB / /eldlBkVmsHOtghOKOrvFAN6nObMEBCji2dXBvWo7EVY2P6e6lo1aj9yef4IEvP5XVdrqwC1480b+n3v9uutkmTL6ixPmeCKG2dBY5XcaZT6wQLMr/c8TLe/CKWD
原因
As you can see the above logs show that you have two crowd.token_key cookies in your browser. The browser, in this case, will get confused as to which cookie to select since both Production and Dev instance belong to the domain example.com and that causes the redirection to the login page on the Dev instance
ソリューション
You can resolve this problem using one of the below suggestions:
Resolution 1 - Change the crowd token cookie name
Since we have a duplicate cookie name belonging to the same domain, we will need to specify a different crowd token cookie for the Dev instance. To do that, please follow the below steps:
- Log in to the Dev instance using the IP and port http://1.2.3.4:8095/crowd
- Go to Settings -> General
- Change the SSO Cookie name from the default value
crowd.token_keytocrowd_dev.token_keyor any other name that is different than the Production instance - Update the settings
- You should be able to login successfully to both Production and Dev instances without any problems
Resolution 2 - Move Dev instance to a different domain
You can also change the Crowd Dev domain to something other than example.com in order to avoid this issue. You could configure it to crowd.dev.example.com and that would not confuse the browser as the Crowd Dev domain is not dev.example.com