When configuring the client IP to be taken from the header using com.sun.identity.authentication.client.ipAddressHeader=X-Forwarded-For,
some of the audit logs show multiple IPs. The issue is that the client-ip field in the CSV should be an IP and not the full list of IPs (from XFF).
Some of the access URLs (like /json/authenticate) work, but the CREST side logs this bad client-ip.
- Add com.sun.identity.authentication.client.ipAddressHeader=X-Forwarded-For to the Server default Advanced properties
- Now do a REST json authenticate (using curl) to /json/authenticate
- Check the access.csv and see
- Notice the client.ip field is fine with value "188.8.131.52"
- Now access using the above obtained SSOToken
and check the logs:
Notice the client.ip is the same as X-Forwarded-For
When logging goes to some audit system, the extra long client-ip from XFF may cause AM audit system failure and the event may not be audited.
Need to do the same filtering as the previous work
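
A check for audit rows affected by this behaviour, as an added example that is not part of the original report or of AM's code: it flags access.csv rows whose client.ip is not a single IP literal and shows the value a filter would record. The sample rows, the column names other than client.ip, and the choice of the leftmost X-Forwarded-For entry are assumptions.

```python
import csv
import io
import ipaddress

# Constructed sample rows; only the "client.ip" field name comes from the report.
SAMPLE_ACCESS_CSV = '''"timestamp","http.request.path","client.ip"
"2024-01-01T10:00:00Z","/json/authenticate","198.51.100.7"
"2024-01-01T10:00:05Z","/json/users/demo","198.51.100.7, 10.0.0.5, 10.0.0.9"
"2024-01-01T10:00:09Z","/json/users/demo","not-an-ip, 10.0.0.5"
'''


def is_single_ip(value):
    """True only if the whole field is one IPv4 or IPv6 literal."""
    try:
        ipaddress.ip_address(value.strip())
        return True
    except ValueError:
        return False


def first_entry_ip(header_value):
    """Return the leftmost entry of an X-Forwarded-For style list if it is a
    valid IP, else None. Assumption: the leftmost entry is the one to record;
    it is client-supplied unless a trusted proxy sets the header."""
    candidate = header_value.split(",")[0].strip()
    return candidate if is_single_ip(candidate) else None


def audit_client_ip(csv_text):
    """List (path, raw client.ip, filtered value) for every malformed row."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        raw = row["client.ip"]
        if not is_single_ip(raw):
            findings.append((row["http.request.path"], raw, first_entry_ip(raw)))
    return findings


if __name__ == "__main__":
    for path, raw, filtered in audit_client_ip(SAMPLE_ACCESS_CSV):
        print(f"{path}: client.ip={raw!r} -> {filtered!r}")
```

A filtered value of None marks a row where the first entry is not an IP at all, which should be recorded with a placeholder rather than dropped from the audit trail.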