myfaces-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Simon Kitching (JIRA)" <...@myfaces.apache.org>
Subject [jira] Commented: (MYFACES-1786) Encryption is enabled by default, causing problems if no secret is set
Date Wed, 14 Jan 2009 15:50:01 GMT

    [ https://issues.apache.org/jira/browse/MYFACES-1786?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12663782#action_12663782
] 

Simon Kitching commented on MYFACES-1786:
-----------------------------------------

Oh, and possibly the code could avoid logging this exception, instead catching all javax.crypto
exceptions in StateUtils.symmetric() and instead just logging "INFO: postback could not be
decrypted; ignoring data".

> Encryption is enabled by default, causing problems if no secret is set
> ----------------------------------------------------------------------
>
>                 Key: MYFACES-1786
>                 URL: https://issues.apache.org/jira/browse/MYFACES-1786
>             Project: MyFaces Core
>          Issue Type: Bug
>          Components: General
>    Affects Versions:  1.2.0, 1.2.1-SNAPSHOT
>         Environment: Any
>            Reporter: Jon Harley
>            Priority: Minor
>
> According to the documentation of org.apache.myfaces.util.StateUtils "To enable encryption,
a secret must be provided. StateUtils looks first for the org.apache.myfaces.secret init param,
then system properties. If a secret cannot be located, encryption is not used."
> This is the correct behaviour but in fact the isSecure() method of that class includes:
> return ! "false".equals(ctx.getInitParameter(USE_ENCRYPTION));
> This enables encryption in ALL cases except where the init parameter is PRESENT and EQUAL
to "false". For example if it is absent, encryption is enabled. It looks as though a secret
is then generated.
> This causes a problem because if the web container is restarted, a new secret is generated.
Existing users who then submit any view encoded with the old secret hit an exception in the
restore view phase which looks like this, at least in my environment:
> javax.faces.FacesException: javax.crypto.BadPaddingException: Given final block not properly
padded
> 	at org.apache.myfaces.shared_impl.util.StateUtils.symmetric(StateUtils.java:370)
> 	at org.apache.myfaces.shared_impl.util.StateUtils.symmetric(StateUtils.java:408)
> 	at org.apache.myfaces.shared_impl.util.StateUtils.decrypt(StateUtils.java:288)
> 	at org.apache.myfaces.shared_impl.util.StateUtils.reconstruct(StateUtils.java:237)
> 	at org.apache.myfaces.renderkit.html.HtmlResponseStateManager.getTreeStructureToRestore(HtmlResponseStateManager.java:129)
> 	at javax.faces.render.ResponseStateManager.getState(ResponseStateManager.java:81)
> 	at org.apache.myfaces.application.jsp.JspStateManagerImpl.restoreView(JspStateManagerImpl.java:283)
> 	at org.ajax4jsf.framework.ajax.AjaxStateManager.restoreView(AjaxStateManager.java:83)
> 	at org.apache.myfaces.application.jsp.JspViewHandlerImpl.restoreView(JspViewHandlerImpl.java:354)
> 	at com.sun.facelets.FaceletViewHandler.restoreView(FaceletViewHandler.java:317)
> 	at org.ajax4jsf.framework.ViewHandlerWrapper.restoreView(ViewHandlerWrapper.java:116)
> 	at org.ajax4jsf.framework.ajax.AjaxViewHandler.restoreView(AjaxViewHandler.java:147)
> 	at org.jenia.faces.template.handler.ViewHandler.restoreView(ViewHandler.java:263)
> 	at com.sun.facelets.FaceletViewHandler.restoreView(FaceletViewHandler.java:317)
> 	at org.ajax4jsf.framework.ViewHandlerWrapper.restoreView(ViewHandlerWrapper.java:116)
> 	at org.ajax4jsf.framework.ajax.AjaxViewHandler.restoreView(AjaxViewHandler.java:147)
> 	at org.apache.myfaces.lifecycle.RestoreViewExecutor.execute(RestoreViewExecutor.java:85)
> 	at org.apache.myfaces.lifecycle.LifecycleImpl.executePhase(LifecycleImpl.java:95)
> 	at org.apache.myfaces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:70)
> 	at javax.faces.webapp.FacesServlet.service(FacesServlet.java:137)
> 	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
> 	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
> 	at org.ajax4jsf.framework.ajax.xmlfilter.BaseXMLFilter.doXmlFilter(BaseXMLFilter.java:96)
> 	at org.ajax4jsf.framework.ajax.xmlfilter.BaseFilter.doFilter(BaseFilter.java:220)
> 	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
> 	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
> 	at org.apache.myfaces.webapp.filter.ExtensionsFilter.doFilter(ExtensionsFilter.java:147)
> 	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
> 	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
> 	at net.parkplatz.rr.webframework.Doorkeeper.doFilter(Doorkeeper.java:185)
> 	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
> 	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
> 	at org.springframework.orm.jdo.support.OpenPersistenceManagerInViewFilter.doFilterInternal(OpenPersistenceManagerInViewFilter.java:106)
> 	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:77)
> 	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
> 	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
> 	at org.netbeans.modules.web.monitor.server.MonitorFilter.doFilter(MonitorFilter.java:390)
> 	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
> 	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
> 	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
> 	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
> 	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
> 	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
> 	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
> 	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:263)
> 	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
> 	at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:584)
> 	at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
> 	at java.lang.Thread.run(Thread.java:619)
> Caused by: javax.crypto.BadPaddingException: Given final block not properly padded
> 	at com.sun.crypto.provider.SunJCE_f.b(DashoA13*..)
> 	at com.sun.crypto.provider.SunJCE_f.b(DashoA13*..)
> 	at com.sun.crypto.provider.DESCipher.engineDoFinal(DashoA13*..)
> 	at javax.crypto.Cipher.doFinal(DashoA13*..)
> 	at org.apache.myfaces.shared_impl.util.StateUtils.symmetric(StateUtils.java:366)
> 	... 48 more
> Caused by: javax.crypto.BadPaddingException: Given final block not properly padded
> 	at com.sun.crypto.provider.SunJCE_f.b(DashoA13*..)
> 	at com.sun.crypto.provider.SunJCE_f.b(DashoA13*..)
> 	at com.sun.crypto.provider.DESCipher.engineDoFinal(DashoA13*..)
> 	at javax.crypto.Cipher.doFinal(DashoA13*..)
> 	at org.apache.myfaces.shared_impl.util.StateUtils.symmetric(StateUtils.java:366)
> 	at org.apache.myfaces.shared_impl.util.StateUtils.symmetric(StateUtils.java:408)
> 	at org.apache.myfaces.shared_impl.util.StateUtils.decrypt(StateUtils.java:288)
> 	at org.apache.myfaces.shared_impl.util.StateUtils.reconstruct(StateUtils.java:237)
> 	at org.apache.myfaces.renderkit.html.HtmlResponseStateManager.getTreeStructureToRestore(HtmlResponseStateManager.java:129)
> 	at javax.faces.render.ResponseStateManager.getState(ResponseStateManager.java:81)
> 	at org.apache.myfaces.application.jsp.JspStateManagerImpl.restoreView(JspStateManagerImpl.java:283)
> 	at org.ajax4jsf.framework.ajax.AjaxStateManager.restoreView(AjaxStateManager.java:83)
> 	at org.apache.myfaces.application.jsp.JspViewHandlerImpl.restoreView(JspViewHandlerImpl.java:354)
> 	at com.sun.facelets.FaceletViewHandler.restoreView(FaceletViewHandler.java:317)
> 	at org.ajax4jsf.framework.ViewHandlerWrapper.restoreView(ViewHandlerWrapper.java:116)
> 	at org.ajax4jsf.framework.ajax.AjaxViewHandler.restoreView(AjaxViewHandler.java:147)
> 	at org.jenia.faces.template.handler.ViewHandler.restoreView(ViewHandler.java:263)
> 	at com.sun.facelets.FaceletViewHandler.restoreView(FaceletViewHandler.java:317)
> 	at org.ajax4jsf.framework.ViewHandlerWrapper.restoreView(ViewHandlerWrapper.java:116)
> 	at org.ajax4jsf.framework.ajax.AjaxViewHandler.restoreView(AjaxViewHandler.java:147)
> 	at org.apache.myfaces.lifecycle.RestoreViewExecutor.execute(RestoreViewExecutor.java:85)
> 	at org.apache.myfaces.lifecycle.LifecycleImpl.executePhase(LifecycleImpl.java:95)
> 	at org.apache.myfaces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:70)
> 	at javax.faces.webapp.FacesServlet.service(FacesServlet.java:137)
> This was reported on the MyFaces users list using MyFaces 1.2.0 and is still present
in 1.2.1-SNAPSHOT
> The fix is to correct the bug in the line from org.apache.myfaces.util.StateUtils.isSecure()
quoted above, so that it reads:
> return "true".equals(ctx.getInitParameter(USE_ENCRYPTION));

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


Mime
View raw message