Posted to dev@sling.apache.org by "Robert Munteanu (Jira)" <ji...@apache.org> on 2020/05/11 15:41:00 UTC

[jira] [Closed] (SLING-9433) Do not log stack trace in case of cookies with no match in the token store

     [ https://issues.apache.org/jira/browse/SLING-9433?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robert Munteanu closed SLING-9433.
----------------------------------

> Do not log stack trace in case of cookies with no match in the token store
> --------------------------------------------------------------------------
>
>                 Key: SLING-9433
>                 URL: https://issues.apache.org/jira/browse/SLING-9433
>             Project: Sling
>          Issue Type: Improvement
>          Components: Authentication
>            Reporter: Robert Munteanu
>            Assignee: Robert Munteanu
>            Priority: Major
>             Fix For: Form Based Authentication 1.0.20
>
>
> When a cookie does not have a match in the token store, a stack trace is logged at error level
> {noformat}08.05.2020 14:21:42.991 *ERROR* [qtp804599815-226] org.apache.sling.auth.form.impl.TokenStore No installed provider supports this key: (null)
> java.security.InvalidKeyException: No installed provider supports this key: (null)
> 	at java.base/javax.crypto.Mac.chooseProvider(Mac.java:392)
> 	at java.base/javax.crypto.Mac.init(Mac.java:435)
> 	at org.apache.sling.auth.form.impl.TokenStore.encode(TokenStore.java:174) [org.apache.sling.auth.form:1.0.19.SNAPSHOT]
> 	at org.apache.sling.auth.form.impl.TokenStore.isValid(TokenStore.java:229) [org.apache.sling.auth.form:1.0.19.SNAPSHOT]
> 	at org.apache.sling.auth.form.impl.FormAuthenticationHandler.extractCredentials(FormAuthenticationHandler.java:195) [org.apache.sling.auth.form:1.0.19.SNAPSHOT]{noformat}
> (snip)
> This is easily preventable, as we should not be passing a null {{SecretKey}} further. Instead, we should log an ERROR and consider the cookie as invalid.
> Steps to reproduce:
> 1. Start up Sling Starter
> 2. Log in
> 3. Stop Sling Starter
> 4. Remove sling directory
> 5. Start Sling Starter
> 6. Visit front page
> Alternatively, save a Sling login cookie ( sling.formauth=... ) and send it via a curl call to a fresh instance of Sling.
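As an added illustration (not code from the Sling project or from the issue's author), the following self-contained Java class shows the check the issue asks for: a cookie whose token id has no key in the store is rejected with a single error line instead of handing a null `SecretKey` to `Mac.init`, which is what produces the `InvalidKeyException` stack trace above. The cookie layout (`tokenId@expiry@userId@base64(hmac)`), the in-memory key map and the class and method names are assumptions of this example and do not reflect Sling's actual `TokenStore`.

```java
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.Mac;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;

/** Hypothetical token check modelled on SLING-9433; not Sling's TokenStore. */
public class CookieTokenCheck {

    private static final String HMAC_ALG = "HmacSHA256";

    /** Stand-in for the persisted token store: token id -> HMAC key (assumed layout). */
    private final Map<String, SecretKey> keys = new HashMap<>();

    public void storeKey(String tokenId, byte[] rawKey) {
        keys.put(tokenId, new SecretKeySpec(rawKey, HMAC_ALG));
    }

    /** Assumed cookie layout: tokenId@expiryMillis@userId@base64(hmac). */
    public String issue(String tokenId, long expiryMillis, String userId) throws InvalidKeyException {
        SecretKey key = keys.get(tokenId);
        if (key == null) {
            throw new IllegalStateException("no key stored for token " + tokenId);
        }
        String payload = tokenId + "@" + expiryMillis + "@" + userId;
        return payload + "@" + Base64.getEncoder().encodeToString(hmac(key, payload));
    }

    /** Returns true only for a well-formed, unexpired cookie whose HMAC matches a stored key. */
    public boolean isValid(String cookie, long nowMillis) {
        String[] parts = cookie.split("@", 4);
        if (parts.length != 4) {
            logError("malformed cookie, treating as invalid");
            return false;
        }
        String tokenId = parts[0];
        SecretKey key = keys.get(tokenId);
        if (key == null) {
            // The check the issue asks for: a cookie with no match in the token store
            // (e.g. the store was wiped) is invalid; never pass a null key to Mac.init.
            logError("no key in token store for token " + tokenId + ", treating cookie as invalid");
            return false;
        }
        long expiry;
        try {
            expiry = Long.parseLong(parts[1]);
        } catch (NumberFormatException e) {
            logError("unparseable expiry in cookie, treating as invalid");
            return false;
        }
        if (expiry < nowMillis) {
            return false; // expired cookies are routine, nothing to log
        }
        byte[] expected;
        try {
            expected = hmac(key, tokenId + "@" + parts[1] + "@" + parts[2]);
        } catch (InvalidKeyException e) {
            // A stored but unusable key is still reported as one line, not a stack trace.
            logError("stored key for token " + tokenId + " is unusable: " + e.getMessage());
            return false;
        }
        byte[] presented;
        try {
            presented = Base64.getDecoder().decode(parts[3]);
        } catch (IllegalArgumentException e) {
            logError("undecodable HMAC in cookie, treating as invalid");
            return false;
        }
        // Constant-time comparison so a forged value cannot be refined byte by byte.
        return MessageDigest.isEqual(expected, presented);
    }

    private static byte[] hmac(SecretKey key, String data) throws InvalidKeyException {
        try {
            Mac mac = Mac.getInstance(HMAC_ALG);
            mac.init(key); // this is the call that throws on a null key
            return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e); // HmacSHA256 is mandatory in the JDK
        }
    }

    private static void logError(String msg) {
        // Stand-in for the SLF4J logger used in Sling: one line at ERROR, no stack trace.
        System.err.println("*ERROR* TokenStore " + msg);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample key for the demonstration, not a real secret.
        byte[] sampleKey = "constructed-32-byte-sample-key-!".getBytes(StandardCharsets.UTF_8);
        long expiry = System.currentTimeMillis() + 60_000;

        CookieTokenCheck first = new CookieTokenCheck();
        first.storeKey("t1", sampleKey);
        String cookie = first.issue("t1", expiry, "admin");
        System.out.println("same store: " + first.isValid(cookie, System.currentTimeMillis()));

        // Fresh instance with an empty store: the reproduction steps above (store removed, cookie replayed).
        CookieTokenCheck fresh = new CookieTokenCheck();
        System.out.println("fresh store: " + fresh.isValid(cookie, System.currentTimeMillis()));
    }
}
```

Run with `javac CookieTokenCheck.java && java CookieTokenCheck`: the first check succeeds, the second prints one ERROR line and returns false, which is the behaviour the issue describes as the intended fix, in place of an `InvalidKeyException` trace.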



--
This message was sent by Atlassian Jira
(v8.3.4#803005)