Posted to dev@myfaces.apache.org by "Jon Harley (JIRA)" <de...@myfaces.apache.org> on 2007/12/10 19:19:43 UTC

[jira] Created: (MYFACES-1786) Encryption is enabled by default, causing problems if no secret is set

Encryption is enabled by default, causing problems if no secret is set
----------------------------------------------------------------------

                 Key: MYFACES-1786
                 URL: https://issues.apache.org/jira/browse/MYFACES-1786
             Project: MyFaces Core
          Issue Type: Bug
          Components: General
    Affects Versions:  1.2.0, 1.2.1-SNAPSHOT
         Environment: Any
            Reporter: Jon Harley
            Priority: Minor


According to the documentation of org.apache.myfaces.util.StateUtils "To enable encryption, a secret must be provided. StateUtils looks first for the org.apache.myfaces.secret init param, then system properties. If a secret cannot be located, encryption is not used."

This is the correct behaviour but in fact the isSecure() method of that class includes:

return ! "false".equals(ctx.getInitParameter(USE_ENCRYPTION));

This enables encryption in ALL cases except where the init parameter is PRESENT and EQUAL to "false". For example if it is absent, encryption is enabled. It looks as though a secret is then generated.

This causes a problem because if the web container is restarted, a new secret is generated. Existing users who then submit any view encoded with the old secret hit an exception in the restore view phase which looks like this, at least in my environment:

javax.faces.FacesException: javax.crypto.BadPaddingException: Given final block not properly padded
	at org.apache.myfaces.shared_impl.util.StateUtils.symmetric(StateUtils.java:370)
	at org.apache.myfaces.shared_impl.util.StateUtils.symmetric(StateUtils.java:408)
	at org.apache.myfaces.shared_impl.util.StateUtils.decrypt(StateUtils.java:288)
	at org.apache.myfaces.shared_impl.util.StateUtils.reconstruct(StateUtils.java:237)
	at org.apache.myfaces.renderkit.html.HtmlResponseStateManager.getTreeStructureToRestore(HtmlResponseStateManager.java:129)
	at javax.faces.render.ResponseStateManager.getState(ResponseStateManager.java:81)
	at org.apache.myfaces.application.jsp.JspStateManagerImpl.restoreView(JspStateManagerImpl.java:283)
	at org.ajax4jsf.framework.ajax.AjaxStateManager.restoreView(AjaxStateManager.java:83)
	at org.apache.myfaces.application.jsp.JspViewHandlerImpl.restoreView(JspViewHandlerImpl.java:354)
	at com.sun.facelets.FaceletViewHandler.restoreView(FaceletViewHandler.java:317)
	at org.ajax4jsf.framework.ViewHandlerWrapper.restoreView(ViewHandlerWrapper.java:116)
	at org.ajax4jsf.framework.ajax.AjaxViewHandler.restoreView(AjaxViewHandler.java:147)
	at org.jenia.faces.template.handler.ViewHandler.restoreView(ViewHandler.java:263)
	at com.sun.facelets.FaceletViewHandler.restoreView(FaceletViewHandler.java:317)
	at org.ajax4jsf.framework.ViewHandlerWrapper.restoreView(ViewHandlerWrapper.java:116)
	at org.ajax4jsf.framework.ajax.AjaxViewHandler.restoreView(AjaxViewHandler.java:147)
	at org.apache.myfaces.lifecycle.RestoreViewExecutor.execute(RestoreViewExecutor.java:85)
	at org.apache.myfaces.lifecycle.LifecycleImpl.executePhase(LifecycleImpl.java:95)
	at org.apache.myfaces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:70)
	at javax.faces.webapp.FacesServlet.service(FacesServlet.java:137)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at org.ajax4jsf.framework.ajax.xmlfilter.BaseXMLFilter.doXmlFilter(BaseXMLFilter.java:96)
	at org.ajax4jsf.framework.ajax.xmlfilter.BaseFilter.doFilter(BaseFilter.java:220)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at org.apache.myfaces.webapp.filter.ExtensionsFilter.doFilter(ExtensionsFilter.java:147)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at net.parkplatz.rr.webframework.Doorkeeper.doFilter(Doorkeeper.java:185)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at org.springframework.orm.jdo.support.OpenPersistenceManagerInViewFilter.doFilterInternal(OpenPersistenceManagerInViewFilter.java:106)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:77)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at org.netbeans.modules.web.monitor.server.MonitorFilter.doFilter(MonitorFilter.java:390)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:263)
	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
	at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:584)
	at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
	at java.lang.Thread.run(Thread.java:619)
Caused by: javax.crypto.BadPaddingException: Given final block not properly padded
	at com.sun.crypto.provider.SunJCE_f.b(DashoA13*..)
	at com.sun.crypto.provider.SunJCE_f.b(DashoA13*..)
	at com.sun.crypto.provider.DESCipher.engineDoFinal(DashoA13*..)
	at javax.crypto.Cipher.doFinal(DashoA13*..)
	at org.apache.myfaces.shared_impl.util.StateUtils.symmetric(StateUtils.java:366)
	... 48 more
Caused by: javax.crypto.BadPaddingException: Given final block not properly padded
	at com.sun.crypto.provider.SunJCE_f.b(DashoA13*..)
	at com.sun.crypto.provider.SunJCE_f.b(DashoA13*..)
	at com.sun.crypto.provider.DESCipher.engineDoFinal(DashoA13*..)
	at javax.crypto.Cipher.doFinal(DashoA13*..)
	at org.apache.myfaces.shared_impl.util.StateUtils.symmetric(StateUtils.java:366)
	at org.apache.myfaces.shared_impl.util.StateUtils.symmetric(StateUtils.java:408)
	at org.apache.myfaces.shared_impl.util.StateUtils.decrypt(StateUtils.java:288)
	at org.apache.myfaces.shared_impl.util.StateUtils.reconstruct(StateUtils.java:237)
	at org.apache.myfaces.renderkit.html.HtmlResponseStateManager.getTreeStructureToRestore(HtmlResponseStateManager.java:129)
	at javax.faces.render.ResponseStateManager.getState(ResponseStateManager.java:81)
	at org.apache.myfaces.application.jsp.JspStateManagerImpl.restoreView(JspStateManagerImpl.java:283)
	at org.ajax4jsf.framework.ajax.AjaxStateManager.restoreView(AjaxStateManager.java:83)
	at org.apache.myfaces.application.jsp.JspViewHandlerImpl.restoreView(JspViewHandlerImpl.java:354)
	at com.sun.facelets.FaceletViewHandler.restoreView(FaceletViewHandler.java:317)
	at org.ajax4jsf.framework.ViewHandlerWrapper.restoreView(ViewHandlerWrapper.java:116)
	at org.ajax4jsf.framework.ajax.AjaxViewHandler.restoreView(AjaxViewHandler.java:147)
	at org.jenia.faces.template.handler.ViewHandler.restoreView(ViewHandler.java:263)
	at com.sun.facelets.FaceletViewHandler.restoreView(FaceletViewHandler.java:317)
	at org.ajax4jsf.framework.ViewHandlerWrapper.restoreView(ViewHandlerWrapper.java:116)
	at org.ajax4jsf.framework.ajax.AjaxViewHandler.restoreView(AjaxViewHandler.java:147)
	at org.apache.myfaces.lifecycle.RestoreViewExecutor.execute(RestoreViewExecutor.java:85)
	at org.apache.myfaces.lifecycle.LifecycleImpl.executePhase(LifecycleImpl.java:95)
	at org.apache.myfaces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:70)
	at javax.faces.webapp.FacesServlet.service(FacesServlet.java:137)

This was reported on the MyFaces users list using MyFaces 1.2.0 and is still present in 1.2.1-SNAPSHOT.

The fix is to correct the bug in the line from org.apache.myfaces.util.StateUtils.isSecure() quoted above, so that it reads:

return "true".equals(ctx.getInitParameter(USE_ENCRYPTION));

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


[jira] Commented: (MYFACES-1786) Encryption is enabled by default, causing problems if no secret is set

Posted by "Simon Kitching (JIRA)" <de...@myfaces.apache.org>.
    [ https://issues.apache.org/jira/browse/MYFACES-1786?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12663778#action_12663778 ] 

Simon Kitching commented on MYFACES-1786:
-----------------------------------------

I don't believe this is a bug at all. IMO, state *should* be encrypted by default; no system should default to being insecure.

And it also seems reasonable that when the secret is auto-generated then it should be regenerated on restart. In fact, there is no obvious alternative; I can't think of anywhere to store app-scope data over a webserver restart.

The real solution here seems for people to just define a constant secret for their webapp, i.e. define init-parameter
      org.apache.myfaces.SECRET
in the web.xml file.

Possibly a WARN message could be output in the startup logs to tell administrators to set that property in web.xml.



[jira] Commented: (MYFACES-1786) Encryption is enabled by default, causing problems if no secret is set

Posted by "Simon Kitching (JIRA)" <de...@myfaces.apache.org>.
    [ https://issues.apache.org/jira/browse/MYFACES-1786?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12663782#action_12663782 ] 

Simon Kitching commented on MYFACES-1786:
-----------------------------------------

Oh, and possibly the code could avoid logging this exception, instead catching all javax.crypto exceptions in StateUtils.symmetric() and instead just logging "INFO: postback could not be decrypted; ignoring data".

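The failure described in the report and the two remedies suggested in the comments above (a constant org.apache.myfaces.SECRET in web.xml, and catching the crypto exception instead of propagating it), modelled as an added, self-contained Java example that is not MyFaces code. The DES/ECB/PKCS5Padding transformation, the full name org.apache.myfaces.USE_ENCRYPTION and the base64 encoding of the secret are assumptions; the sample key is constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;

/** Constructed model of the behaviour discussed in MYFACES-1786; this is not MyFaces code. */
public class ViewStateSecretDemo {
    // org.apache.myfaces.SECRET is named in the issue; the full USE_ENCRYPTION name is an assumption.
    static final String USE_ENCRYPTION = "org.apache.myfaces.USE_ENCRYPTION";
    static final String SECRET = "org.apache.myfaces.SECRET";
    // The stack trace shows DESCipher; the ECB/PKCS5Padding mode is an assumption for this model.
    static final String ALGORITHM = "DES";
    static final String TRANSFORM = "DES/ECB/PKCS5Padding";

    /** isSecure() as quoted in the report: encrypt unless the param is present and equal to "false". */
    static boolean isSecureAsImplemented(Map<String, String> initParams) {
        return !"false".equals(initParams.get(USE_ENCRYPTION));
    }

    /** isSecure() as the reporter proposes: encrypt only when the param is present and "true". */
    static boolean isSecureAsProposed(Map<String, String> initParams) {
        return "true".equals(initParams.get(USE_ENCRYPTION));
    }

    /** Lookup order from the StateUtils javadoc: init param, then system property, else none. */
    static byte[] findConfiguredSecret(Map<String, String> initParams) {
        String s = initParams.get(SECRET);
        if (s == null) s = System.getProperty(SECRET);
        return s == null ? null : Base64.getDecoder().decode(s); // assumption: secret is base64-encoded
    }

    /** Models the auto-generated secret: a fresh random key on every container start. */
    static SecretKey generateEphemeralKey() throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance(ALGORITHM);
        kg.init(new SecureRandom());
        return kg.generateKey();
    }

    /** Configured secret if present, otherwise an ephemeral key (what the report observes by default). */
    static SecretKey resolveKey(Map<String, String> initParams) throws GeneralSecurityException {
        byte[] configured = findConfiguredSecret(initParams);
        return configured != null ? new SecretKeySpec(configured, ALGORITHM) : generateEphemeralKey();
    }

    static byte[] crypt(int mode, SecretKey key, byte[] data) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance(TRANSFORM);
        c.init(mode, key);
        return c.doFinal(data);
    }

    /** Simon's suggestion: treat an undecryptable postback as "no state" instead of propagating. */
    static byte[] decryptOrIgnore(SecretKey key, byte[] blob) {
        try {
            return crypt(Cipher.DECRYPT_MODE, key, blob);
        } catch (GeneralSecurityException e) {
            System.out.println("INFO: postback could not be decrypted; ignoring data ("
                    + e.getClass().getSimpleName() + ")");
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] state = "serialized view tree".getBytes(StandardCharsets.UTF_8);
        Map<String, String> noConfig = new HashMap<>();
        System.out.println("no init-param: implemented=" + isSecureAsImplemented(noConfig)
                + " proposed=" + isSecureAsProposed(noConfig));   // true / false

        // 1. Default configuration: the key is generated at startup and regenerated on restart.
        SecretKey beforeRestart = resolveKey(noConfig);
        byte[] viewState = crypt(Cipher.ENCRYPT_MODE, beforeRestart, state); // page served before restart
        SecretKey afterRestart = resolveKey(noConfig);                        // container restarted
        try {
            byte[] garbage = crypt(Cipher.DECRYPT_MODE, afterRestart, viewState);
            // Rare case: PKCS5 padding is not an integrity check, so a wrong key can yield garbage.
            System.out.println("padding happened to validate; got " + garbage.length + " garbage bytes");
        } catch (BadPaddingException e) {
            System.out.println("restart without configured secret: " + e.getMessage());
        }
        System.out.println("graceful path returns " + decryptOrIgnore(afterRestart, viewState));

        // 2. Constant secret in web.xml: the same key on both sides of the restart.
        Map<String, String> withSecret = new HashMap<>();
        byte[] constructedKey = generateEphemeralKey().getEncoded(); // constructed sample value
        withSecret.put(SECRET, Base64.getEncoder().encodeToString(constructedKey));
        byte[] blob = crypt(Cipher.ENCRYPT_MODE, resolveKey(withSecret), state);
        byte[] restored = crypt(Cipher.DECRYPT_MODE, resolveKey(withSecret), blob);
        System.out.println("configured secret survives restart: " + new String(restored, StandardCharsets.UTF_8));
    }
}
```

The first scenario reproduces the BadPaddingException from the report in almost every run; the second shows why a constant, configured secret removes the restart problem.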


[jira] Commented: (MYFACES-1786) Encryption is enabled by default, causing problems if no secret is set

Posted by "Jon Harley (JIRA)" <de...@myfaces.apache.org>.
    [ https://issues.apache.org/jira/browse/MYFACES-1786?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12663783#action_12663783 ] 

Jon Harley commented on MYFACES-1786:
-------------------------------------

You have a point about defaulting to secure, but forcing people to add init-parameters to avoid broken behaviour is against the spirit of convention-over-configuration which seems to be the direction JSF is trying to go in.

And if requests are *expected* to fail given the default behaviour (in this case, a user is served a page before an app restart, then clicks on a link after the restart), then that failure should be handled by MyFaces - rather than throwing some bizarre exception. Exceptions should only be for unexpected behaviour, not default behaviour.

Anyhow, currently there is nothing to alert the administrators that the problem may occur, and the documentation flatly contradicts what MyFaces actually does - so there is definitely an issue to be fixed.

ISTM there are two possible solutions to this issue: either (a) fix the code to match the existing documentation, or (b) fix the documentation and gracefully handle the errors which inevitably occur given the default configuration.


> 	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
> 	at org.springframework.orm.jdo.support.OpenPersistenceManagerInViewFilter.doFilterInternal(OpenPersistenceManagerInViewFilter.java:106)
> 	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:77)
> 	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
> 	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
> 	at org.netbeans.modules.web.monitor.server.MonitorFilter.doFilter(MonitorFilter.java:390)
> 	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
> 	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
> 	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
> 	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
> 	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
> 	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
> 	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
> 	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:263)
> 	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
> 	at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:584)
> 	at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
> 	at java.lang.Thread.run(Thread.java:619)
> Caused by: javax.crypto.BadPaddingException: Given final block not properly padded
> 	at com.sun.crypto.provider.SunJCE_f.b(DashoA13*..)
> 	at com.sun.crypto.provider.SunJCE_f.b(DashoA13*..)
> 	at com.sun.crypto.provider.DESCipher.engineDoFinal(DashoA13*..)
> 	at javax.crypto.Cipher.doFinal(DashoA13*..)
> 	at org.apache.myfaces.shared_impl.util.StateUtils.symmetric(StateUtils.java:366)
> 	... 48 more
> Caused by: javax.crypto.BadPaddingException: Given final block not properly padded
> 	at com.sun.crypto.provider.SunJCE_f.b(DashoA13*..)
> 	at com.sun.crypto.provider.SunJCE_f.b(DashoA13*..)
> 	at com.sun.crypto.provider.DESCipher.engineDoFinal(DashoA13*..)
> 	at javax.crypto.Cipher.doFinal(DashoA13*..)
> 	at org.apache.myfaces.shared_impl.util.StateUtils.symmetric(StateUtils.java:366)
> 	at org.apache.myfaces.shared_impl.util.StateUtils.symmetric(StateUtils.java:408)
> 	at org.apache.myfaces.shared_impl.util.StateUtils.decrypt(StateUtils.java:288)
> 	at org.apache.myfaces.shared_impl.util.StateUtils.reconstruct(StateUtils.java:237)
> 	at org.apache.myfaces.renderkit.html.HtmlResponseStateManager.getTreeStructureToRestore(HtmlResponseStateManager.java:129)
> 	at javax.faces.render.ResponseStateManager.getState(ResponseStateManager.java:81)
> 	at org.apache.myfaces.application.jsp.JspStateManagerImpl.restoreView(JspStateManagerImpl.java:283)
> 	at org.ajax4jsf.framework.ajax.AjaxStateManager.restoreView(AjaxStateManager.java:83)
> 	at org.apache.myfaces.application.jsp.JspViewHandlerImpl.restoreView(JspViewHandlerImpl.java:354)
> 	at com.sun.facelets.FaceletViewHandler.restoreView(FaceletViewHandler.java:317)
> 	at org.ajax4jsf.framework.ViewHandlerWrapper.restoreView(ViewHandlerWrapper.java:116)
> 	at org.ajax4jsf.framework.ajax.AjaxViewHandler.restoreView(AjaxViewHandler.java:147)
> 	at org.jenia.faces.template.handler.ViewHandler.restoreView(ViewHandler.java:263)
> 	at com.sun.facelets.FaceletViewHandler.restoreView(FaceletViewHandler.java:317)
> 	at org.ajax4jsf.framework.ViewHandlerWrapper.restoreView(ViewHandlerWrapper.java:116)
> 	at org.ajax4jsf.framework.ajax.AjaxViewHandler.restoreView(AjaxViewHandler.java:147)
> 	at org.apache.myfaces.lifecycle.RestoreViewExecutor.execute(RestoreViewExecutor.java:85)
> 	at org.apache.myfaces.lifecycle.LifecycleImpl.executePhase(LifecycleImpl.java:95)
> 	at org.apache.myfaces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:70)
> 	at javax.faces.webapp.FacesServlet.service(FacesServlet.java:137)
> This was reported on the MyFaces users list using MyFaces 1.2.0 and is still present in 1.2.1-SNAPSHOT.
> The fix is to correct the bug in the line from org.apache.myfaces.util.StateUtils.isSecure() quoted above, so that it reads:
> return "true".equals(ctx.getInitParameter(USE_ENCRYPTION));

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
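The difference between the two predicates quoted in the issue is easy to miss in review, so here is an added example (not MyFaces code) that runs the buggy `! "false".equals(...)` test and the proposed `"true".equals(...)` test over the same init-parameter values, with `null` standing for a parameter that is absent from web.xml. The `encryptionShouldRun` helper and the sample values are assumptions made for this example; they mirror the documented contract that a secret must come from the init param or a system property, and that without one encryption is not used.

```java
import java.util.Arrays;

/**
 * Added example, not part of MyFaces: compares the buggy and fixed readings
 * of the USE_ENCRYPTION init parameter described in MYFACES-1786.
 */
public class UseEncryptionCheck {

    /** Buggy predicate from the issue: encryption is on unless the param is exactly "false". */
    static boolean isSecureBuggy(String useEncryption) {
        return !"false".equals(useEncryption);
    }

    /** Proposed fix from the issue: encryption is on only when the param is exactly "true". */
    static boolean isSecureFixed(String useEncryption) {
        return "true".equals(useEncryption);
    }

    /**
     * Hypothetical helper mirroring the documented contract: the secret is taken
     * from the init param first, then from a system property; with no secret,
     * encryption must not run, whatever the USE_ENCRYPTION flag says.
     */
    static boolean encryptionShouldRun(String useEncryption,
                                       String initParamSecret,
                                       String systemPropertySecret) {
        String secret = initParamSecret != null ? initParamSecret : systemPropertySecret;
        return isSecureFixed(useEncryption) && secret != null && !secret.isEmpty();
    }

    public static void main(String[] args) {
        // Constructed sample values; null means the init parameter is absent.
        String[] inputs = { null, "true", "false", "TRUE", "yes", "" };
        System.out.printf("%-10s %-6s %-6s%n", "param", "buggy", "fixed");
        for (String in : inputs) {
            String label = in == null ? "<absent>" : "\"" + in + "\"";
            System.out.printf("%-10s %-6s %-6s%n", label, isSecureBuggy(in), isSecureFixed(in));
        }
        // The restart scenario from the report: no secret configured anywhere.
        System.out.println("absent param, no secret -> encrypt? "
                + encryptionShouldRun(null, null, null));
        // Operator opted in and supplied a secret via the init param.
        System.out.println("param=true, secret set  -> encrypt? "
                + encryptionShouldRun("true", "example-secret", null));
    }
}
```

Run with `javac UseEncryptionCheck.java && java UseEncryptionCheck`. The table makes the failure mode visible: under the buggy predicate an absent parameter, a typo such as `yes`, and an empty string all switch encryption on, which is exactly the configuration in which no operator-supplied secret exists and a per-start generated one has to be used. Note that the fix as quoted is case-sensitive, so `TRUE` is treated as "not enabled"; that is faithful to the proposed one-line change and worth documenting for deployers.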