Posted to dev@shiro.apache.org by "Les Hazlewood (JIRA)" <ji...@apache.org> on 2010/07/15 20:05:51 UTC

[jira] Commented: (SHIRO-183) Unable to correctly extract the Initialization Vector or ciphertext

    [ https://issues.apache.org/jira/browse/SHIRO-183?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12888871#action_12888871 ] 

Les Hazlewood commented on SHIRO-183:
-------------------------------------

Hi there,

It is quite possible this is not a bug - this can happen if a remember me cookie was created before upgrading to Shiro 1.0.0 and then the same cookie was read during a request after the upgrade.  Or it can happen if a remember me cookie was created when securityManager.rememberMeManager.cipherService.generateInitializationVectors = false and then it was set to true at a later time; the read cookie would fail to be decrypted.

Odds are very high the first scenario occurred and caused you to see these warning messages.  If so, you can completely ignore these warnings - the next time a user logs in, the faulty cookie will be deleted and reset with a new (correct) one.

Setting a cipherKey is recommended to ensure that no-one else can decrypt your data (instead of using the default cipherKey which can be known since Shiro's source code is readily available).  The cipherKey itself has nothing to do with how the initialization vector is generated or read, so setting the key, while still a good thing to do, won't make this warning go away.

If you still think this is a bug, do you have a test case to verify the issue?  It is impossible for us to track down the issue unless we can re-create it.

> Unable to correctly extract the Initialization Vector or ciphertext
> -------------------------------------------------------------------
>
>                 Key: SHIRO-183
>                 URL: https://issues.apache.org/jira/browse/SHIRO-183
>             Project: Shiro
>          Issue Type: Bug
>          Components: Subject
>    Affects Versions: 1.0.0
>         Environment: GNU/Linux Debian Lenny, Java 1.6
>            Reporter: RynekMedyczny.pl
>
> I obtain the following exception while entering the secure page:
>   [java] 101637 [http-8080-1] WARN org.apache.shiro.mgt.DefaultSecurityManager - Delegate RememberMeManager instance of type [org.apache.shiro.web.mgt.CookieRememberMeManager] threw an exception during getRememberedPrincipals().
>      [java] org.apache.shiro.crypto.CryptoException: Unable to correctly extract the Initialization Vector or ciphertext.
>      [java] 	at org.apache.shiro.crypto.JcaCipherService.decrypt(JcaCipherService.java:381)
>      [java] 	at org.apache.shiro.mgt.AbstractRememberMeManager.decrypt(AbstractRememberMeManager.java:491)
>      [java] 	at org.apache.shiro.mgt.AbstractRememberMeManager.convertBytesToPrincipals(AbstractRememberMeManager.java:431)
>      [java] 	at org.apache.shiro.mgt.AbstractRememberMeManager.getRememberedPrincipals(AbstractRememberMeManager.java:398)
>      [java] 	at org.apache.shiro.mgt.DefaultSecurityManager.getRememberedIdentity(DefaultSecurityManager.java:567)
>      [java] 	at org.apache.shiro.mgt.DefaultSecurityManager.resolvePrincipals(DefaultSecurityManager.java:434)
>      [java] 	at org.apache.shiro.mgt.DefaultSecurityManager.createSubject(DefaultSecurityManager.java:335)
>      [java] 	at org.apache.shiro.subject.Subject$Builder.buildSubject(Subject.java:819)
>      [java] 	at org.apache.shiro.web.subject.WebSubject$Builder.buildWebSubject(WebSubject.java:149)
>      [java] 	at org.apache.shiro.web.servlet.AbstractShiroFilter.createSubject(AbstractShiroFilter.java:202)
>      [java] 	at org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:269)
>      [java] 	at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:83)
>      [java] 	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>      [java] 	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>      [java] 	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
>      [java] 	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
>      [java] 	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
>      [java] 	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>      [java] 	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>      [java] 	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
>      [java] 	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:852)
>      [java] 	at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
>      [java] 	at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
>      [java] 	at java.lang.Thread.run(Thread.java:619)
>      [java] Caused by: java.lang.ArrayIndexOutOfBoundsException
>      [java] 	at java.lang.System.arraycopy(Native Method)
>      [java] 	at org.apache.shiro.crypto.JcaCipherService.decrypt(JcaCipherService.java:373)
>      [java] 	... 23 more
> Of course I have set the "securityManager.rememberMeManager.cipherKey" in shiro.ini but it did not help.
> kind regards.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
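
Added example, not part of the original message and not Shiro's own code: a small Java model of the layout mismatch described in the comment above, where a blob written without a prepended IV is later read by a decryptor that expects one, plus a length check before slicing. The class and method names, the use of AES/CBC, the 16-byte IV and the all-zero IV for the "no generated IV" case are assumptions made for illustration; it does not reproduce the exact exception in the stack trace.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.*;
import java.security.*;
import java.util.*;
// Added illustration, not Shiro source. Assumed: AES/CBC, 16-byte IV, zero IV when none is generated.
public class IvPrefixDemo {
    static final int IV_LEN = 16; // AES block size in bytes
    static final SecureRandom RNG = new SecureRandom();
    static Cipher aes(int mode, byte[] key, byte[] iv) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(mode, new SecretKeySpec(key, "AES"), new IvParameterSpec(iv));
        return c;
    }

    static byte[] encrypt(byte[] key, byte[] plain, boolean generateIv) throws GeneralSecurityException {
        byte[] iv = new byte[IV_LEN];                       // stays all-zero when generateIv is false
        if (generateIv) RNG.nextBytes(iv);
        byte[] ct = aes(Cipher.ENCRYPT_MODE, key, iv).doFinal(plain);
        if (!generateIv) return ct;                         // layout: ciphertext only
        byte[] out = Arrays.copyOf(iv, IV_LEN + ct.length); // layout: IV || ciphertext
        System.arraycopy(ct, 0, out, IV_LEN, ct.length);
        return out;
    }

    static byte[] decrypt(byte[] key, byte[] data, boolean expectIv) throws GeneralSecurityException {
        // Check the length before slicing so a short or foreign blob is rejected cleanly.
        int min = expectIv ? 2 * IV_LEN : IV_LEN;
        if (data.length < min || data.length % IV_LEN != 0)
            throw new GeneralSecurityException("blob does not match the expected layout");
        byte[] iv = expectIv ? Arrays.copyOfRange(data, 0, IV_LEN) : new byte[IV_LEN];
        byte[] ct = expectIv ? Arrays.copyOfRange(data, IV_LEN, data.length) : data;
        return aes(Cipher.DECRYPT_MODE, key, iv).doFinal(ct);
    }

    public static void main(String[] args) throws Exception {
        byte[] key = new byte[16];                          // random 128-bit key instead of a default
        RNG.nextBytes(key);
        byte[] principals = "constructed-principal:alice".getBytes("UTF-8"); // constructed sample
        byte[] oldCookie = encrypt(key, principals, false); // written with IV generation off
        byte[] newCookie = encrypt(key, principals, true);  // written with IV generation on
        System.out.println("new/new ok: " + Arrays.equals(principals, decrypt(key, newCookie, true)));
        try {   // the old layout read under the new setting never yields the original bytes
            byte[] got = decrypt(key, oldCookie, true);
            System.out.println("old/new recovered original: " + Arrays.equals(principals, got));
        } catch (GeneralSecurityException e) {
            System.out.println("old/new rejected: " + e.getMessage());
        }
    }
}
```

In this model a mismatched blob is either rejected by the length check or, because of how CBC chains blocks, decrypts without error to a truncated value, so the decrypted content still has to be validated before it is trusted.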