Misagh, I discovered that our app vulnerability scanner is creating the 500 errors with a bad request; however, I believe a better practice would be for CAS to handle these errors and return a 400 (Bad Request) HTTP response code instead of 500, which indicates there is an unhandled exception in the code.
Can CAS be updated to better handle these errors and return a more appropriate response?

Thanks,
Adam

On Mon, Jan 8, 2018 at 2:39 PM, Misagh Moayyed <[email protected]> wrote:

> This is about a bad webflow execution key, indicated by the execution
> parameter that is badly provided or parsed. Either you have someone trying
> to POST to the CAS login endpoint from the outside, or you have someone
> send you a bad request to a page/endpoint that causes the blowup.
> Coincidentally, a project I am working on today reported a similar issue
> and it turned out to be a SAML request sent to the CAS logout endpoint
> (which was wrong to begin with). You may also want to look at your
> access-log and see where the requests are coming from.
>
> --Misagh
>
> ------------------------------
>
> *From: *"Adam Causey" <[email protected]>
> *To: *[email protected]
> *Sent: *Friday, January 5, 2018 6:40:42 PM
> *Subject: *Re: [cas-user] Re: Webflow error in CAS 5.1.4
>
> Misagh,
>
> The login page loads fine for users. Is there something on the page that I
> should check?
>
> Thanks!
>
> On Fri, Jan 5, 2018, 11:45 AM Misagh Moayyed <[email protected]> wrote:
>
>> You have a bad login page.
>>
>> Also you're to upgrade to the latest 5.1.x release line. Any patch
>> release that goes out unofficially invalidates its predecessors.
>>
>> --Misagh
>>
>> ------------------------------
>>
>> *From: *"Adam Causey" <[email protected]>
>> *To: *[email protected]
>> *Sent: *Friday, January 5, 2018 8:16:21 AM
>> *Subject: *[cas-user] Re: Webflow error in CAS 5.1.4
>>
>> We have kept version 5.1.4 in production, however we still see the errors
>> in the logs. We haven't received any user complaints, and there is no
>> username coming back with the error message. Does anyone know how I might
>> be able to trace back what page is creating the error?
>>
>> On Thu, Jan 4, 2018 at 7:21 AM, Adam Causey <[email protected]> wrote:
>>
>>> I recently rolled out CAS 5.1.4 to our production environment, however
>>> we started to see these errors in our logs. We performed a great deal of
>>> testing but never encountered this error. Any ideas of what could be
>>> causing this?
>>>
>>> 2018-01-04 07:18:13,905 [ajp-nio-8011-exec-1] ERROR org.apache.catalina.core.ContainerBase.[Tomcat].[localhost].[/cas].[dispatcherServlet] - Servlet.service() for servlet [dispatcherServlet] in context with path [/cas] threw exception [Request processing failed; nested exception is org.springframework.webflow.execution.repository.BadlyFormattedFlowExecutionKeyException: Badly formatted flow execution key 'e2s1', the expected format is '<uuid>_<base64-encoded-flow-state>'] with root cause
>>>
>>> org.springframework.webflow.execution.repository.BadlyFormattedFlowExecutionKeyException: Badly formatted flow execution key 'e2s1', the expected format is '<uuid>_<base64-encoded-flow-state>'
>>>     at org.apereo.spring.webflow.plugin.ClientFlowExecutionKey.parse(ClientFlowExecutionKey.java:102) ~[spring-webflow-client-repo-1.0.3.jar!/:1.0.3]
>>>     at org.apereo.spring.webflow.plugin.ClientFlowExecutionRepository.parseFlowExecutionKey(ClientFlowExecutionRepository.java:74) ~[spring-webflow-client-repo-1.0.3.jar!/:1.0.3]
>>>     at org.springframework.webflow.executor.FlowExecutorImpl.resumeExecution(FlowExecutorImpl.java:164) ~[spring-webflow-2.4.4.RELEASE.jar!/:2.4.4.RELEASE]
>>>     at sun.reflect.GeneratedMethodAccessor293.invoke(Unknown Source) ~[?:?]
>>>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_141]
>>>     at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_141]
>>>     at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:333) ~[spring-aop-4.3.11.RELEASE.jar!/:4.3.11.RELEASE]
>>>     at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:190) ~[spring-aop-4.3.11.RELEASE.jar!/:4.3.11.RELEASE]
>>>     at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:157) ~[spring-aop-4.3.11.RELEASE.jar!/:4.3.11.RELEASE]
>>>     at org.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:133) ~[spring-aop-4.3.11.RELEASE.jar!/:4.3.11.RELEASE]
>>>     at org.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:121) ~[spring-aop-4.3.11.RELEASE.jar!/:4.3.11.RELEASE]
>>>     at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179) ~[spring-aop-4.3.11.RELEASE.jar!/:4.3.11.RELEASE]
>>>     at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:213) ~[spring-aop-4.3.11.RELEASE.jar!/:4.3.11.RELEASE]
>>>     at com.sun.proxy.$Proxy158.resumeExecution(Unknown Source) ~[?:?]
>>>     at org.springframework.webflow.mvc.servlet.FlowHandlerAdapter.handle(FlowHandlerAdapter.java:253) ~[spring-webflow-2.4.4.RELEASE.jar!/:2.4.4.RELEASE]
>>>     at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:967) ~[spring-webmvc-4.3.11.RELEASE.jar!/:4.3.11.RELEASE]
>>>     at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:901) ~[spring-webmvc-4.3.11.RELEASE.jar!/:4.3.11.RELEASE]
>>>     at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:970) ~[spring-webmvc-4.3.11.RELEASE.jar!/:4.3.11.RELEASE]
>>>     at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:872) ~[spring-webmvc-4.3.11.RELEASE.jar!/:4.3.11.RELEASE]
>>>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:707) ~[javax.servlet-api-3.1.0.jar!/:3.1.0]
>>>     at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:846) ~[spring-webmvc-4.3.11.RELEASE.jar!/:4.3.11.RELEASE]
>>>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) ~[javax.servlet-api-3.1.0.jar!/:3.1.0]
>>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231) ~[tomcat-embed-core-8.5.20.jar!/:8.5.20]
>>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-embed-core-8.5.20.jar!/:8.5.20]
>>>     at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52) ~[tomcat-embed-websocket-8.5.20.jar!/:8.5.20]
>>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat-embed-core-8.5.20.jar!/:8.5.20]
>>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-embed-core-8.5.20.jar!/:8.5.20]
>>>     at org.apereo.cas.web.support.AuthenticationCredentialsLocalBinderClearingFilter.doFilter(AuthenticationCredentialsLocalBinderClearingFilter.java:28) ~[cas-server-core-web-5.1.4.jar!/:5.1.4]
>>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat-embed-core-8.5.20.jar!/:8.5.20]
>>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-embed-core-8.5.20.jar!/:8.5.20]
>>>     at org.apereo.cas.security.RequestParameterPolicyEnforcementFilter.doFilter(RequestParameterPolicyEnforcementFilter.java:261) ~[cas-server-security-filter-2.0.6.jar!/:2.0.6]
>>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat-embed-core-8.5.20.jar!/:8.5.20]
>>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-embed-core-8.5.20.jar!/:8.5.20]
>>>     at org.apereo.cas.security.ResponseHeadersEnforcementFilter.doFilter(ResponseHeadersEnforcementFilter.java:238) ~[cas-server-security-filter-2.0.6.jar!/:2.0.6]
>>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat-embed-core-8.5.20.jar!/:8.5.20]
>>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-embed-core-8.5.20.jar!/:8.5.20]
>>>     at org.springframework.boot.actuate.trace.WebRequestTraceFilter.doFilterInternal(WebRequestTraceFilter.java:110) ~[spring-boot-actuator-1.5.3.RELEASE.jar!/:1.5.3.RELEASE]
>>>     at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) ~[spring-web-4.3.11.RELEASE.jar!/:4.3.11.RELEASE]
>>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat-embed-core-8.5.20.jar!/:8.5.20]
>>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-embed-core-8.5.20.jar!/:8.5.20]
>>>     at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:99) ~[spring-web-4.3.11.RELEASE.jar!/:4.3.11.RELEASE]
>>>     at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) ~[spring-web-4.3.11.RELEASE.jar!/:4.3.11.RELEASE]
>>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat-embed-core-8.5.20.jar!/:8.5.20]
>>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-embed-core-8.5.20.jar!/:8.5.20]
>>>     at org.springframework.web.filter.HttpPutFormContentFilter.doFilterInternal(HttpPutFormContentFilter.java:108) ~[spring-web-4.3.11.RELEASE.jar!/:4.3.11.RELEASE]
>>>     at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) ~[spring-web-4.3.11.RELEASE.jar!/:4.3.11.RELEASE]
>>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat-embed-core-8.5.20.jar!/:8.5.20]
>>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-embed-core-8.5.20.jar!/:8.5.20]
>>>     at org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:81) ~[spring-web-4.3.11.RELEASE.jar!/:4.3.11.RELEASE]
>>>     at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) ~[spring-web-4.3.11.RELEASE.jar!/:4.3.11.RELEASE]
>>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat-embed-core-8.5.20.jar!/:8.5.20]
>>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-embed-core-8.5.20.jar!/:8.5.20]
>>>     at org.apereo.cas.logging.web.ThreadContextMDCServletFilter.doFilter(ThreadContextMDCServletFilter.java:90) ~[cas-server-core-logging-5.1.4.jar!/:5.1.4]
>>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat-embed-core-8.5.20.jar!/:8.5.20]
>>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-embed-core-8.5.20.jar!/:8.5.20]
>>>     at org.springframework.boot.actuate.autoconfigure.MetricsFilter.doFilterInternal(MetricsFilter.java:106) ~[spring-boot-actuator-1.5.3.RELEASE.jar!/:1.5.3.RELEASE]
>>>     at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) ~[spring-web-4.3.11.RELEASE.jar!/:4.3.11.RELEASE]
>>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat-embed-core-8.5.20.jar!/:8.5.20]
>>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-embed-core-8.5.20.jar!/:8.5.20]
>>>     at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:197) ~[spring-web-4.3.11.RELEASE.jar!/:4.3.11.RELEASE]
>>>     at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) ~[spring-web-4.3.11.RELEASE.jar!/:4.3.11.RELEASE]
>>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat-embed-core-8.5.20.jar!/:8.5.20]
>>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-embed-core-8.5.20.jar!/:8.5.20]
>>>     at org.apereo.inspektr.common.web.ClientInfoThreadLocalFilter.doFilter(ClientInfoThreadLocalFilter.java:64) ~[inspektr-common-1.7.GA.jar!/:1.7.GA]
>>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat-embed-core-8.5.20.jar!/:8.5.20]
>>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-embed-core-8.5.20.jar!/:8.5.20]
>>>     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198) ~[tomcat-embed-core-8.5.20.jar!/:8.5.20]
>>>     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96) ~[tomcat-embed-core-8.5.20.jar!/:8.5.20]
>>>     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:478) ~[tomcat-embed-core-8.5.20.jar!/:8.5.20]
>>>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140) ~[tomcat-embed-core-8.5.20.jar!/:8.5.20]
>>>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:80) ~[tomcat-embed-core-8.5.20.jar!/:8.5.20]
>>>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87) ~[tomcat-embed-core-8.5.20.jar!/:8.5.20]
>>>     at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:650) ~[tomcat-embed-core-8.5.20.jar!/:8.5.20]
>>>     at org.apache.catalina.valves.RemoteIpValve.invoke(RemoteIpValve.java:677) ~[tomcat-embed-core-8.5.20.jar!/:8.5.20]
>>>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342) ~[tomcat-embed-core-8.5.20.jar!/:8.5.20]
>>>     at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:486) ~[tomcat-embed-core-8.5.20.jar!/:8.5.20]
>>>     at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66) ~[tomcat-embed-core-8.5.20.jar!/:8.5.20]
>>>     at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868) ~[tomcat-embed-core-8.5.20.jar!/:8.5.20]
>>>     at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1457) ~[tomcat-embed-core-8.5.20.jar!/:8.5.20]
>>>     at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) ~[tomcat-embed-core-8.5.20.jar!/:8.5.20]
>>>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_141]
>>>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_141]
>>>     at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) ~[tomcat-embed-core-8.5.20.jar!/:8.5.20]
>>>     at java.lang.Thread.run(Thread.java:748) [?:1.8.0_141]
>>>
>>> Thanks!
>>>
>>> Adam
>>>
>> --
>> - Website: https://apereo.github.io/cas
>> - Gitter Chatroom: https://gitter.im/apereo/cas
>> - List Guidelines: https://goo.gl/1VRrw7
>> - Contributions: https://goo.gl/mh7qDG
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "CAS Community" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> To view this discussion on the web visit
>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAN6MV5NW8Zf%2Bv%2BXysmSGkZpQX43SiWPO1hqotdkaf8zuEE3Fow%40mail.gmail.com
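The thread turns on two practical points: the `execution` parameter must have the form `<uuid>_<base64-encoded-flow-state>` (quoted from the exception message above; the server-style key `e2s1` fails that check), and Misagh's advice to read the access log to see where the offending requests come from. The following Python script is an added example, not code from CAS or from anyone in the thread. It validates execution keys against that format and triages constructed Tomcat access-log lines by client address, so that client-side bad requests can be separated from genuine server faults. It assumes Tomcat's common log pattern (`%h %l %u %t "%r" %s %b`) and that the flow state may be encoded with either the standard or the URL-safe base64 alphabet, padded or not; the IP addresses, UUID and log lines are all constructed.

```python
"""Validate CAS/Spring Web Flow client execution keys and triage a Tomcat access log.

Added example (not CAS project code). Assumptions:
  * a key is '<uuid>_<base64-encoded-flow-state>', quoted from the exception message;
  * the state may use the standard or URL-safe base64 alphabet, padded or not;
  * the access log uses Tomcat's common pattern: %h %l %u %t "%r" %s %b.
"""
from __future__ import annotations

import base64
import binascii
import re
import uuid
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Tomcat common access-log pattern: host ident user [time] "METHOD target PROTO" status bytes
ACCESS_LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)


def _decode_flow_state(encoded: str) -> bytes:
    """Decode the base64 part, accepting either alphabet and restoring stripped padding."""
    normalized = encoded.replace("-", "+").replace("_", "/")
    normalized += "=" * (-len(normalized) % 4)
    return base64.b64decode(normalized, validate=True)  # raises binascii.Error on junk


def parse_execution_key(key: str) -> tuple[uuid.UUID, bytes]:
    """Return (flow uuid, decoded state) or raise ValueError for a malformed key.

    'e2s1' from the thread is the server-side repository key style and fails here
    for the same reason it fails in the CAS log: no '_' separator and no UUID."""
    head, sep, tail = key.partition("_")
    if not sep or not tail:
        raise ValueError(f"expected '<uuid>_<base64-encoded-flow-state>', got {key!r}")
    try:
        flow_uuid = uuid.UUID(head)
    except ValueError as exc:
        raise ValueError(f"execution key prefix {head!r} is not a UUID") from exc
    try:
        state = _decode_flow_state(tail)
    except binascii.Error as exc:
        raise ValueError("execution key suffix is not valid base64") from exc
    return flow_uuid, state


def is_valid_execution_key(key: str) -> bool:
    """Boolean form of the check, usable as a pre-filter before the flow executor runs."""
    try:
        parse_execution_key(key)
        return True
    except ValueError:
        return False


def make_execution_key(state: bytes, flow_uuid: uuid.UUID) -> str:
    """Build a key in the expected format (URL-safe base64, padding stripped)."""
    return f"{flow_uuid}_{base64.urlsafe_b64encode(state).decode().rstrip('=')}"


def triage_access_log(lines) -> Counter:
    """Count findings per (client host, reason).

    A malformed 'execution' query parameter is a client-side bad request. A 500 with
    no 'execution' in the query string is flagged for correlation with the server
    log, because POST bodies are never written to the access log."""
    findings: Counter = Counter()
    for line in lines:
        match = ACCESS_LOG_RE.match(line.strip())
        if not match:
            continue  # skip blank or non-matching lines rather than failing the run
        host, status = match["host"], int(match["status"])
        query = parse_qs(urlsplit(match["target"]).query)
        if "execution" in query:
            for key in query["execution"]:
                if not is_valid_execution_key(key):
                    findings[(host, f"malformed execution key {key!r}")] += 1
        elif status == 500:
            findings[(host, "HTTP 500 without execution in query string")] += 1
    return findings


# Constructed sample data: RFC 5737 documentation addresses and a fixed UUID.
SAMPLE_UUID = uuid.UUID("12345678-1234-5678-1234-567812345678")
VALID_KEY = make_execution_key(b"flow-state-bytes", SAMPLE_UUID)
SAMPLE_LOG = f"""\
192.0.2.10 - - [04/Jan/2018:07:18:13 -0600] "POST /cas/login?execution=e2s1 HTTP/1.1" 500 1822
192.0.2.10 - - [04/Jan/2018:07:18:14 -0600] "GET /cas/login?execution=notakey HTTP/1.1" 500 1822
198.51.100.7 - - [04/Jan/2018:07:18:15 -0600] "GET /cas/login?service=https%3A%2F%2Fapp.example.org HTTP/1.1" 200 5120
198.51.100.7 - - [04/Jan/2018:07:18:20 -0600] "POST /cas/login?execution={VALID_KEY} HTTP/1.1" 302 0
203.0.113.4 - - [04/Jan/2018:07:19:01 -0600] "POST /cas/logout HTTP/1.1" 500 1822
"""

if __name__ == "__main__":
    for (host, reason), count in sorted(triage_access_log(SAMPLE_LOG.splitlines()).items()):
        print(f"{host:<14} x{count}  {reason}")
```

On the constructed log the scanner host 192.0.2.10 accounts for both malformed keys, the legitimate user at 198.51.100.7 produces no finding, and the 500 on `/cas/logout` from 203.0.113.4 is flagged for correlation with the server log timestamp, since a key submitted in a POST body never appears in the access log. The same format rule, applied as a pre-check before the request reaches the flow executor, is one way to turn such requests into a 400 rather than an unhandled exception.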
