I'm struggling with the same issue. I've just debugged it and saw
that JwtTicketCipherExecutor is instantiated via default constructor which
just ignores the cas.properties. Is it normal behaviour? The info message
is really misleading.
On Tuesday, June 4, 2019 at 19:09:16 UTC+2, Alessandro Moscatelli wrote:
>
> Both with 5.3.10 and 6.0.4 I am observing strange warnings in my log:
>
> 2019-06-04 16:41:13,282 WARN [org.apereo.cas.util.cipher.BaseStringCipherExecutor] - <Encryption is not enabled for [Token/JWT Tickets]. The cipher [RegisteredServiceTokenTicketCipherExecutor] will only attempt to produce signed objects>
> 2019-06-04 16:41:13,283 WARN [org.apereo.cas.util.cipher.BaseStringCipherExecutor] - <Signing is not enabled for [Token/JWT Tickets]. The cipher [RegisteredServiceTokenTicketCipherExecutor] will attempt to produce plain objects>
>
> I don't get what it's complaining about.
> I defined these global variables in cas.properties:
>
> cas.authn.token.crypto.enabled=true
> cas.authn.token.crypto.signingEnabled=true
> cas.authn.token.crypto.encryptionEnabled=true
> cas.authn.token.crypto.signing.key=${OPTOPLUS_CAS_TOKEN_SIGNING_KEY}
> cas.authn.token.crypto.signing.keySize=512
> cas.authn.token.crypto.encryption.key=${OPTOPLUS_CAS_TOKEN_ENCRYPTION_KEY}
> cas.authn.token.crypto.encryption.keySize=256
> cas.authn.token.crypto.alg=A128CBC-HS256
>
> Also, I believe (and I DO REALLY HOPE SO) my JWT Tickets are indeed signed
> and ciphered, since my backend uses jose4j to verify the signature and
> decipher:
>
> JsonWebSignature jws = new JsonWebSignature();
> jws.setCompactSerialization(bearer);
> jws.setKey(signingKey);
> if (jws.verifySignature()) {
>     // The JWS payload is itself a JWE compact serialization: verify the
>     // signature first, then decrypt the nested object.
>     JsonWebEncryption jwe = new JsonWebEncryption();
>     jwe.setCompactSerialization(new String(Base64.decodeBase64(jws.getEncodedPayload()),
>             StandardCharsets.UTF_8));
>     jwe.setKey(encryptionKey);
>     JwtClaims claims = JwtClaims.parse(jwe.getPlaintextString());
>     NumericDate issuedAt = claims.getIssuedAt();
>     // Null-check before touching issuedAt (addSeconds on a missing "iat" would NPE);
>     // accept tickets issued within the last 60 seconds.
>     if (Objects.nonNull(issuedAt)) {
>         issuedAt.addSeconds(60);
>         if (issuedAt.isAfter(NumericDate.now())) {
>             String subject = claims.getSubject();
>             if (StringUtils.isNotBlank(subject)) {
>                 CredentialValidationResult validate =
>                         this.identityStore.validate(new CallerOnlyCredential(subject));
>                 if (Status.VALID.equals(validate.getStatus())) {
>                     return httpMessageContext.notifyContainerAboutLogin(validate);
>                 }
>             }
>         }
>     }
> }
>
> According to:
>
> https://github.com/apereo/cas/blob/master/core/cas-server-core-util-api/src/main/java/org/apereo/cas/util/cipher/BaseStringCipherExecutor.java
>
> this.encryptionEnabled = encryptionEnabled || StringUtils.isNotBlank(secretKeyEncryption);
> this.signingEnabled = signingEnabled || StringUtils.isNotBlank(secretKeySigning);
> this.signingKeySize = signingKeyLength <= 0
>         ? CipherExecutor.DEFAULT_STRINGABLE_SIGNING_KEY_SIZE : signingKeyLength;
> this.encryptionKeySize = encryptionKeyLength <= 0
>         ? CipherExecutor.DEFAULT_STRINGABLE_ENCRYPTION_KEY_SIZE : encryptionKeyLength;
>
> if (this.encryptionEnabled) {
>     configureEncryptionParameters(secretKeyEncryption, contentEncryptionAlgorithmIdentifier);
> } else {
>     LOGGER.info("Encryption is not enabled for [{}]. The cipher [{}] will only attempt to produce signed objects",
>             getName(), getClass().getSimpleName());
> }
>
> I can't understand what's happening. I believe encryptionEnabled is
> cas.authn.token.crypto.encryptionEnabled
> and secretKeyEncryption should be cas.authn.token.crypto.encryption.key.
>
> Am I missing something?
> Thank you in advance
>
>
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/e9c5e26a-2a0a-4332-ac76-dbfc7bbf6604%40apereo.org.
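Added example, not part of this thread and not CAS or jose4j code: a stdlib-only Python diagnostic that settles the "I do really hope so" question by reading the JOSE headers of a ticket instead of trusting the startup log line. It assumes the nesting the poster's own verification code shows (outer JWS whose payload is a JWE compact serialization), takes A128CBC-HS256 from the poster's cas.authn.token.crypto.alg, and assumes HS512 as the signing algorithm to match signing.keySize=512 (an assumption; adjust to your deployment). The sample tokens are constructed from dummy bytes with no real keys, so only their structure is meaningful.

```python
import base64
import json

# Expected algorithms: A128CBC-HS256 is the poster's cas.authn.token.crypto.alg;
# HS512 is an assumption derived from signing.keySize=512 (adjust as needed).
EXPECTED_SIGN_ALG = "HS512"
EXPECTED_ENC = "A128CBC-HS256"


def _b64url_decode(segment: str) -> bytes:
    """Decode the unpadded base64url used in JOSE compact serializations."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def describe_jose(token: str) -> dict:
    """Classify a compact serialization as JWS (3 segments) or JWE (5 segments)
    and return its protected header fields; nothing is verified or decrypted."""
    parts = token.split(".")
    if len(parts) not in (3, 5):
        raise ValueError(f"not a JOSE compact serialization: {len(parts)} segments")
    header = json.loads(_b64url_decode(parts[0]))
    return {
        "type": "JWS" if len(parts) == 3 else "JWE",
        "alg": header.get("alg"),
        "enc": header.get("enc"),
        "parts": parts,
    }


def inspect_cas_ticket(token: str) -> dict:
    """Report whether a CAS token/JWT ticket is signed and encrypted.

    Layout follows the poster's jose4j code: the outer object is a JWS whose
    payload is the JWE compact serialization. A JWS carrying plain JSON claims
    means encryption is off; a bare JWE means signing is off.
    """
    outer = describe_jose(token)
    report = {"signed": False, "encrypted": False, "outer": outer["type"], "warnings": []}

    if outer["type"] == "JWS":
        report["signed"] = outer["alg"] not in (None, "none")
        if not report["signed"]:
            report["warnings"].append("outer JWS has alg=none: ticket is not signed")
        elif outer["alg"] != EXPECTED_SIGN_ALG:
            report["warnings"].append(f"unexpected signing alg {outer['alg']!r}")
        payload = _b64url_decode(outer["parts"][1]).decode("utf-8")
        if payload.lstrip().startswith("{"):
            report["warnings"].append("JWS payload is plain claims: ticket is not encrypted")
        else:
            inner = describe_jose(payload)
            if inner["type"] != "JWE":
                report["warnings"].append("nested object is not a JWE")
            else:
                report["encrypted"] = True
                if inner["enc"] != EXPECTED_ENC:
                    report["warnings"].append(f"unexpected content encryption {inner['enc']!r}")
    else:
        report["encrypted"] = True
        report["warnings"].append("outer object is a bare JWE: ticket is not signed")
        if outer["enc"] != EXPECTED_ENC:
            report["warnings"].append(f"unexpected content encryption {outer['enc']!r}")
    return report


# --- Constructed sample tokens: dummy bytes, no real keys, only the structure matters ---

def _compact(header: dict, *segments: bytes) -> str:
    return ".".join([_b64url_encode(json.dumps(header).encode())]
                    + [_b64url_encode(s) for s in segments])


# Inner JWE with direct symmetric-key use ("dir": empty encrypted-key segment),
# followed by IV, ciphertext and authentication tag placeholders.
_INNER_JWE = _compact({"alg": "dir", "enc": "A128CBC-HS256"},
                      b"", b"\x00" * 16, b"\x11" * 32, b"\x22" * 16)

SIGNED_AND_ENCRYPTED = _compact({"alg": "HS512"}, _INNER_JWE.encode(), b"\x33" * 64)
SIGNED_ONLY = _compact({"alg": "HS512"},
                       json.dumps({"sub": "alice", "iat": 1559659276}).encode(), b"\x33" * 64)
ENCRYPTED_ONLY = _INNER_JWE

if __name__ == "__main__":
    for name, tok in [("signed+encrypted", SIGNED_AND_ENCRYPTED),
                      ("signed only", SIGNED_ONLY),
                      ("encrypted only", ENCRYPTED_ONLY)]:
        print(name, inspect_cas_ticket(tok))
```

Pass a real ticket string to inspect_cas_ticket to see which layers your running CAS actually applies. Because JOSE headers are readable without any key, this tells you about the cipher configuration in effect, not whether a given ticket is valid; verification and decryption still belong to the jose4j code above.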