Encryption is enabled by default, causing problems if no secret is set
----------------------------------------------------------------------

                 Key: MYFACES-1786
                 URL: https://issues.apache.org/jira/browse/MYFACES-1786
             Project: MyFaces Core
          Issue Type: Bug
          Components: General
    Affects Versions:  1.2.0, 1.2.1-SNAPSHOT
         Environment: Any
            Reporter: Jon Harley
            Priority: Minor


According to the documentation of org.apache.myfaces.util.StateUtils "To enable 
encryption, a secret must be provided. StateUtils looks first for the 
org.apache.myfaces.secret init param, then system properties. If a secret 
cannot be located, encryption is not used."

This is the correct behaviour but in fact the isSecure() method of that class 
includes:

return ! "false".equals(ctx.getInitParameter(USE_ENCRYPTION));

This enables encryption in ALL cases except where the init parameter is PRESENT 
and EQUAL to "false". For example if it is absent, encryption is enabled. It 
looks as though a secret is then generated.

This causes a problem because if the web container is restarted, a new secret 
is generated. Existing users who then submit any view encoded with the old 
secret hit an exception in the restore view phase which looks like this, at 
least in my environment:

javax.faces.FacesException: javax.crypto.BadPaddingException: Given final block not properly padded
        at org.apache.myfaces.shared_impl.util.StateUtils.symmetric(StateUtils.java:370)
        at org.apache.myfaces.shared_impl.util.StateUtils.symmetric(StateUtils.java:408)
        at org.apache.myfaces.shared_impl.util.StateUtils.decrypt(StateUtils.java:288)
        at org.apache.myfaces.shared_impl.util.StateUtils.reconstruct(StateUtils.java:237)
        at org.apache.myfaces.renderkit.html.HtmlResponseStateManager.getTreeStructureToRestore(HtmlResponseStateManager.java:129)
        at javax.faces.render.ResponseStateManager.getState(ResponseStateManager.java:81)
        at org.apache.myfaces.application.jsp.JspStateManagerImpl.restoreView(JspStateManagerImpl.java:283)
        at org.ajax4jsf.framework.ajax.AjaxStateManager.restoreView(AjaxStateManager.java:83)
        at org.apache.myfaces.application.jsp.JspViewHandlerImpl.restoreView(JspViewHandlerImpl.java:354)
        at com.sun.facelets.FaceletViewHandler.restoreView(FaceletViewHandler.java:317)
        at org.ajax4jsf.framework.ViewHandlerWrapper.restoreView(ViewHandlerWrapper.java:116)
        at org.ajax4jsf.framework.ajax.AjaxViewHandler.restoreView(AjaxViewHandler.java:147)
        at org.jenia.faces.template.handler.ViewHandler.restoreView(ViewHandler.java:263)
        at com.sun.facelets.FaceletViewHandler.restoreView(FaceletViewHandler.java:317)
        at org.ajax4jsf.framework.ViewHandlerWrapper.restoreView(ViewHandlerWrapper.java:116)
        at org.ajax4jsf.framework.ajax.AjaxViewHandler.restoreView(AjaxViewHandler.java:147)
        at org.apache.myfaces.lifecycle.RestoreViewExecutor.execute(RestoreViewExecutor.java:85)
        at org.apache.myfaces.lifecycle.LifecycleImpl.executePhase(LifecycleImpl.java:95)
        at org.apache.myfaces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:70)
        at javax.faces.webapp.FacesServlet.service(FacesServlet.java:137)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.ajax4jsf.framework.ajax.xmlfilter.BaseXMLFilter.doXmlFilter(BaseXMLFilter.java:96)
        at org.ajax4jsf.framework.ajax.xmlfilter.BaseFilter.doFilter(BaseFilter.java:220)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.apache.myfaces.webapp.filter.ExtensionsFilter.doFilter(ExtensionsFilter.java:147)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at net.parkplatz.rr.webframework.Doorkeeper.doFilter(Doorkeeper.java:185)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.springframework.orm.jdo.support.OpenPersistenceManagerInViewFilter.doFilterInternal(OpenPersistenceManagerInViewFilter.java:106)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:77)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.netbeans.modules.web.monitor.server.MonitorFilter.doFilter(MonitorFilter.java:390)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:263)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:584)
        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
        at java.lang.Thread.run(Thread.java:619)
Caused by: javax.crypto.BadPaddingException: Given final block not properly padded
        at com.sun.crypto.provider.SunJCE_f.b(DashoA13*..)
        at com.sun.crypto.provider.SunJCE_f.b(DashoA13*..)
        at com.sun.crypto.provider.DESCipher.engineDoFinal(DashoA13*..)
        at javax.crypto.Cipher.doFinal(DashoA13*..)
        at org.apache.myfaces.shared_impl.util.StateUtils.symmetric(StateUtils.java:366)
        ... 48 more
Caused by: javax.crypto.BadPaddingException: Given final block not properly padded
        at com.sun.crypto.provider.SunJCE_f.b(DashoA13*..)
        at com.sun.crypto.provider.SunJCE_f.b(DashoA13*..)
        at com.sun.crypto.provider.DESCipher.engineDoFinal(DashoA13*..)
        at javax.crypto.Cipher.doFinal(DashoA13*..)
        at org.apache.myfaces.shared_impl.util.StateUtils.symmetric(StateUtils.java:366)
        at org.apache.myfaces.shared_impl.util.StateUtils.symmetric(StateUtils.java:408)
        at org.apache.myfaces.shared_impl.util.StateUtils.decrypt(StateUtils.java:288)
        at org.apache.myfaces.shared_impl.util.StateUtils.reconstruct(StateUtils.java:237)
        at org.apache.myfaces.renderkit.html.HtmlResponseStateManager.getTreeStructureToRestore(HtmlResponseStateManager.java:129)
        at javax.faces.render.ResponseStateManager.getState(ResponseStateManager.java:81)
        at org.apache.myfaces.application.jsp.JspStateManagerImpl.restoreView(JspStateManagerImpl.java:283)
        at org.ajax4jsf.framework.ajax.AjaxStateManager.restoreView(AjaxStateManager.java:83)
        at org.apache.myfaces.application.jsp.JspViewHandlerImpl.restoreView(JspViewHandlerImpl.java:354)
        at com.sun.facelets.FaceletViewHandler.restoreView(FaceletViewHandler.java:317)
        at org.ajax4jsf.framework.ViewHandlerWrapper.restoreView(ViewHandlerWrapper.java:116)
        at org.ajax4jsf.framework.ajax.AjaxViewHandler.restoreView(AjaxViewHandler.java:147)
        at org.jenia.faces.template.handler.ViewHandler.restoreView(ViewHandler.java:263)
        at com.sun.facelets.FaceletViewHandler.restoreView(FaceletViewHandler.java:317)
        at org.ajax4jsf.framework.ViewHandlerWrapper.restoreView(ViewHandlerWrapper.java:116)
        at org.ajax4jsf.framework.ajax.AjaxViewHandler.restoreView(AjaxViewHandler.java:147)
        at org.apache.myfaces.lifecycle.RestoreViewExecutor.execute(RestoreViewExecutor.java:85)
        at org.apache.myfaces.lifecycle.LifecycleImpl.executePhase(LifecycleImpl.java:95)
        at org.apache.myfaces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:70)
        at javax.faces.webapp.FacesServlet.service(FacesServlet.java:137)

This was reported on the MyFaces users list using MyFaces 1.2.0 and is still 
present in 1.2.1-SNAPSHOT.

The fix is to correct the bug in the line from 
org.apache.myfaces.util.StateUtils.isSecure() quoted above, so that it reads:

return "true".equals(ctx.getInitParameter(USE_ENCRYPTION));

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

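The failure mode in the report, as an added example that is not part of the issue and not MyFaces code. The toy below models one container start as a ContainerInstance and the web.xml context init parameters as a Map, evaluates the init parameter with both the predicate quoted from isSecure() and the one the report proposes, and shows a view state saved before a restart failing to restore afterwards when no secret is configured. Assumptions: the string value of the USE_ENCRYPTION constant is not on the page and is made up here; the cipher is DES with PKCS5 padding because the trace shows DESCipher and a padding error, but the CBC mode, the zero IV and the Base64 encoding of the org.apache.myfaces.secret value are this example's own choices, not what StateUtils does; the class and method names (StateSecretDemo, ContainerInstance, saveState, restoreState, roundTripAcrossRestart) and the view-state string are constructed for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/**
 * Toy model of the failure described in MYFACES-1786 (not MyFaces code).
 * A ContainerInstance stands for one start of the web container; the Map
 * stands for the web.xml context init parameters that StateUtils reads.
 */
public class StateSecretDemo {

    // The report names the USE_ENCRYPTION constant but not its string value;
    // the value below is assumed. The secret parameter name is from the report.
    static final String USE_ENCRYPTION = "org.apache.myfaces.USE_ENCRYPTION";
    static final String SECRET = "org.apache.myfaces.secret";

    /** Predicate as quoted in the report: on unless the param is present and "false". */
    static boolean isSecureAsReported(Map<String, String> initParams) {
        return !"false".equals(initParams.get(USE_ENCRYPTION));
    }

    /** Predicate proposed in the report: on only when the param is present and "true". */
    static boolean isSecureAsProposed(Map<String, String> initParams) {
        return "true".equals(initParams.get(USE_ENCRYPTION));
    }

    static class ContainerInstance {
        final SecretKey key;  // null: view state is written in the clear

        ContainerInstance(Map<String, String> initParams, boolean reportedPredicate)
                throws GeneralSecurityException {
            boolean secure = reportedPredicate ? isSecureAsReported(initParams)
                                               : isSecureAsProposed(initParams);
            String secret = initParams.get(SECRET);           // init param first,
            if (secret == null) secret = System.getProperty(SECRET);  // then system property
            if (!secure) {
                key = null;
            } else if (secret != null) {
                key = new SecretKeySpec(Base64.getDecoder().decode(secret), "DES");
            } else {
                // No secret configured anywhere: generate one. Every container
                // start gets a different key, which is what the report describes.
                key = KeyGenerator.getInstance("DES").generateKey();
            }
        }

        // DES/PKCS5 because the trace shows DESCipher and a padding error; the
        // CBC mode and the fixed zero IV are this toy's choices, not StateUtils's.
        private Cipher cipher(int mode) throws GeneralSecurityException {
            Cipher c = Cipher.getInstance("DES/CBC/PKCS5Padding");
            c.init(mode, key, new IvParameterSpec(new byte[8]));
            return c;
        }

        byte[] saveState(String viewState) throws GeneralSecurityException {
            byte[] plain = viewState.getBytes(StandardCharsets.UTF_8);
            return key == null ? plain : cipher(Cipher.ENCRYPT_MODE).doFinal(plain);
        }

        /** Throws BadPaddingException when the state was encrypted under another key
         *  (about 255 times in 256; otherwise the garbage happens to end in valid padding). */
        String restoreState(byte[] saved) throws GeneralSecurityException {
            byte[] plain = key == null ? saved : cipher(Cipher.DECRYPT_MODE).doFinal(saved);
            return new String(plain, StandardCharsets.UTF_8);
        }
    }

    /** Save state on one instance, restart (new instance, same config), try to restore. */
    static void roundTripAcrossRestart(String label, Map<String, String> params, boolean reported) {
        try {
            ContainerInstance before = new ContainerInstance(params, reported);
            byte[] saved = before.saveState("viewId=/login.jsp;tree=constructed-sample"); // constructed
            ContainerInstance afterRestart = new ContainerInstance(params, reported);
            System.out.println(label + ": restored '" + afterRestart.restoreState(saved) + "'");
        } catch (BadPaddingException e) {
            System.out.println(label + ": " + e);
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) throws GeneralSecurityException {
        Map<String, String> noParams = new HashMap<>();   // neither USE_ENCRYPTION nor a secret set
        Map<String, String> withSecret = new HashMap<>(); // secret pinned in config
        withSecret.put(SECRET, Base64.getEncoder().encodeToString(
                KeyGenerator.getInstance("DES").generateKey().getEncoded()));

        roundTripAcrossRestart("no params, reported predicate", noParams, true);        // BadPaddingException
        roundTripAcrossRestart("no params, proposed predicate", noParams, false);       // plaintext, restores
        roundTripAcrossRestart("explicit secret, reported predicate", withSecret, true); // restores
    }
}
```

Two things worth noting when reading the output. First, the third case shows the operational workaround the StateUtils documentation quoted in the report already implies: once org.apache.myfaces.secret is set, every start (and every node behind a load balancer) derives the same key, so encrypted state survives a restart regardless of which predicate isSecure() uses. Second, the BadPaddingException is only a probabilistic signal of a key mismatch; roughly one decryption in 256 under the wrong key ends in bytes that look like valid PKCS5 padding and returns garbage instead of throwing, so the restore-view phase cannot rely on the exception alone to detect state encrypted under a stale key. DES appears here only because the trace shows it; it is not a cipher to choose for new designs.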