[
https://issues.apache.org/jira/browse/MYFACES-1786?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12663778#action_12663778
]
Simon Kitching commented on MYFACES-1786:
-----------------------------------------
I don't believe this is a bug at all. IMO, state *should* be encrypted by
default; no system should default to being insecure.
And it also seems reasonable that when the secret is auto-generated then it
should be regenerated on restart. In fact, there is no obvious alternative; I
can't think of anywhere to store app-scope data over a webserver restart.
The real solution here seems for people to just define a constant secret for
their webapp, ie define init-parameter
org.apache.myfaces.SECRET
in the web.xml file.
Possibly a WARN message could be output in the startup logs to tell
administrators to set that property in web.xml.
> Encryption is enabled by default, causing problems if no secret is set
> ----------------------------------------------------------------------
>
> Key: MYFACES-1786
> URL: https://issues.apache.org/jira/browse/MYFACES-1786
> Project: MyFaces Core
> Issue Type: Bug
> Components: General
> Affects Versions: 1.2.0, 1.2.1-SNAPSHOT
> Environment: Any
> Reporter: Jon Harley
> Priority: Minor
>
> According to the documentation of org.apache.myfaces.util.StateUtils "To
> enable encryption, a secret must be provided. StateUtils looks first for the
> org.apache.myfaces.secret init param, then system properties. If a secret
> cannot be located, encryption is not used."
> This is the correct behaviour but in fact the isSecure() method of that class
> includes:
> return ! "false".equals(ctx.getInitParameter(USE_ENCRYPTION));
> This enables encryption in ALL cases except where the init parameter is
> PRESENT and EQUAL to "false". For example if it is absent, encryption is
> enabled. It looks as though a secret is then generated.
> This causes a problem because if the web container is restarted, a new secret
> is generated. Existing users who then submit any view encoded with the old
> secret hit an exception in the restore view phase which looks like this, at
> least in my environment:
> javax.faces.FacesException: javax.crypto.BadPaddingException: Given final block not properly padded
> at org.apache.myfaces.shared_impl.util.StateUtils.symmetric(StateUtils.java:370)
> at org.apache.myfaces.shared_impl.util.StateUtils.symmetric(StateUtils.java:408)
> at org.apache.myfaces.shared_impl.util.StateUtils.decrypt(StateUtils.java:288)
> at org.apache.myfaces.shared_impl.util.StateUtils.reconstruct(StateUtils.java:237)
> at org.apache.myfaces.renderkit.html.HtmlResponseStateManager.getTreeStructureToRestore(HtmlResponseStateManager.java:129)
> at javax.faces.render.ResponseStateManager.getState(ResponseStateManager.java:81)
> at org.apache.myfaces.application.jsp.JspStateManagerImpl.restoreView(JspStateManagerImpl.java:283)
> at org.ajax4jsf.framework.ajax.AjaxStateManager.restoreView(AjaxStateManager.java:83)
> at org.apache.myfaces.application.jsp.JspViewHandlerImpl.restoreView(JspViewHandlerImpl.java:354)
> at com.sun.facelets.FaceletViewHandler.restoreView(FaceletViewHandler.java:317)
> at org.ajax4jsf.framework.ViewHandlerWrapper.restoreView(ViewHandlerWrapper.java:116)
> at org.ajax4jsf.framework.ajax.AjaxViewHandler.restoreView(AjaxViewHandler.java:147)
> at org.jenia.faces.template.handler.ViewHandler.restoreView(ViewHandler.java:263)
> at com.sun.facelets.FaceletViewHandler.restoreView(FaceletViewHandler.java:317)
> at org.ajax4jsf.framework.ViewHandlerWrapper.restoreView(ViewHandlerWrapper.java:116)
> at org.ajax4jsf.framework.ajax.AjaxViewHandler.restoreView(AjaxViewHandler.java:147)
> at org.apache.myfaces.lifecycle.RestoreViewExecutor.execute(RestoreViewExecutor.java:85)
> at org.apache.myfaces.lifecycle.LifecycleImpl.executePhase(LifecycleImpl.java:95)
> at org.apache.myfaces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:70)
> at javax.faces.webapp.FacesServlet.service(FacesServlet.java:137)
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
> at org.ajax4jsf.framework.ajax.xmlfilter.BaseXMLFilter.doXmlFilter(BaseXMLFilter.java:96)
> at org.ajax4jsf.framework.ajax.xmlfilter.BaseFilter.doFilter(BaseFilter.java:220)
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
> at org.apache.myfaces.webapp.filter.ExtensionsFilter.doFilter(ExtensionsFilter.java:147)
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
> at net.parkplatz.rr.webframework.Doorkeeper.doFilter(Doorkeeper.java:185)
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
> at org.springframework.orm.jdo.support.OpenPersistenceManagerInViewFilter.doFilterInternal(OpenPersistenceManagerInViewFilter.java:106)
> at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:77)
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
> at org.netbeans.modules.web.monitor.server.MonitorFilter.doFilter(MonitorFilter.java:390)
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
> at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
> at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
> at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
> at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
> at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
> at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:263)
> at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
> at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:584)
> at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
> at java.lang.Thread.run(Thread.java:619)
> Caused by: javax.crypto.BadPaddingException: Given final block not properly padded
> at com.sun.crypto.provider.SunJCE_f.b(DashoA13*..)
> at com.sun.crypto.provider.SunJCE_f.b(DashoA13*..)
> at com.sun.crypto.provider.DESCipher.engineDoFinal(DashoA13*..)
> at javax.crypto.Cipher.doFinal(DashoA13*..)
> at org.apache.myfaces.shared_impl.util.StateUtils.symmetric(StateUtils.java:366)
> ... 48 more
> Caused by: javax.crypto.BadPaddingException: Given final block not properly padded
> at com.sun.crypto.provider.SunJCE_f.b(DashoA13*..)
> at com.sun.crypto.provider.SunJCE_f.b(DashoA13*..)
> at com.sun.crypto.provider.DESCipher.engineDoFinal(DashoA13*..)
> at javax.crypto.Cipher.doFinal(DashoA13*..)
> at org.apache.myfaces.shared_impl.util.StateUtils.symmetric(StateUtils.java:366)
> at org.apache.myfaces.shared_impl.util.StateUtils.symmetric(StateUtils.java:408)
> at org.apache.myfaces.shared_impl.util.StateUtils.decrypt(StateUtils.java:288)
> at org.apache.myfaces.shared_impl.util.StateUtils.reconstruct(StateUtils.java:237)
> at org.apache.myfaces.renderkit.html.HtmlResponseStateManager.getTreeStructureToRestore(HtmlResponseStateManager.java:129)
> at javax.faces.render.ResponseStateManager.getState(ResponseStateManager.java:81)
> at org.apache.myfaces.application.jsp.JspStateManagerImpl.restoreView(JspStateManagerImpl.java:283)
> at org.ajax4jsf.framework.ajax.AjaxStateManager.restoreView(AjaxStateManager.java:83)
> at org.apache.myfaces.application.jsp.JspViewHandlerImpl.restoreView(JspViewHandlerImpl.java:354)
> at com.sun.facelets.FaceletViewHandler.restoreView(FaceletViewHandler.java:317)
> at org.ajax4jsf.framework.ViewHandlerWrapper.restoreView(ViewHandlerWrapper.java:116)
> at org.ajax4jsf.framework.ajax.AjaxViewHandler.restoreView(AjaxViewHandler.java:147)
> at org.jenia.faces.template.handler.ViewHandler.restoreView(ViewHandler.java:263)
> at com.sun.facelets.FaceletViewHandler.restoreView(FaceletViewHandler.java:317)
> at org.ajax4jsf.framework.ViewHandlerWrapper.restoreView(ViewHandlerWrapper.java:116)
> at org.ajax4jsf.framework.ajax.AjaxViewHandler.restoreView(AjaxViewHandler.java:147)
> at org.apache.myfaces.lifecycle.RestoreViewExecutor.execute(RestoreViewExecutor.java:85)
> at org.apache.myfaces.lifecycle.LifecycleImpl.executePhase(LifecycleImpl.java:95)
> at org.apache.myfaces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:70)
> at javax.faces.webapp.FacesServlet.service(FacesServlet.java:137)
> This was reported on the MyFaces users list using MyFaces 1.2.0 and is still
> present in 1.2.1-SNAPSHOT
> The fix is to correct the bug in the line from
> org.apache.myfaces.util.StateUtils.isSecure() quoted above, so that it reads:
> return "true".equals(ctx.getInitParameter(USE_ENCRYPTION));
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
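The failure mode in the quoted report and the fix suggested in the comment (a constant org.apache.myfaces.SECRET in web.xml), shown with an added stand-alone example that is not MyFaces code: a hypothetical state codec whose key comes either from a configured secret or, when none is set, from a random value drawn at "startup". It assumes AES/CBC with PKCS5 padding rather than the DES cipher in the trace, a SHA-256 key derivation, and a constructed sample state string.

```java
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;

public class StateSecretDemo {
    private static final SecureRandom RNG = new SecureRandom();
    /** Key from the configured secret, or a fresh random one when none is set. */
    static byte[] resolveKey(String configuredSecret) throws Exception {
        byte[] seed = new byte[16];
        if (configuredSecret != null) seed = configuredSecret.getBytes(StandardCharsets.UTF_8);
        else RNG.nextBytes(seed);               // auto-generated: lost on every restart
        // Hypothetical derivation: hash the secret down to a 128-bit AES key.
        return Arrays.copyOf(MessageDigest.getInstance("SHA-256").digest(seed), 16);
    }
    static String encryptState(byte[] key, String state) throws Exception {
        byte[] iv = new byte[16];
        RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new IvParameterSpec(iv));
        byte[] ct = c.doFinal(state.getBytes(StandardCharsets.UTF_8));
        byte[] out = Arrays.copyOf(iv, 16 + ct.length);
        System.arraycopy(ct, 0, out, 16, ct.length);   // token = IV || ciphertext
        return Base64.getEncoder().encodeToString(out);
    }
    static String decryptState(byte[] key, String token) throws Exception {
        byte[] in = Base64.getDecoder().decode(token);
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"),
               new IvParameterSpec(Arrays.copyOf(in, 16)));
        return new String(c.doFinal(in, 16, in.length - 16), StandardCharsets.UTF_8);
    }
    public static void main(String[] args) throws Exception {
        String state = "viewId=/home.jsp;tree=(constructed sample)";
        String token = encryptState(resolveKey(null), state);   // run 1: no SECRET set
        try {                                                    // run 2, after a restart
            System.out.println("unexpected: " + decryptState(resolveKey(null), token));
        } catch (BadPaddingException e) {   // as in the quoted trace (rarely, garbage instead)
            System.out.println("restart without SECRET -> " + e.getMessage());
        }
        byte[] k = resolveKey("long-random-value-from-web-xml");  // constant SECRET
        System.out.println("constant SECRET -> " + decryptState(k, encryptState(k, state)));
    }
}
```

A token from the first run fails the padding check under the second run's regenerated key, which is the symptom users hit after a container restart; with the same configured secret on both sides the state round-trips.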