Robert Munteanu created SLING-9433:
--------------------------------------
Summary: Do not log stack trace in case of cookies with no match in the token store
Key: SLING-9433
URL: https://issues.apache.org/jira/browse/SLING-9433
Project: Sling
Issue Type: Improvement
Components: Authentication
Reporter: Robert Munteanu
Assignee: Robert Munteanu
Fix For: Form Based Authentication 1.0.20
When a cookie does not have a match in the token store, a stack trace is logged
at error level:
{noformat}
08.05.2020 14:21:42.991 *ERROR* [qtp804599815-226] org.apache.sling.auth.form.impl.TokenStore No installed provider supports this key: (null)
java.security.InvalidKeyException: No installed provider supports this key: (null)
    at java.base/javax.crypto.Mac.chooseProvider(Mac.java:392)
    at java.base/javax.crypto.Mac.init(Mac.java:435)
    at org.apache.sling.auth.form.impl.TokenStore.encode(TokenStore.java:174) [org.apache.sling.auth.form:1.0.19.SNAPSHOT]
    at org.apache.sling.auth.form.impl.TokenStore.isValid(TokenStore.java:229) [org.apache.sling.auth.form:1.0.19.SNAPSHOT]
    at org.apache.sling.auth.form.impl.FormAuthenticationHandler.extractCredentials(FormAuthenticationHandler.java:195) [org.apache.sling.auth.form:1.0.19.SNAPSHOT]
{noformat}
(snip)
This is easily preventable, as we should not be passing a null {{SecretKey}}
further. Instead, we should log an ERROR and consider the cookie as invalid.
Steps to reproduce:
1. Start up Sling Starter
2. Log in
3. Stop Sling Starter
4. Remove sling directory
5. Start Sling Starter
6. Visit front page
Alternatively, save a Sling login cookie ( sling.formauth=... ) and send it via
a curl call to a fresh instance of Sling.
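Added example, not part of the original report and not the Sling project's code: a Java illustration of the guard the report asks for, where a cookie that references a key missing from the token store is rejected with a single ERROR line before the null key reaches `Mac.init`. The class name, the `<slot>@<payload>@<hmac>` cookie layout, the `HmacSHA256` algorithm and the two-slot key array are assumptions made for the example.

```java
import javax.crypto.Mac;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.logging.Logger;

public class NullKeyGuardExample {
    private static final Logger LOG = Logger.getLogger("NullKeyGuardExample");
    private static final String ALG = "HmacSHA256"; // assumed algorithm
    // Hypothetical key ring: slot 1 stays null, as after the store directory was removed.
    private final SecretKey[] keys = new SecretKey[2];
    NullKeyGuardExample() {
        keys[0] = new SecretKeySpec("constructed-demo-key".getBytes(StandardCharsets.UTF_8), ALG);
    }
    String sign(int slot, String payload) throws GeneralSecurityException {
        Mac mac = Mac.getInstance(ALG);
        mac.init(keys[slot]); // a null key here throws InvalidKeyException, as in the report
        byte[] tag = mac.doFinal(payload.getBytes(StandardCharsets.UTF_8));
        return Base64.getUrlEncoder().withoutPadding().encodeToString(tag);
    }

    // Assumed cookie layout for this example: <slot>@<payload>@<hmac>
    boolean isValid(String cookie) {
        String[] parts = cookie == null ? new String[0] : cookie.split("@", 3);
        if (parts.length != 3) return false;
        try {
            int slot = Integer.parseInt(parts[0]);
            if (slot < 0 || slot >= keys.length || keys[slot] == null) {
                LOG.severe("Rejecting cookie: no key in token store for slot " + slot);
                return false; // one ERROR line, no stack trace, cookie treated as invalid
            }
            byte[] expected = sign(slot, parts[1]).getBytes(StandardCharsets.UTF_8);
            return MessageDigest.isEqual(expected, parts[2].getBytes(StandardCharsets.UTF_8));
        } catch (NumberFormatException | GeneralSecurityException e) {
            LOG.severe("Rejecting cookie: malformed or unverifiable"); // fixed text, no cookie data
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        NullKeyGuardExample store = new NullKeyGuardExample();
        String good = "0@alice@" + store.sign(0, "alice"); // constructed sample cookie
        // The second cookie points at the empty slot, like a cookie from a wiped instance.
        System.out.println(store.isValid(good) + " " + store.isValid("1@alice@stale"));
    }
}
```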