Again I don't see the exception caught at
try {
value = getCrypt().decryptUrlSafe(value);
} catch (RuntimeException e) {
to be logged in your version of the class.
As I said failing at decryption is something to be expected. I think the
logged message should be DEBUG, not INFO.
There are changes in Wicket related to better security that will lead to
forced logout after upgrading to 6.19.0:
[WICKET-5775] - Replace the session upon successful signin for better
support for Session Fixation
[WICKET-5756] - Allow to use custom ciphers when using SunJceCrypt class
Martin Grigorov
Wicket Training and Consulting
https://twitter.com/mtgrigorov
On Wed, Jan 28, 2015 at 9:57 AM, Maxim Solodovnik <[email protected]>
wrote:
> Hello Martin!
>
> Actually I'm using modified AuthStrategy (to be able to handle additional
> parameter) [1]
> It was copied from DefaultAuthenticationStrategy
>
> I'll check the code ant will try to find what was changed (maybe my code is
> bad)
>
> [1]
>
> https://svn.apache.org/repos/asf/openmeetings/branches/3.0.x/src/web/java/org/apache/openmeetings/web/app/OmAuthenticationStrategy.java
>
> On Wed, Jan 28, 2015 at 1:49 PM, Martin Grigorov <[email protected]>
> wrote:
>
> > Hi Maxim,
> >
> > I wasn't able to reproduce the problem.
> > Additionally I think it is a normal use
> > case.
> >
> org.apache.wicket.authentication.strategy.DefaultAuthenticationStrategy#load()
> > [1] catches RuntimeException, logs an INFO message explaining why it may
> > happen and removes the cookie. I am not sure why you see this exception
> > stack trace. It is not logged by Wicket, or at least I don't see where.
> >
> > 1.
> >
> >
> https://github.com/apache/wicket/blob/wicket-6.x/wicket-core/src/main/java/org/apache/wicket/authentication/strategy/DefaultAuthenticationStrategy.java#L101
> >
> > Martin Grigorov
> > Wicket Training and Consulting
> > https://twitter.com/mtgrigorov
> >
> > On Tue, Jan 27, 2015 at 6:52 PM, Maxim Solodovnik <[email protected]>
> > wrote:
> >
> > > Hello Martijn,
> > >
> > > It seems like "Remember log in" feature is not working anymore.
> > >
> > > Steps:
> > > 1) Save login/password in cookies
> > > 2) delete JSESSIONID cookie
> > > 3) reload page
> > > Result: no login prompt
> > >
> > > 1) stop tomcat
> > > 2) start tomcat
> > > 3) reload page
> > > Result: exception [1] in the logs + login prompt
> > >
> > > it was working in 6.18.0 .... did I miss to update some dependencies or
> > > something broken?
> > >
> > >
> > > [1] java.lang.RuntimeException: Unable to decrypt the text '�� �!��@ ��
> > > {�� ��y4 ��x�MJ� ������}]'
> > > at
> > >
> > >
> >
> org.apache.wicket.util.crypt.AbstractCrypt.decryptByteArray(AbstractCrypt.java:154)
> > > ~[wicket-util-6.19.0.jar:6.19.0]
> > > at
> > >
> > >
> >
> org.apache.wicket.util.crypt.AbstractCrypt.decryptUrlSafe(AbstractCrypt.java:66)
> > > ~[wicket-util-6.19.0.jar:6.19.0]
> > > at
> > >
> > >
> >
> org.apache.openmeetings.web.app.OmAuthenticationStrategy.load(OmAuthenticationStrategy.java:50)
> > > [openmeetings-web-3.0.4-SNAPSHOT.jar:na]
> > > at
> > >
> >
> org.apache.openmeetings.web.app.WebSession.isSignedIn(WebSession.java:174)
> > > [openmeetings-web-3.0.4-SNAPSHOT.jar:na]
> > > at
> > >
> > >
> >
> org.apache.openmeetings.web.pages.auth.SignInDialog$SignInForm.<init>(SignInDialog.java:219)
> > > [openmeetings-web-3.0.4-SNAPSHOT.jar:na]
> > > at
> > >
> > >
> >
> org.apache.openmeetings.web.pages.auth.SignInDialog.<init>(SignInDialog.java:92)
> > > [openmeetings-web-3.0.4-SNAPSHOT.jar:na]
> > > at
> > >
> > >
> >
> org.apache.openmeetings.web.pages.auth.SignInPage.<init>(SignInPage.java:127)
> > > [openmeetings-web-3.0.4-SNAPSHOT.jar:na]
> > > at
> > >
> > >
> >
> org.apache.openmeetings.web.pages.auth.SignInPage.<init>(SignInPage.java:136)
> > > [openmeetings-web-3.0.4-SNAPSHOT.jar:na]
> > > at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native
> Method)
> > > [na:1.7.0_76]
> > > at
> > >
> > >
> >
> sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
> > > [na:1.7.0_76]
> > > at
> > >
> > >
> >
> sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
> > > [na:1.7.0_76]
> > > at java.lang.reflect.Constructor.newInstance(Constructor.java:526)
> > > [na:1.7.0_76]
> > > at
> > >
> > >
> >
> org.apache.wicket.session.DefaultPageFactory.newPage(DefaultPageFactory.java:175)
> > > [wicket-core-6.19.0.jar:6.19.0]
> > > at
> > >
> > >
> >
> org.apache.wicket.session.DefaultPageFactory.newPage(DefaultPageFactory.java:67)
> > > [wicket-core-6.19.0.jar:6.19.0]
> > > at
> > >
> > >
> >
> org.apache.wicket.DefaultMapperContext.newPageInstance(DefaultMapperContext.java:133)
> > > [wicket-core-6.19.0.jar:6.19.0]
> > > at
> > >
> > >
> >
> org.apache.wicket.core.request.handler.PageProvider.resolvePageInstance(PageProvider.java:268)
> > > [wicket-core-6.19.0.jar:6.19.0]
> > > at
> > >
> > >
> >
> org.apache.wicket.core.request.handler.PageProvider.getPageInstance(PageProvider.java:166)
> > > [wicket-core-6.19.0.jar:6.19.0]
> > > at
> > >
> > >
> >
> org.apache.wicket.request.handler.render.PageRenderer.getPage(PageRenderer.java:78)
> > > [wicket-core-6.19.0.jar:6.19.0]
> > > at
> > >
> > >
> >
> org.apache.wicket.request.handler.render.WebPageRenderer.respond(WebPageRenderer.java:279)
> > > [wicket-core-6.19.0.jar:6.19.0]
> > > at
> > >
> > >
> >
> org.apache.wicket.core.request.handler.RenderPageRequestHandler.respond(RenderPageRequestHandler.java:175)
> > > [wicket-core-6.19.0.jar:6.19.0]
> > > at
> > >
> > >
> >
> org.apache.wicket.request.cycle.RequestCycle$HandlerExecutor.respond(RequestCycle.java:890)
> > > [wicket-core-6.19.0.jar:6.19.0]
> > > at
> > >
> > >
> >
> org.apache.wicket.request.RequestHandlerStack.execute(RequestHandlerStack.java:64)
> > > [wicket-request-6.19.0.jar:6.19.0]
> > > at
> > >
> >
> org.apache.wicket.request.cycle.RequestCycle.execute(RequestCycle.java:261)
> > > [wicket-core-6.19.0.jar:6.19.0]
> > > at
> > >
> > >
> >
> org.apache.wicket.request.cycle.RequestCycle.processRequest(RequestCycle.java:218)
> > > [wicket-core-6.19.0.jar:6.19.0]
> > > at
> > >
> > >
> >
> org.apache.wicket.request.cycle.RequestCycle.processRequestAndDetach(RequestCycle.java:289)
> > > [wicket-core-6.19.0.jar:6.19.0]
> > > at
> > >
> > >
> >
> org.apache.wicket.protocol.ws.AbstractUpgradeFilter.processRequestCycle(AbstractUpgradeFilter.java:59)
> > > [wicket-native-websocket-core-6.19.0.jar:6.19.0]
> > > at
> > >
> > >
> >
> org.apache.wicket.protocol.http.WicketFilter.processRequest(WicketFilter.java:201)
> > > [wicket-core-6.19.0.jar:6.19.0]
> > > at
> > >
> > >
> >
> org.apache.wicket.protocol.http.WicketFilter.doFilter(WicketFilter.java:282)
> > > [wicket-core-6.19.0.jar:6.19.0]
> > > at
> > >
> > >
> >
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
> > > [tomcat-embed-core.jar:7.0.57]
> > > at
> > >
> > >
> >
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
> > > [tomcat-embed-core.jar:7.0.57]
> > > at
> > >
> >
> org.red5.logging.LoggerContextFilter.doFilter(LoggerContextFilter.java:77)
> > > [red5-server.jar:1.0.4-RELEASE]
> > > at
> > >
> > >
> >
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
> > > [tomcat-embed-core.jar:7.0.57]
> > > at
> > >
> > >
> >
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
> > > [tomcat-embed-core.jar:7.0.57]
> > > at
> > >
> > >
> >
> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
> > > [tomcat-embed-core.jar:7.0.57]
> > > at
> > >
> > >
> >
> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
> > > [tomcat-embed-core.jar:7.0.57]
> > > at
> > >
> > >
> >
> org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:503)
> > > [tomcat-embed-core.jar:7.0.57]
> > > at
> > >
> > >
> >
> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
> > > [tomcat-embed-core.jar:7.0.57]
> > > at
> > >
> > >
> >
> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
> > > [tomcat-embed-core.jar:7.0.57]
> > > at
> > >
> org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
> > > [tomcat-embed-core.jar:7.0.57]
> > > at
> > >
> > >
> >
> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
> > > [tomcat-embed-core.jar:7.0.57]
> > > at
> > >
> >
> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:421)
> > > [tomcat-embed-core.jar:7.0.57]
> > > at
> > >
> > >
> >
> org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1070)
> > > [tomcat-embed-core.jar:7.0.57]
> > > at
> > >
> > >
> >
> org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)
> > > [tomcat-embed-core.jar:7.0.57]
> > > at
> > >
> > >
> >
> org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1736)
> > > [tomcat-embed-core.jar:7.0.57]
> > > at
> > >
> > >
> >
> org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1695)
> > > [tomcat-embed-core.jar:7.0.57]
> > > at
> > >
> > >
> >
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
> > > [na:1.7.0_76]
> > > at
> > >
> > >
> >
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
> > > [na:1.7.0_76]
> > > at
> > >
> > >
> >
> org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
> > > [tomcat-embed-core.jar:7.0.57]
> > > at java.lang.Thread.run(Thread.java:745) [na:1.7.0_76]
> > > Caused by: javax.crypto.BadPaddingException: Given final block not
> > properly
> > > padded
> > > at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:811)
> > > ~[sunjce_provider.jar:1.7.0_80]
> > > at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:676)
> > > ~[sunjce_provider.jar:1.7.0_80]
> > > at
> com.sun.crypto.provider.PBECipherCore.doFinal(PBECipherCore.java:422)
> > > ~[sunjce_provider.jar:1.7.0_80]
> > > at
> > >
> > >
> >
> com.sun.crypto.provider.PBEWithMD5AndDESCipher.engineDoFinal(PBEWithMD5AndDESCipher.java:316)
> > > ~[sunjce_provider.jar:1.7.0_80]
> > > at javax.crypto.Cipher.doFinal(Cipher.java:2087) ~[na:1.7.0_71]
> > > at org.apache.wicket.util.crypt.SunJceCrypt.crypt(SunJceCrypt.java:115)
> > > ~[wicket-util-6.19.0.jar:6.19.0]
> > > at
> > >
> > >
> >
> org.apache.wicket.util.crypt.AbstractCrypt.decryptByteArray(AbstractCrypt.java:150)
> > > ~[wicket-util-6.19.0.jar:6.19.0]
> > > ... 48 common frames omitted
> > >
> > >
> > > On Mon, Jan 26, 2015 at 6:37 PM, Tobias Soloschenko <
> > > [email protected]> wrote:
> > >
> > > > [+] Yes, release Apache Wicket 6.19.0
> > > >
> > > > kind regards
> > > >
> > > > Tobias
> > > >
> > > > > Am 26.01.2015 um 10:39 schrieb Martijn Dashorst <
> > > > [email protected]>:
> > > > >
> > > > > This is a vote to release Apache Wicket 6.19.0
> > > > >
> > > > > Please download the source distributions found in our staging area
> > > > > linked below.
> > > > >
> > > > > I have included the signatures for both the source archives. This
> > vote
> > > > > lasts for 72 hours minimum.
> > > > >
> > > > > [ ] Yes, release Apache Wicket 6.19.0
> > > > > [ ] No, don't release Apache Wicket 6.19.0, because ...
> > > > >
> > > > > Distributions, changelog, keys and signatures can be found at:
> > > > >
> > > > > https://dist.apache.org/repos/dist/dev/wicket/6.19.0
> > > > >
> > > > > Staging repository:
> > > > >
> > > > >
> > > >
> > https://repository.apache.org/content/repositories/orgapachewicket-1033/
> > > > >
> > > > > The binaries are available in the above link, as are a staging
> > > > > repository for Maven. Typically the vote is on the source, but
> should
> > > > > you find a problem with one of the binaries, please let me know, I
> > can
> > > > > re-roll them some way or the other.
> > > > >
> > > > >
> > > > >
> > >
> ========================================================================
> > > > >
> > > > > The signatures for the source release artefacts:
> > > > >
> > > > >
> > > > > Signature for apache-wicket-6.19.0.zip:
> > > > >
> > > > > -----BEGIN PGP SIGNATURE-----
> > > > > Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
> > > > > Comment: GPGTools - https://gpgtools.org
> > > > >
> > > > > iEYEABECAAYFAlTGCcIACgkQJBX8W/xy/UWvZACfWKgij/ptCo0iEnzpR/e0j9Nz
> > > > > mAsAn0NfQNOWEBtVMsQuCnwG+L6kqO28
> > > > > =tEEj
> > > > > -----END PGP SIGNATURE-----
> > > > >
> > > > > Signature for apache-wicket-6.19.0.tar.gz:
> > > > >
> > > > > -----BEGIN PGP SIGNATURE-----
> > > > > Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
> > > > > Comment: GPGTools - https://gpgtools.org
> > > > >
> > > > > iEYEABECAAYFAlTGCcIACgkQJBX8W/xy/UWqKwCgt9wLbuSjvAGwuO4E67KbXPhc
> > > > > /WAAnR1ZWxjr077abSwK2b77WM3nuwO4
> > > > > =9HPf
> > > > > -----END PGP SIGNATURE-----
> > > > >
> > > > >
> > >
> ========================================================================
> > > > >
> > > > > CHANGELOG for 6.19.0:
> > > > >
> > > > >
> > > > > ** Bug
> > > > >
> > > > > * [WICKET-5747] - Wicket Ajax Click handling gets requeued in
> > > > > OnDomReady so fire out of order
> > > > > * [WICKET-5752] - ReplacementResourceBundleReference should
> return
> > > > > the dependencies for the replacing resource ref
> > > > > * [WICKET-5755] - Restoring focus after Ajax replace no longer
> > works
> > > > in IE8
> > > > > * [WICKET-5759] - AjaxRequestAttributes extra parameters aren't
> > > > > properly handled in getCallbackFunction()
> > > > > * [WICKET-5770] - PageParametersEncoder should not decode
> > > > > parameters with no name
> > > > > * [WICKET-5782] - Missing escaping in MultiFileUploadField.js -
> > sort
> > > > of XSS
> > > > > * [WICKET-5783] - Multiple events in AjaxEventBehavior with
> prefix
> > > > 'on'
> > > > > * [WICKET-5784] - arraycopy with bad length in
> > > > AbstractRequestLogger:172
> > > > > * [WICKET-5793] - Request for static resource creating a session
> > in
> > > > 6.13.0+
> > > > > * [WICKET-5809] - URL IPv6 parsing
> > > > > * [WICKET-5811] - Infinite loop issue in
> > > > >
> PropertyValidator#createUnresolvablePropertyMessage(FormComponent<>)
> > > > > * [WICKET-5812] - AtmosphereBehavior wrongly sets Ajax base url
> to
> > > '.'
> > > > >
> > > > > ** Improvement
> > > > >
> > > > > * [WICKET-4703] - StringResourceModel should provide an
> > > > > overridable getString(Component) method
> > > > > * [WICKET-5746] - Fire an event once all JS event listeners are
> > > > registered
> > > > > * [WICKET-5753] - It is impossible to determine the form
> > > > > submitting component's inputName when AjaxFormSubmitBehavior is
> used
> > > > > * [WICKET-5754] - (String)ResourceModel's defaultValue could be
> an
> > > > > IModel<String>
> > > > > * [WICKET-5756] - Allow to use custom ciphers when using
> > SunJceCrypt
> > > > class
> > > > > * [WICKET-5758] - Portuguese translation
> > > > > * [WICKET-5760] - Add constructor (String, Serializable, String)
> > > > > to AttributeAppender
> > > > > * [WICKET-5775] - Replace the session upon successful signin for
> > > > > better support for Session Fixation
> > > > > * [WICKET-5776] - Add information about the component when it
> fail
> > > > > in detach phase
> > > > > * [WICKET-5778] - Pass the IModifiable to the IChangeListener in
> > > > > ModificationWatcher
> > > > > * [WICKET-5780] - Add a resource reference for
> > > ContextRelativeResource
> > > > > * [WICKET-5794] - Make DefaultExceptionMapper extensible
> > > > > * [WICKET-5797] - Convenience method to call setResponsePage
> with
> > > > > forward option
> > > > > * [WICKET-5799] - Add rel=prev/next in PagingNavigator.html
> > > > > * [WICKET-5802] - HTML Import
> > > > > * [WICKET-5806] - Wicket.Log should log (at least errors) in the
> > > > > browser console even when Wicket Ajax Debug window is disabled
> > > > >
> > > > > ** New Feature
> > > > >
> > > > > * [WICKET-5771] - Ability to escape resource bundle messages
> added
> > > > > with wicket:message
> > > > >
> > > > > ** Task
> > > > >
> > > > > * [WICKET-5791] - Update JQuery to 1.11.2 and 2.1.3
> > > >
> > >
> > >
> > >
> > > --
> > > WBR
> > > Maxim aka solomax
> > >
> >
>
>
>
> --
> WBR
> Maxim aka solomax
>
