It depends on the configured ICryptFactory for the application. Due to a security problem 6.19.0 changed the default factory from CachingSunJceCryptFactory to KeyInSessionSunJceCryptFactory.
Martin Grigorov Wicket Training and Consulting https://twitter.com/mtgrigorov On Wed, Jan 28, 2015 at 10:07 AM, Maxim Solodovnik <[email protected]> wrote: > So it is expected behavior all users need to re-login after Tomcat restart? > > On Wed, Jan 28, 2015 at 2:05 PM, Martin Grigorov <[email protected]> > wrote: > > > Again I don't see the exception caught at > > > > try { > > value = getCrypt().decryptUrlSafe(value); > > } catch (RuntimeException e) { > > > > to be logged in your version of the class. > > As I said failing at decryption is something to be expected. I think the > > logged message should be DEBUG, not INFO. > > > > There are changes in Wicket related to better security that will lead to > > forced logout after upgrading to 6.19.0: > > > > [WICKET-5775] - Replace the session upon successful signin for better > > support for Session Fixation > > [WICKET-5756] - Allow to use custom ciphers when using SunJceCrypt class > > > > > > Martin Grigorov > > Wicket Training and Consulting > > https://twitter.com/mtgrigorov > > > > On Wed, Jan 28, 2015 at 9:57 AM, Maxim Solodovnik <[email protected]> > > wrote: > > > > > Hello Martin! > > > > > > Actually I'm using modified AuthStrategy (to be able to handle > additional > > > parameter) [1] > > > It was copied from DefaultAuthenticationStrategy > > > > > > I'll check the code ant will try to find what was changed (maybe my > code > > is > > > bad) > > > > > > [1] > > > > > > > > > https://svn.apache.org/repos/asf/openmeetings/branches/3.0.x/src/web/java/org/apache/openmeetings/web/app/OmAuthenticationStrategy.java > > > > > > On Wed, Jan 28, 2015 at 1:49 PM, Martin Grigorov <[email protected] > > > > > wrote: > > > > > > > Hi Maxim, > > > > > > > > I wasn't able to reproduce the problem. > > > > Additionally I think it is a normal use > > > > case. > > > > > > > > > > org.apache.wicket.authentication.strategy.DefaultAuthenticationStrategy#load() > > > > [1] catches RuntimeException, logs an INFO message explaining why it > > may > > > > happen and removes the cookie. I am not sure why you see this > exception > > > > stack trace. It is not logged by Wicket, or at least I don't see > where. > > > > > > > > 1. > > > > > > > > > > > > > > https://github.com/apache/wicket/blob/wicket-6.x/wicket-core/src/main/java/org/apache/wicket/authentication/strategy/DefaultAuthenticationStrategy.java#L101 > > > > > > > > Martin Grigorov > > > > Wicket Training and Consulting > > > > https://twitter.com/mtgrigorov > > > > > > > > On Tue, Jan 27, 2015 at 6:52 PM, Maxim Solodovnik < > > [email protected]> > > > > wrote: > > > > > > > > > Hello Martijn, > > > > > > > > > > It seems like "Remember log in" feature is not working anymore. > > > > > > > > > > Steps: > > > > > 1) Save login/password in cookies > > > > > 2) delete JSESSIONID cookie > > > > > 3) reload page > > > > > Result: no login prompt > > > > > > > > > > 1) stop tomcat > > > > > 2) start tomcat > > > > > 3) reload page > > > > > Result: exception [1] in the logs + login prompt > > > > > > > > > > it was working in 6.18.0 .... did I miss to update some > dependencies > > or > > > > > something broken? > > > > > > > > > > > > > > > [1] java.lang.RuntimeException: Unable to decrypt the text '�� > �!��@ > > �� > > > > > {�� ��y4 ��x�MJ� ������}]' > > > > > at > > > > > > > > > > > > > > > > > > > > org.apache.wicket.util.crypt.AbstractCrypt.decryptByteArray(AbstractCrypt.java:154) > > > > > ~[wicket-util-6.19.0.jar:6.19.0] > > > > > at > > > > > > > > > > > > > > > > > > > > org.apache.wicket.util.crypt.AbstractCrypt.decryptUrlSafe(AbstractCrypt.java:66) > > > > > ~[wicket-util-6.19.0.jar:6.19.0] > > > > > at > > > > > > > > > > > > > > > > > > > > org.apache.openmeetings.web.app.OmAuthenticationStrategy.load(OmAuthenticationStrategy.java:50) > > > > > [openmeetings-web-3.0.4-SNAPSHOT.jar:na] > > > > > at > > > > > > > > > > > > > > > org.apache.openmeetings.web.app.WebSession.isSignedIn(WebSession.java:174) > > > > > [openmeetings-web-3.0.4-SNAPSHOT.jar:na] > > > > > at > > > > > > > > > > > > > > > > > > > > org.apache.openmeetings.web.pages.auth.SignInDialog$SignInForm.<init>(SignInDialog.java:219) > > > > > [openmeetings-web-3.0.4-SNAPSHOT.jar:na] > > > > > at > > > > > > > > > > > > > > > > > > > > org.apache.openmeetings.web.pages.auth.SignInDialog.<init>(SignInDialog.java:92) > > > > > [openmeetings-web-3.0.4-SNAPSHOT.jar:na] > > > > > at > > > > > > > > > > > > > > > > > > > > org.apache.openmeetings.web.pages.auth.SignInPage.<init>(SignInPage.java:127) > > > > > [openmeetings-web-3.0.4-SNAPSHOT.jar:na] > > > > > at > > > > > > > > > > > > > > > > > > > > org.apache.openmeetings.web.pages.auth.SignInPage.<init>(SignInPage.java:136) > > > > > [openmeetings-web-3.0.4-SNAPSHOT.jar:na] > > > > > at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native > > > Method) > > > > > [na:1.7.0_76] > > > > > at > > > > > > > > > > > > > > > > > > > > sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57) > > > > > [na:1.7.0_76] > > > > > at > > > > > > > > > > > > > > > > > > > > sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) > > > > > [na:1.7.0_76] > > > > > at java.lang.reflect.Constructor.newInstance(Constructor.java:526) > > > > > [na:1.7.0_76] > > > > > at > > > > > > > > > > > > > > > > > > > > org.apache.wicket.session.DefaultPageFactory.newPage(DefaultPageFactory.java:175) > > > > > [wicket-core-6.19.0.jar:6.19.0] > > > > > at > > > > > > > > > > > > > > > > > > > > org.apache.wicket.session.DefaultPageFactory.newPage(DefaultPageFactory.java:67) > > > > > [wicket-core-6.19.0.jar:6.19.0] > > > > > at > > > > > > > > > > > > > > > > > > > > org.apache.wicket.DefaultMapperContext.newPageInstance(DefaultMapperContext.java:133) > > > > > [wicket-core-6.19.0.jar:6.19.0] > > > > > at > > > > > > > > > > > > > > > > > > > > org.apache.wicket.core.request.handler.PageProvider.resolvePageInstance(PageProvider.java:268) > > > > > [wicket-core-6.19.0.jar:6.19.0] > > > > > at > > > > > > > > > > > > > > > > > > > > org.apache.wicket.core.request.handler.PageProvider.getPageInstance(PageProvider.java:166) > > > > > [wicket-core-6.19.0.jar:6.19.0] > > > > > at > > > > > > > > > > > > > > > > > > > > org.apache.wicket.request.handler.render.PageRenderer.getPage(PageRenderer.java:78) > > > > > [wicket-core-6.19.0.jar:6.19.0] > > > > > at > > > > > > > > > > > > > > > > > > > > org.apache.wicket.request.handler.render.WebPageRenderer.respond(WebPageRenderer.java:279) > > > > > [wicket-core-6.19.0.jar:6.19.0] > > > > > at > > > > > > > > > > > > > > > > > > > > org.apache.wicket.core.request.handler.RenderPageRequestHandler.respond(RenderPageRequestHandler.java:175) > > > > > [wicket-core-6.19.0.jar:6.19.0] > > > > > at > > > > > > > > > > > > > > > > > > > > org.apache.wicket.request.cycle.RequestCycle$HandlerExecutor.respond(RequestCycle.java:890) > > > > > [wicket-core-6.19.0.jar:6.19.0] > > > > > at > > > > > > > > > > > > > > > > > > > > org.apache.wicket.request.RequestHandlerStack.execute(RequestHandlerStack.java:64) > > > > > [wicket-request-6.19.0.jar:6.19.0] > > > > > at > > > > > > > > > > > > > > > org.apache.wicket.request.cycle.RequestCycle.execute(RequestCycle.java:261) > > > > > [wicket-core-6.19.0.jar:6.19.0] > > > > > at > > > > > > > > > > > > > > > > > > > > org.apache.wicket.request.cycle.RequestCycle.processRequest(RequestCycle.java:218) > > > > > [wicket-core-6.19.0.jar:6.19.0] > > > > > at > > > > > > > > > > > > > > > > > > > > org.apache.wicket.request.cycle.RequestCycle.processRequestAndDetach(RequestCycle.java:289) > > > > > [wicket-core-6.19.0.jar:6.19.0] > > > > > at > > > > > > > > > > > > > > > > > > > > org.apache.wicket.protocol.ws.AbstractUpgradeFilter.processRequestCycle(AbstractUpgradeFilter.java:59) > > > > > [wicket-native-websocket-core-6.19.0.jar:6.19.0] > > > > > at > > > > > > > > > > > > > > > > > > > > org.apache.wicket.protocol.http.WicketFilter.processRequest(WicketFilter.java:201) > > > > > [wicket-core-6.19.0.jar:6.19.0] > > > > > at > > > > > > > > > > > > > > > > > > > > org.apache.wicket.protocol.http.WicketFilter.doFilter(WicketFilter.java:282) > > > > > [wicket-core-6.19.0.jar:6.19.0] > > > > > at > > > > > > > > > > > > > > > > > > > > org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) > > > > > [tomcat-embed-core.jar:7.0.57] > > > > > at > > > > > > > > > > > > > > > > > > > > org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) > > > > > [tomcat-embed-core.jar:7.0.57] > > > > > at > > > > > > > > > > > > > > > org.red5.logging.LoggerContextFilter.doFilter(LoggerContextFilter.java:77) > > > > > [red5-server.jar:1.0.4-RELEASE] > > > > > at > > > > > > > > > > > > > > > > > > > > org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) > > > > > [tomcat-embed-core.jar:7.0.57] > > > > > at > > > > > > > > > > > > > > > > > > > > org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) > > > > > [tomcat-embed-core.jar:7.0.57] > > > > > at > > > > > > > > > > > > > > > > > > > > org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220) > > > > > [tomcat-embed-core.jar:7.0.57] > > > > > at > > > > > > > > > > > > > > > > > > > > org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122) > > > > > [tomcat-embed-core.jar:7.0.57] > > > > > at > > > > > > > > > > > > > > > > > > > > org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:503) > > > > > [tomcat-embed-core.jar:7.0.57] > > > > > at > > > > > > > > > > > > > > > > > > > > org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170) > > > > > [tomcat-embed-core.jar:7.0.57] > > > > > at > > > > > > > > > > > > > > > > > > > > org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103) > > > > > [tomcat-embed-core.jar:7.0.57] > > > > > at > > > > > > > > > org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950) > > > > > [tomcat-embed-core.jar:7.0.57] > > > > > at > > > > > > > > > > > > > > > > > > > > org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116) > > > > > [tomcat-embed-core.jar:7.0.57] > > > > > at > > > > > > > > > > > > > > > org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:421) > > > > > [tomcat-embed-core.jar:7.0.57] > > > > > at > > > > > > > > > > > > > > > > > > > > org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1070) > > > > > [tomcat-embed-core.jar:7.0.57] > > > > > at > > > > > > > > > > > > > > > > > > > > org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611) > > > > > [tomcat-embed-core.jar:7.0.57] > > > > > at > > > > > > > > > > > > > > > > > > > > org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1736) > > > > > [tomcat-embed-core.jar:7.0.57] > > > > > at > > > > > > > > > > > > > > > > > > > > org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1695) > > > > > [tomcat-embed-core.jar:7.0.57] > > > > > at > > > > > > > > > > > > > > > > > > > > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) > > > > > [na:1.7.0_76] > > > > > at > > > > > > > > > > > > > > > > > > > > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) > > > > > [na:1.7.0_76] > > > > > at > > > > > > > > > > > > > > > > > > > > org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) > > > > > [tomcat-embed-core.jar:7.0.57] > > > > > at java.lang.Thread.run(Thread.java:745) [na:1.7.0_76] > > > > > Caused by: javax.crypto.BadPaddingException: Given final block not > > > > properly > > > > > padded > > > > > at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:811) > > > > > ~[sunjce_provider.jar:1.7.0_80] > > > > > at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:676) > > > > > ~[sunjce_provider.jar:1.7.0_80] > > > > > at > > > com.sun.crypto.provider.PBECipherCore.doFinal(PBECipherCore.java:422) > > > > > ~[sunjce_provider.jar:1.7.0_80] > > > > > at > > > > > > > > > > > > > > > > > > > > com.sun.crypto.provider.PBEWithMD5AndDESCipher.engineDoFinal(PBEWithMD5AndDESCipher.java:316) > > > > > ~[sunjce_provider.jar:1.7.0_80] > > > > > at javax.crypto.Cipher.doFinal(Cipher.java:2087) ~[na:1.7.0_71] > > > > > at > > org.apache.wicket.util.crypt.SunJceCrypt.crypt(SunJceCrypt.java:115) > > > > > ~[wicket-util-6.19.0.jar:6.19.0] > > > > > at > > > > > > > > > > > > > > > > > > > > org.apache.wicket.util.crypt.AbstractCrypt.decryptByteArray(AbstractCrypt.java:150) > > > > > ~[wicket-util-6.19.0.jar:6.19.0] > > > > > ... 48 common frames omitted > > > > > > > > > > > > > > > On Mon, Jan 26, 2015 at 6:37 PM, Tobias Soloschenko < > > > > > [email protected]> wrote: > > > > > > > > > > > [+] Yes, release Apache Wicket 6.19.0 > > > > > > > > > > > > kind regards > > > > > > > > > > > > Tobias > > > > > > > > > > > > > Am 26.01.2015 um 10:39 schrieb Martijn Dashorst < > > > > > > [email protected]>: > > > > > > > > > > > > > > This is a vote to release Apache Wicket 6.19.0 > > > > > > > > > > > > > > Please download the source distributions found in our staging > > area > > > > > > > linked below. > > > > > > > > > > > > > > I have included the signatures for both the source archives. > This > > > > vote > > > > > > > lasts for 72 hours minimum. > > > > > > > > > > > > > > [ ] Yes, release Apache Wicket 6.19.0 > > > > > > > [ ] No, don't release Apache Wicket 6.19.0, because ... > > > > > > > > > > > > > > Distributions, changelog, keys and signatures can be found at: > > > > > > > > > > > > > > https://dist.apache.org/repos/dist/dev/wicket/6.19.0 > > > > > > > > > > > > > > Staging repository: > > > > > > > > > > > > > > > > > > > > > > > > > > https://repository.apache.org/content/repositories/orgapachewicket-1033/ > > > > > > > > > > > > > > The binaries are available in the above link, as are a staging > > > > > > > repository for Maven. Typically the vote is on the source, but > > > should > > > > > > > you find a problem with one of the binaries, please let me > know, > > I > > > > can > > > > > > > re-roll them some way or the other. > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > ======================================================================== > > > > > > > > > > > > > > The signatures for the source release artefacts: > > > > > > > > > > > > > > > > > > > > > Signature for apache-wicket-6.19.0.zip: > > > > > > > > > > > > > > -----BEGIN PGP SIGNATURE----- > > > > > > > Version: GnuPG/MacGPG2 v2.0.22 (Darwin) > > > > > > > Comment: GPGTools - https://gpgtools.org > > > > > > > > > > > > > > > iEYEABECAAYFAlTGCcIACgkQJBX8W/xy/UWvZACfWKgij/ptCo0iEnzpR/e0j9Nz > > > > > > > mAsAn0NfQNOWEBtVMsQuCnwG+L6kqO28 > > > > > > > =tEEj > > > > > > > -----END PGP SIGNATURE----- > > > > > > > > > > > > > > Signature for apache-wicket-6.19.0.tar.gz: > > > > > > > > > > > > > > -----BEGIN PGP SIGNATURE----- > > > > > > > Version: GnuPG/MacGPG2 v2.0.22 (Darwin) > > > > > > > Comment: GPGTools - https://gpgtools.org > > > > > > > > > > > > > > > iEYEABECAAYFAlTGCcIACgkQJBX8W/xy/UWqKwCgt9wLbuSjvAGwuO4E67KbXPhc > > > > > > > /WAAnR1ZWxjr077abSwK2b77WM3nuwO4 > > > > > > > =9HPf > > > > > > > -----END PGP SIGNATURE----- > > > > > > > > > > > > > > > > > > > > > > > ======================================================================== > > > > > > > > > > > > > > CHANGELOG for 6.19.0: > > > > > > > > > > > > > > > > > > > > > ** Bug > > > > > > > > > > > > > > * [WICKET-5747] - Wicket Ajax Click handling gets requeued > in > > > > > > > OnDomReady so fire out of order > > > > > > > * [WICKET-5752] - ReplacementResourceBundleReference should > > > return > > > > > > > the dependencies for the replacing resource ref > > > > > > > * [WICKET-5755] - Restoring focus after Ajax replace no > longer > > > > works > > > > > > in IE8 > > > > > > > * [WICKET-5759] - AjaxRequestAttributes extra parameters > > aren't > > > > > > > properly handled in getCallbackFunction() > > > > > > > * [WICKET-5770] - PageParametersEncoder should not decode > > > > > > > parameters with no name > > > > > > > * [WICKET-5782] - Missing escaping in > MultiFileUploadField.js > > - > > > > sort > > > > > > of XSS > > > > > > > * [WICKET-5783] - Multiple events in AjaxEventBehavior with > > > prefix > > > > > > 'on' > > > > > > > * [WICKET-5784] - arraycopy with bad length in > > > > > > AbstractRequestLogger:172 > > > > > > > * [WICKET-5793] - Request for static resource creating a > > session > > > > in > > > > > > 6.13.0+ > > > > > > > * [WICKET-5809] - URL IPv6 parsing > > > > > > > * [WICKET-5811] - Infinite loop issue in > > > > > > > > > > PropertyValidator#createUnresolvablePropertyMessage(FormComponent<>) > > > > > > > * [WICKET-5812] - AtmosphereBehavior wrongly sets Ajax base > > url > > > to > > > > > '.' > > > > > > > > > > > > > > ** Improvement > > > > > > > > > > > > > > * [WICKET-4703] - StringResourceModel should provide an > > > > > > > overridable getString(Component) method > > > > > > > * [WICKET-5746] - Fire an event once all JS event listeners > > are > > > > > > registered > > > > > > > * [WICKET-5753] - It is impossible to determine the form > > > > > > > submitting component's inputName when AjaxFormSubmitBehavior is > > > used > > > > > > > * [WICKET-5754] - (String)ResourceModel's defaultValue could > > be > > > an > > > > > > > IModel<String> > > > > > > > * [WICKET-5756] - Allow to use custom ciphers when using > > > > SunJceCrypt > > > > > > class > > > > > > > * [WICKET-5758] - Portuguese translation > > > > > > > * [WICKET-5760] - Add constructor (String, Serializable, > > String) > > > > > > > to AttributeAppender > > > > > > > * [WICKET-5775] - Replace the session upon successful signin > > for > > > > > > > better support for Session Fixation > > > > > > > * [WICKET-5776] - Add information about the component when > it > > > fail > > > > > > > in detach phase > > > > > > > * [WICKET-5778] - Pass the IModifiable to the > IChangeListener > > in > > > > > > > ModificationWatcher > > > > > > > * [WICKET-5780] - Add a resource reference for > > > > > ContextRelativeResource > > > > > > > * [WICKET-5794] - Make DefaultExceptionMapper extensible > > > > > > > * [WICKET-5797] - Convenience method to call setResponsePage > > > with > > > > > > > forward option > > > > > > > * [WICKET-5799] - Add rel=prev/next in PagingNavigator.html > > > > > > > * [WICKET-5802] - HTML Import > > > > > > > * [WICKET-5806] - Wicket.Log should log (at least errors) in > > the > > > > > > > browser console even when Wicket Ajax Debug window is disabled > > > > > > > > > > > > > > ** New Feature > > > > > > > > > > > > > > * [WICKET-5771] - Ability to escape resource bundle messages > > > added > > > > > > > with wicket:message > > > > > > > > > > > > > > ** Task > > > > > > > > > > > > > > * [WICKET-5791] - Update JQuery to 1.11.2 and 2.1.3 > > > > > > > > > > > > > > > > > > > > > > > > > > -- > > > > > WBR > > > > > Maxim aka solomax > > > > > > > > > > > > > > > > > > > > > -- > > > WBR > > > Maxim aka solomax > > > > > > > > > -- > WBR > Maxim aka solomax >
