Re: [cas-user] CAS4 flow decode execution error, is this an issue?

2017-01-05 Thread Yan Zhou

I see. There are two sets of keys. I am missing webflow..key

ALL nodes SHARE the same key. For some reason, I thought each node would
have a unique key, but obviously I was wrong.


So, session affinity is NOT required for CAS to work correctly.

Thx!


On 1/5/2017 2:19 PM, Misagh Moayyed wrote:

1. Keys must be the same across all nodes.
2. Your previous error says something about webflow decryption. Your config has no keys defined for that purpose.


--
Misagh

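As an added example (not code from the thread or from the CAS project), a small Python checker that reads each node's cas.properties and reports exactly the two conditions Misagh describes: a key that is not set on a node, and a key whose value differs between nodes. It assumes the CAS 4.2 property names webflow.encryption.key and webflow.signing.key for the webflow cipher (the thread only shows the elided "webflow..key") and uses constructed placeholder values rather than the keys posted above.

```python
from typing import Dict, List

# Key material that must be set on, and identical across, every CAS node.
# tgc.* appear in the thread's cas.properties; webflow.* are the CAS 4.2
# property names for the webflow cipher (assumption, not shown on the page).
SHARED_KEY_PROPERTIES = (
    "tgc.encryption.key",
    "tgc.signing.key",
    "webflow.encryption.key",
    "webflow.signing.key",
)

def parse_properties(text: str) -> Dict[str, str]:
    """Minimal .properties parser: key=value or key:value, '#'/'!' comments."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, _, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props

def audit_cluster(nodes: Dict[str, str]) -> List[str]:
    """nodes maps host -> cas.properties text; returns findings (empty = OK)."""
    parsed = {host: parse_properties(text) for host, text in nodes.items()}
    findings: List[str] = []
    for prop in SHARED_KEY_PROPERTIES:
        values = {host: props.get(prop, "") for host, props in parsed.items()}
        # A node with no value cannot decrypt anything its peers produced.
        for host in sorted(h for h, v in values.items() if not v):
            findings.append(f"{host}: {prop} is not set")
        if len({v for v in values.values() if v}) > 1:
            findings.append(f"{prop}: value differs across nodes")
    return findings

# Constructed sample (placeholder values, not the thread's real keys): node 2
# generated its own TGC encryption key and neither node defines webflow keys.
SAMPLE_NODES = {
    "dcasde01": """host.name=dcasde01.dev.medplus.com
tgc.encryption.key=PLACEHOLDER-TGC-ENC-KEY-A
tgc.signing.key=PLACEHOLDER-TGC-SIGN-KEY
""",
    "dcasde02": """host.name=dcasde02.dev.medplus.com
tgc.encryption.key=PLACEHOLDER-TGC-ENC-KEY-B
tgc.signing.key=PLACEHOLDER-TGC-SIGN-KEY
""",
}

if __name__ == "__main__":
    for finding in audit_cluster(SAMPLE_NODES):
        print(finding)
```

Run it against the real files from every node before taking a node out of a session-affinity setup; an empty result means every node can decrypt what any other node produced.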

Re: [cas-user] CAS4 flow decode execution error, is this an issue?

2017-01-05 Thread Misagh Moayyed
1. Keys must be the same across all nodes.
2. Your previous error says something about webflow decryption. Your config has no keys defined for that purpose.

-- 
Misagh


Re: [cas-user] CAS4 flow decode execution error, is this an issue?

2017-01-05 Thread Yan Zhou

Hi,

This is one server's cas.properties. The other server's is very similar,
other than the host name being dcasde02, and it has a different signing key
and encryption key, since they are unique per server.

Is there any misconfiguration you can see? If a CAS cluster can work
without session affinity, how does one server decrypt a value encrypted by
another server using a different key?

Thx!

server.name=http://dcasde01:8443
server.prefix=${server.name}/cas
cas.securityContext.status.access=hasIpAddress('172.18.100.52')
cas.securityContext.statistics.access=hasIpAddress('172.18.100.52')
cas.themeResolver.defaultThemeName=cas-theme-default
cas.viewResolver.basename=default_views
host.name=dcasde01.dev.medplus.com
tgc.encryption.key=LqWoZsHfEYQZ3KIzWiC_KE8iUoKXK48FgTiIDpTZs80
tgc.signing.key=O7Y5GookFVgYjhTE2sQZPxTeUr07jlcNDIo5G34rSxulP1FPaYs-5_dc_87a5OrOEvAAp0BImQ9sPxuy_MX-jQ
hz.cluster.members=dcasde01.dev.medplus.com,dcasde02.dev.medplus.com
cas.logout.followServiceRedirects=true
tgt.maxTimeToLiveInSeconds=28800
st.timeToKillInSeconds=300
service.registry.config.location=file:///etc/cas-config/cas-management/services




Re: [cas-user] CAS4 flow decode execution error, is this an issue?

2017-01-05 Thread sesharaju sv
Hello Yan,

You would have missed some configurations in cas.properties. Please
share the properties so that we can review and let you know the issue.

Thanks
Seshu

On 5 January 2017 at 20:17, Yan Zhou wrote:
> Hello,
>
> When you submit the CAS4 login page, sometimes you get “Decode flow execution
> error”. For a long time, I have been struggling as to why this happens. I
> think we have an answer.
>
>
> This most likely happens in a cluster environment when you have multiple
> active CAS4 servers. They each have a different signing key. The webflow
> values are encrypted by the CAS server handling the request and sent back to the
> CAS login form; when the form is submitted, the encrypted value comes back to the
> CAS server. Without session affinity, one server can sign the data, but the
> other server won’t decrypt it, because the keys are different.
>
>
>
> That is my theory; do you think that would cause this error? I did verify
> that when the server cannot decrypt the data, it results in a null value, which
> causes the following exception.
>
>
> 2016-11-23 15:21:01,746 ERROR [org.jasig.cas.util.BinaryCipherExecutor] - Unable to correctly extract the Initialization Vector or ciphertext.
>
> org.apache.shiro.crypto.CryptoException: Unable to correctly extract the Initialization Vector or ciphertext.
>         at org.apache.shiro.crypto.JcaCipherService.decrypt(JcaCipherService.java:378)
>         at org.jasig.cas.util.BinaryCipherExecutor.decode(BinaryCipherExecutor.java:120)
>         at org.jasig.cas.util.BinaryCipherExecutor.decode(BinaryCipherExecutor.java:42)
>         at org.jasig.cas.web.flow.CasWebflowCipherBean.decrypt(CasWebflowCipherBean.java:58)
>         at org.jasig.spring.webflow.plugin.EncryptedTranscoder.decode(EncryptedTranscoder.java:105)
>         at org.jasig.spring.webflow.plugin.ClientFlowExecutionRepository.getFlowExecution(ClientFlowExecutionRepository.java:90)
>         at org.springframework.webflow.executor.FlowExecutorImpl.resumeExecution(FlowExecutorImpl.java:168)
>         at org.springframework.webflow.mvc.servlet.FlowHandlerAdapter.handle(FlowHandlerAdapter.java:228)
>         at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:959)
>         at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:893)
>         at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:967)
>         at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:869)
>         at javax.servlet.http.HttpServlet.service(Unknown Source)
>         at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:843)
>         at javax.servlet.http.HttpServlet.service(Unknown Source)
>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Unknown Source)
>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(Unknown Source)
>         at org.apache.tomcat.websocket.server.WsFilter.doFilter(Unknown Source)
>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Unknown Source)
>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(Unknown Source)
>         at org.jasig.cas.security.ResponseHeadersEnforcementFilter.doFilter(ResponseHeadersEnforcementFilter.java:227)
>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Unknown Source)
>
>         at org.jasig.cas.security.RequestParameterPolicyEnforcementFilter.doFilter(RequestParameterPolicyEnforcementFilter.java:250)
>         at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:344)
>         at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:261)
>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Unknown Source)
>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(Unknown Source)
>         at org.jasig.inspektr.common.web.ClientInfoThreadLocalFilter.doFilter(ClientInfoThreadLocalFilter.java:62)
>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Unknown Source)
>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(Unknown Source)
>         at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:85)
>         at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
>         at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:344)
>         at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:261)
>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Unknown Source)
>         at