Re: [cas-user] CAS4 flow decode execution error, is this an issue?
I see. There are two sets of keys. I am missing webflow..key ALL nodes SHARE the same key. For some reason, I thought each node will have a unique key, but obviously I was wrong. So, session affinity is NOT required for CAS to work correctly. Thx! On 1/5/2017 2:19 PM, Misagh Moayyed wrote: 1. Keys must be the same across all nodes. 2. Your previous error says something about webflow decryption. Your config has no keys defined for that purpose. -- Misagh From: Yan Zhou <yanand...@gmail.com> <mailto:yanand...@gmail.com> Reply: cas-user@apereo.org <cas-user@apereo.org> <mailto:cas-user@apereo.org> Date: January 5, 2017 at 10:25:09 PM To: CAS Community <cas-user@apereo.org> <mailto:cas-user@apereo.org> Subject: Re: [cas-user] CAS4 flow decode execution error, is this an issue? Hi, this is one server's cas.properties. the other server is very similar other than host name is dcasde02, and it has different signing key and encryption key, since they are unique per server. Is there any misconfiguration you can see? If CAS cluster can work without session affinity, how does one server decrypt a value encrypted by another server using a different key? Thx! server.name=http://dcasde01:8443 server.prefix=${server.name}/cas cas.securityContext.status.access=hasIpAddress('172.18.100.52') cas.securityContext.statistics.access=hasIpAddress('172.18.100.52') cas.themeResolver.defaultThemeName=cas-theme-default cas.viewResolver.basename=default_views host.name=dcasde01.dev.medplus.com tgc.encryption.key=LqWoZsHfEYQZ3KIzWiC_KE8iUoKXK48FgTiIDpTZs80 tgc.signing.key=O7Y5GookFVgYjhTE2sQZPxTeUr07jlcNDIo5G34rSxulP1FPaYs-5_dc_87a5OrOEvAAp0BImQ9sPxuy_MX-jQ hz.cluster.members=dcasde01.dev.medplus.com,dcasde02.dev.medplus.com cas.logout.followServiceRedirects=true tgt.maxTimeToLiveInSeconds=28800 st.timeToKillInSeconds=300 service.registry.config.location=file:///etc/cas-config/cas-management/services On Thursday, January 5, 2017 at 12:49:42 PM UTC-5, sesharaju sv wrote: Hello Yan, you would have missed some configurations in cas.properties. Please share properties so that can we can review and let you know the issue. Thanks Seshu On 5 January 2017 at 20:17, Yan Zhou <yana...@gmail.com> wrote: > Hello, > > When you submit CAS4 login page, sometimes you got “Decode flow execution > error”. For a long time, I have been struggling as to why this happens. I > think we have an answer. > > > This most likely happens in a cluster environment when you have multiple > active CAS4 servers. They each has a different signing key. The webflow > values are encrypted by the CAS server handling request and sent back to CAS > login form, when form is submitted, the encrypted value comes back to CAS > server. Without session affinity, one server can sign the data, but the > other server won’t decrypt it, because the keys are different. > > > > That is my theory, do you think that would cause this error? I did verify > that when server cannot decrypt data, it results in null value, which causes > the following exception. > > > 2016-11-23 15:21:01,746 ERROR [org.jasig.cas.util.BinaryCipherExecutor] - > Unable to correctly extract the Initialization Vector or ciphertext. > > org.apache.shiro.crypto.CryptoException: Unable to correctly extract the > Initialization Vector or ciphertext. > > at > org.apache.shiro.crypto.JcaCipherService.decrypt(JcaCipherService.java:378) > > at > org.jasig.cas.util.BinaryCipherExecutor.decode(BinaryCipherExecutor.java:120) > > at > org.jasig.cas.util.BinaryCipherExecutor.decode(BinaryCipherExecutor.java:42) > > at > org.jasig.cas.web.flow.CasWebflowCipherBean.decrypt(CasWebflowCipherBean.java:58) > > at > org.jasig.spring.webflow.plugin.EncryptedTranscoder.decode(EncryptedTranscoder.java:105) > > at > org.jasig.spring.webflow.plugin.ClientFlowExecutionRepository.getFlowExecution(ClientFlowExecutionRepository.java:90) > > at > org.springframework.webflow.executor.FlowExecutorImpl.resumeExecution(FlowExecutorImpl.java:168) > > at > org.springframework.webflow.mvc.servlet.FlowHandlerAdapter.handle(FlowHandlerAdapter.java:228) > > at > org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:959) > > at > org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:893) > >
Re: [cas-user] CAS4 flow decode execution error, is this an issue?
1. Keys must be the same across all nodes. 2. Your previous error says something about webflow decryption. Your config has no keys defined for that purpose. -- Misagh From: Yan Zhou <yanand...@gmail.com> Reply: cas-user@apereo.org <cas-user@apereo.org> Date: January 5, 2017 at 10:25:09 PM To: CAS Community <cas-user@apereo.org> Subject: Re: [cas-user] CAS4 flow decode execution error, is this an issue? Hi, this is one server's cas.properties. the other server is very similar other than host name is dcasde02, and it has different signing key and encryption key, since they are unique per server. Is there any misconfiguration you can see? If CAS cluster can work without session affinity, how does one server decrypt a value encrypted by another server using a different key? Thx! server.name=http://dcasde01:8443 server.prefix=${server.name}/cas cas.securityContext.status.access=hasIpAddress('172.18.100.52') cas.securityContext.statistics.access=hasIpAddress('172.18.100.52') cas.themeResolver.defaultThemeName=cas-theme-default cas.viewResolver.basename=default_views host.name=dcasde01.dev.medplus.com tgc.encryption.key=LqWoZsHfEYQZ3KIzWiC_KE8iUoKXK48FgTiIDpTZs80 tgc.signing.key=O7Y5GookFVgYjhTE2sQZPxTeUr07jlcNDIo5G34rSxulP1FPaYs-5_dc_87a5OrOEvAAp0BImQ9sPxuy_MX-jQ hz.cluster.members=dcasde01.dev.medplus.com,dcasde02.dev.medplus.com cas.logout.followServiceRedirects=true tgt.maxTimeToLiveInSeconds=28800 st.timeToKillInSeconds=300 service.registry.config.location=file:///etc/cas-config/cas-management/services On Thursday, January 5, 2017 at 12:49:42 PM UTC-5, sesharaju sv wrote: Hello Yan, you would have missed some configurations in cas.properties. Please share properties so that can we can review and let you know the issue. Thanks Seshu On 5 January 2017 at 20:17, Yan Zhou <yana...@gmail.com> wrote: > Hello, > > When you submit CAS4 login page, sometimes you got “Decode flow execution > error”. For a long time, I have been struggling as to why this happens. I > think we have an answer. > > > This most likely happens in a cluster environment when you have multiple > active CAS4 servers. They each has a different signing key. The webflow > values are encrypted by the CAS server handling request and sent back to CAS > login form, when form is submitted, the encrypted value comes back to CAS > server. Without session affinity, one server can sign the data, but the > other server won’t decrypt it, because the keys are different. > > > > That is my theory, do you think that would cause this error? I did verify > that when server cannot decrypt data, it results in null value, which causes > the following exception. > > > 2016-11-23 15:21:01,746 ERROR [org.jasig.cas.util.BinaryCipherExecutor] - > Unable to correctly extract the Initialization Vector or ciphertext. > > org.apache.shiro.crypto.CryptoException: Unable to correctly extract the > Initialization Vector or ciphertext. > > at > org.apache.shiro.crypto.JcaCipherService.decrypt(JcaCipherService.java:378) > > at > org.jasig.cas.util.BinaryCipherExecutor.decode(BinaryCipherExecutor.java:120) > > at > org.jasig.cas.util.BinaryCipherExecutor.decode(BinaryCipherExecutor.java:42) > > at > org.jasig.cas.web.flow.CasWebflowCipherBean.decrypt(CasWebflowCipherBean.java:58) > > at > org.jasig.spring.webflow.plugin.EncryptedTranscoder.decode(EncryptedTranscoder.java:105) > > at > org.jasig.spring.webflow.plugin.ClientFlowExecutionRepository.getFlowExecution(ClientFlowExecutionRepository.java:90) > > at > org.springframework.webflow.executor.FlowExecutorImpl.resumeExecution(FlowExecutorImpl.java:168) > > at > org.springframework.webflow.mvc.servlet.FlowHandlerAdapter.handle(FlowHandlerAdapter.java:228) > > at > org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:959) > > at > org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:893) > > at > org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:967) > > at > org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:869) > > at javax.servlet.http.HttpServlet.service(Unknown Source) > > at > org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:843) > > at javax.servlet.http.HttpServlet.service(Unknown Source) > > at > org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Unknown > Source) > > at org.apache.catalina.core.ApplicationFilterChain.doFilter(Unknown > Source) > > at o
Re: [cas-user] CAS4 flow decode execution error, is this an issue?
Hi, this is one server's cas.properties. the other server is very similar other than host name is dcasde02, and it has different signing key and encryption key, since they are unique per server. Is there any misconfiguration you can see? If CAS cluster can work without session affinity, how does one server decrypt a value encrypted by another server using a different key? Thx! server.name=http://dcasde01:8443 server.prefix=${server.name}/cas cas.securityContext.status.access=hasIpAddress('172.18.100.52') cas.securityContext.statistics.access=hasIpAddress('172.18.100.52') cas.themeResolver.defaultThemeName=cas-theme-default cas.viewResolver.basename=default_views host.name=dcasde01.dev.medplus.com tgc.encryption.key=LqWoZsHfEYQZ3KIzWiC_KE8iUoKXK48FgTiIDpTZs80 tgc.signing.key=O7Y5GookFVgYjhTE2sQZPxTeUr07jlcNDIo5G34rSxulP1FPaYs-5_dc_87a5OrOEvAAp0BImQ9sPxuy_MX-jQ hz.cluster.members=dcasde01.dev.medplus.com,dcasde02.dev.medplus.com cas.logout.followServiceRedirects=true tgt.maxTimeToLiveInSeconds=28800 st.timeToKillInSeconds=300 service.registry.config.location=file:///etc/cas-config/cas-management/services On Thursday, January 5, 2017 at 12:49:42 PM UTC-5, sesharaju sv wrote: > > Hello Yan, > > you would have missed some configurations in cas.properties. Please > share properties so that can we can review and let you know the issue. > > Thanks > Seshu > > On 5 January 2017 at 20:17, Yan Zhou> wrote: > > Hello, > > > > When you submit CAS4 login page, sometimes you got “Decode flow > execution > > error”. For a long time, I have been struggling as to why this happens. > I > > think we have an answer. > > > > > > This most likely happens in a cluster environment when you have multiple > > active CAS4 servers. They each has a different signing key. The webflow > > values are encrypted by the CAS server handling request and sent back to > CAS > > login form, when form is submitted, the encrypted value comes back to > CAS > > server. Without session affinity, one server can sign the data, but the > > other server won’t decrypt it, because the keys are different. > > > > > > > > That is my theory, do you think that would cause this error? I did > verify > > that when server cannot decrypt data, it results in null value, which > causes > > the following exception. > > > > > > 2016-11-23 15:21:01,746 ERROR [org.jasig.cas.util.BinaryCipherExecutor] > - > > Unable to correctly extract the Initialization Vector or ciphertext. > > > > org.apache.shiro.crypto.CryptoException: Unable to correctly extract the > > Initialization Vector or ciphertext. > > > > at > > > org.apache.shiro.crypto.JcaCipherService.decrypt(JcaCipherService.java:378) > > > > at > > > org.jasig.cas.util.BinaryCipherExecutor.decode(BinaryCipherExecutor.java:120) > > > > > at > > > org.jasig.cas.util.BinaryCipherExecutor.decode(BinaryCipherExecutor.java:42) > > > > > at > > > org.jasig.cas.web.flow.CasWebflowCipherBean.decrypt(CasWebflowCipherBean.java:58) > > > > > > at > > > org.jasig.spring.webflow.plugin.EncryptedTranscoder.decode(EncryptedTranscoder.java:105) > > > > > > at > > > org.jasig.spring.webflow.plugin.ClientFlowExecutionRepository.getFlowExecution(ClientFlowExecutionRepository.java:90) > > > > > > at > > > org.springframework.webflow.executor.FlowExecutorImpl.resumeExecution(FlowExecutorImpl.java:168) > > > > > > at > > > org.springframework.webflow.mvc.servlet.FlowHandlerAdapter.handle(FlowHandlerAdapter.java:228) > > > > > > at > > > org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:959) > > > > > > at > > > org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:893) > > > > > > at > > > org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:967) > > > > > > at > > > org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:869) > > > > > > at javax.servlet.http.HttpServlet.service(Unknown Source) > > > > at > > > org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:843) > > > > > > at javax.servlet.http.HttpServlet.service(Unknown Source) > > > > at > > org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Unknown > > Source) > > > > at > org.apache.catalina.core.ApplicationFilterChain.doFilter(Unknown > > Source) > > > > at org.apache.tomcat.websocket.server.WsFilter.doFilter(Unknown > > Source) > > > > at > > org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Unknown > > Source) > > > > at > org.apache.catalina.core.ApplicationFilterChain.doFilter(Unknown > > Source) > > > > at > > >
Re: [cas-user] CAS4 flow decode execution error, is this an issue?
Hello Yan, you would have missed some configurations in cas.properties. Please share properties so that can we can review and let you know the issue. Thanks Seshu On 5 January 2017 at 20:17, Yan Zhouwrote: > Hello, > > When you submit CAS4 login page, sometimes you got “Decode flow execution > error”. For a long time, I have been struggling as to why this happens. I > think we have an answer. > > > This most likely happens in a cluster environment when you have multiple > active CAS4 servers. They each has a different signing key. The webflow > values are encrypted by the CAS server handling request and sent back to CAS > login form, when form is submitted, the encrypted value comes back to CAS > server. Without session affinity, one server can sign the data, but the > other server won’t decrypt it, because the keys are different. > > > > That is my theory, do you think that would cause this error? I did verify > that when server cannot decrypt data, it results in null value, which causes > the following exception. > > > 2016-11-23 15:21:01,746 ERROR [org.jasig.cas.util.BinaryCipherExecutor] - > Unable to correctly extract the Initialization Vector or ciphertext. > > org.apache.shiro.crypto.CryptoException: Unable to correctly extract the > Initialization Vector or ciphertext. > > at > org.apache.shiro.crypto.JcaCipherService.decrypt(JcaCipherService.java:378) > > at > org.jasig.cas.util.BinaryCipherExecutor.decode(BinaryCipherExecutor.java:120) > > at > org.jasig.cas.util.BinaryCipherExecutor.decode(BinaryCipherExecutor.java:42) > > at > org.jasig.cas.web.flow.CasWebflowCipherBean.decrypt(CasWebflowCipherBean.java:58) > > at > org.jasig.spring.webflow.plugin.EncryptedTranscoder.decode(EncryptedTranscoder.java:105) > > at > org.jasig.spring.webflow.plugin.ClientFlowExecutionRepository.getFlowExecution(ClientFlowExecutionRepository.java:90) > > at > org.springframework.webflow.executor.FlowExecutorImpl.resumeExecution(FlowExecutorImpl.java:168) > > at > org.springframework.webflow.mvc.servlet.FlowHandlerAdapter.handle(FlowHandlerAdapter.java:228) > > at > org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:959) > > at > org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:893) > > at > org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:967) > > at > org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:869) > > at javax.servlet.http.HttpServlet.service(Unknown Source) > > at > org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:843) > > at javax.servlet.http.HttpServlet.service(Unknown Source) > > at > org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Unknown > Source) > > at org.apache.catalina.core.ApplicationFilterChain.doFilter(Unknown > Source) > > at org.apache.tomcat.websocket.server.WsFilter.doFilter(Unknown > Source) > > at > org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Unknown > Source) > > at org.apache.catalina.core.ApplicationFilterChain.doFilter(Unknown > Source) > > at > org.jasig.cas.security.ResponseHeadersEnforcementFilter.doFilter(ResponseHeadersEnforcementFilter.java:227) > >at > org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Unknown > Source) > > > > at > org.jasig.cas.security.RequestParameterPolicyEnforcementFilter.doFilter(RequestParameterPolicyEnforcementFilter.java:250) > > at > org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:344) > > at > org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:261) > > at > org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Unknown > Source) > > at org.apache.catalina.core.ApplicationFilterChain.doFilter(Unknown > Source) > > at > org.jasig.inspektr.common.web.ClientInfoThreadLocalFilter.doFilter(ClientInfoThreadLocalFilter.java:62) > > at > org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Unknown > Source) > > at org.apache.catalina.core.ApplicationFilterChain.doFilter(Unknown > Source) > > at > org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:85) > > at > org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) > > at > org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:344) > > at > org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:261) > > at > org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Unknown > Source) > > at