org.jasig.cas.util.NoOpCipherExecutor does no encryption and may NOT be safe in a production environment. Consider using other choices


satnam

Dec 8, 2016, 10:13:58 AM
to CAS Community
Hello, even when I am trying to use the default deployerConfigContext.xml, I am getting the warning
org.jasig.cas.util.NoOpCipherExecutor does no encryption and may NOT be safe in a production environment. Consider using other choices.  How can I reference other options?


In deployerConfigContext.xml,
  <alias name="tgcCipherExecutor" alias="defaultCookieCipherExecutor" />


 

To disable the cipher configuration for the SSO session cookie, we can include the following two lines in deployerConfigContext.xml, but how to enable it? If it is enabled by default, then why am I getting the warning?

https://apereo.github.io/cas/4.2.x/installation/Configuring-SSO-Session-Cookie.html

<alias name="noOpCookieValueManager" alias="defaultCookieValueManager" />
<alias name="noOpCipherExecutor" alias="defaultCookieCipherExecutor" />




Thanks for help

===============
2016-12-06 07:26:46 Commons Daemon procrun stdout initialized
2016-12-06 07:27:06,249 INFO [org.jasig.cas.support.saml.SamlServletContextListener] - <Starting up servlet application context...>
2016-12-06 07:27:06,405 INFO [org.jasig.cas.CasEnvironmentContextListener] - <
******************** Welcome to CAS *******************
CAS Version: 4.2.7
Build Date/Time: 1969-12-31T16:00:00.000-08:00
Java Home: E:\jre8u112
Java Vendor: Oracle Corporation
Java Version: 1.8.0_112
OS Architecture: amd64
OS Name: Windows Server 2008 R2
OS Version: 6.1
*******************************************************
>
2016-12-06 07:27:13,192 INFO [org.jasig.cas.services.DefaultServicesManagerImpl] - <Loaded 110 services from gov.ca.post.PostServiceRegistryDaoImpl@7b6bb8c9.>
2016-12-06 07:27:13,597 INFO [org.jasig.cas.services.DefaultServicesManagerImpl] - <Services manager will reload service definitions every 60 seconds>
2016-12-06 07:27:16,359 INFO [org.jasig.cas.ServiceRegistryInitializer] - <The service registry database will not be initialized from default JSON services. If the service registry database is empty, CAS will refuse to authenticate services until service definitions are added to the database.>
2016-12-06 07:27:16,452 INFO [org.jasig.cas.ticket.registry.TicketRegistryCleaner] - <Preparing to schedule job to clean up after tickets...>
2016-12-06 07:27:16,452 INFO [org.jasig.cas.ticket.registry.TicketRegistryCleaner] - <TicketRegistryCleaner will clean tickets every 2 minutes>
2016-12-06 07:27:16,546 WARN [org.jasig.cas.util.NoOpCipherExecutor] - <[org.jasig.cas.util.NoOpCipherExecutor] does no encryption and may NOT be safe in a production environment. Consider using other choices, such as [org.jasig.cas.util.BaseStringCipherExecutor] that handle encryption, signing and verification of all appropriate values.>
2016-12-06 07:27:16,639 WARN [org.jasig.cas.util.WebflowCipherExecutor] - <Secret key for signing is not defined. CAS will attempt to auto-generate the signing key>
2016-12-06 07:27:16,639 WARN [org.jasig.cas.util.WebflowCipherExecutor] - <Generated signing key Hw0rXiTss7ZAfbKeEFjOrAsaZvxiT0mJKB33zprVHJ4wbiyV_P7IVdWGAvhjIz12ndI_dOVTlrynEbTZUaMhyg of size 512. The generated key MUST be added to CAS settings.>
2016-12-06 07:27:16,639 WARN [org.jasig.cas.util.WebflowCipherExecutor] - <No encryption key is defined. CAS will attempt to auto-generate keys>
2016-12-06 07:27:16,639 WARN [org.jasig.cas.util.WebflowCipherExecutor] - <Generated encryption key GKHpOuzwiPnSianW of size 16. The generated key MUST be added to CAS settings.>
2016-12-06 07:27:16,873 INFO [org.jasig.cas.support.saml.SamlServletContextListener] - <Initializing SamlServletContextListener root application context>
2016-12-06 07:27:16,873 INFO [org.jasig.cas.support.saml.SamlServletContextListener] - <Initialized SamlServletContextListener root application context successfully>
2016-12-06 07:27:16,873 INFO [org.jasig.cas.support.saml.SamlServletContextListener] - <Initializing SamlServletContextListener servlet application context>
2016-12-06 07:27:17,341 INFO [org.jasig.cas.support.saml.SamlServletContextListener] - <Initialized SamlServletContextListener servlet application context successfully>
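
Added example, not part of the original thread or of CAS: a small Python audit of a CAS startup log in the format quoted above. It flags the cipher-related WARN lines and redacts auto-generated key values before the log is shared; the sample log and its key values are constructed placeholders, and the function name `audit` is hypothetical.

```python
import re

# Constructed sample in the format of the startup log quoted above;
# the key values are placeholders, not real key material.
SAMPLE_LOG = """\
2016-12-06 07:27:16,452 INFO [org.jasig.cas.ticket.registry.TicketRegistryCleaner] - <TicketRegistryCleaner will clean tickets every 2 minutes>
2016-12-06 07:27:16,546 WARN [org.jasig.cas.util.NoOpCipherExecutor] - <[org.jasig.cas.util.NoOpCipherExecutor] does no encryption and may NOT be safe in a production environment.>
2016-12-06 07:27:16,639 WARN [org.jasig.cas.util.WebflowCipherExecutor] - <Secret key for signing is not defined. CAS will attempt to auto-generate the signing key>
2016-12-06 07:27:16,639 WARN [org.jasig.cas.util.WebflowCipherExecutor] - <Generated signing key EXAMPLE_SIGNING_KEY_PLACEHOLDER of size 512. The generated key MUST be added to CAS settings.>
2016-12-06 07:27:16,639 WARN [org.jasig.cas.util.WebflowCipherExecutor] - <Generated encryption key EXAMPLEKEY000000 of size 16. The generated key MUST be added to CAS settings.>
"""

# timestamp, level, logger class, message (as laid out in the quoted log)
LINE = re.compile(r"^(\S+ \S+) (\w+) \[([\w.$]+)\] - <(.*)$")
GENERATED = re.compile(r"Generated (signing|encryption) key (\S+) of size (\d+)")
UNDEFINED = re.compile(r"key for signing is not defined|No encryption key is defined")


def audit(log_text):
    """Return (findings, redacted_log) for a CAS startup log."""
    findings, redacted = [], []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m and m.group(2) == "WARN":
            logger = m.group(3).rsplit(".", 1)[-1]
            msg = m.group(4)
            key = GENERATED.search(msg)
            if key:
                # The key itself is in the log: report it and mask it.
                findings.append((logger, f"auto-generated {key.group(1)} key written to log"))
                line = line.replace(key.group(2), "[REDACTED]")
            elif UNDEFINED.search(msg):
                findings.append((logger, "key not defined in CAS settings"))
            elif "does no encryption" in msg:
                findings.append((logger, "no-op cipher warning emitted"))
        redacted.append(line)
    return findings, "\n".join(redacted)


if __name__ == "__main__":
    found, clean = audit(SAMPLE_LOG)
    for logger, issue in found:
        print(f"{logger}: {issue}")
    print(clean)
```
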



caichu...@gmail.com

May 11, 2017, 12:18:09 AM
to CAS Community
Hi, have you solved this? I am using 4.2.7 and also notice this warning. Is this a bug, considering that the cookie cipher has been enabled by default?

On Thursday, December 8, 2016 at 11:13:58 PM UTC+8, satnam wrote:

satnam

Sep 7, 2017, 5:17:09 PM
to CAS Community
I am using 4.2.7 and notice this warning (did not change the default setting).  I have set tgc.encryption.key and tgc.signing.key.

Is this a bug in 4.2.7 or am I missing something?