Webflow error in CAS 5.1.4

742 views
Skip to first unread message

Adam Causey

unread,
Jan 4, 2018, 7:22:18 AM1/4/18
to cas-...@apereo.org
I recently rolled out CAS 5.1.4 to our production environment, however we started to see these errors in our logs. We performed a great deal of testing but never encountered this error. Any ideas of what could be causing this?


2018-01-04 07:18:13,905 [ajp-nio-8011-exec-1] ERROR org.apache.catalina.core.ContainerBase.[Tomcat].[localhost].[/cas].[dispatcherServlet] - Servlet.service() for servlet [dispatcherServlet] in context with path [/cas] threw exception [Request processing failed; nested exception is org.springframework.webflow.execution.repository.BadlyFormattedFlowExecutionKeyException: Badly formatted flow execution key 'e2s1', the expected format is '<uuid>_<base64-encoded-flow-state>'] with root cause

org.springframework.webflow.execution.repository.BadlyFormattedFlowExecutionKeyException: Badly formatted flow execution key 'e2s1', the expected format is '<uuid>_<base64-encoded-flow-state>'

at org.apereo.spring.webflow.plugin.ClientFlowExecutionKey.parse(ClientFlowExecutionKey.java:102) ~[spring-webflow-client-repo-1.0.3.jar!/:1.0.3]

at org.apereo.spring.webflow.plugin.ClientFlowExecutionRepository.parseFlowExecutionKey(ClientFlowExecutionRepository.java:74) ~[spring-webflow-client-repo-1.0.3.jar!/:1.0.3]

at org.springframework.webflow.executor.FlowExecutorImpl.resumeExecution(FlowExecutorImpl.java:164) ~[spring-webflow-2.4.4.RELEASE.jar!/:2.4.4.RELEASE]

at sun.reflect.GeneratedMethodAccessor293.invoke(Unknown Source) ~[?:?]

at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_141]

at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_141]

at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:333) ~[spring-aop-4.3.11.RELEASE.jar!/:4.3.11.RELEASE]

at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:190) ~[spring-aop-4.3.11.RELEASE.jar!/:4.3.11.RELEASE]

at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:157) ~[spring-aop-4.3.11.RELEASE.jar!/:4.3.11.RELEASE]

at org.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:133) ~[spring-aop-4.3.11.RELEASE.jar!/:4.3.11.RELEASE]

at org.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:121) ~[spring-aop-4.3.11.RELEASE.jar!/:4.3.11.RELEASE]

at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179) ~[spring-aop-4.3.11.RELEASE.jar!/:4.3.11.RELEASE]

at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:213) ~[spring-aop-4.3.11.RELEASE.jar!/:4.3.11.RELEASE]

at com.sun.proxy.$Proxy158.resumeExecution(Unknown Source) ~[?:?]

at org.springframework.webflow.mvc.servlet.FlowHandlerAdapter.handle(FlowHandlerAdapter.java:253) ~[spring-webflow-2.4.4.RELEASE.jar!/:2.4.4.RELEASE]

at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:967) ~[spring-webmvc-4.3.11.RELEASE.jar!/:4.3.11.RELEASE]

at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:901) ~[spring-webmvc-4.3.11.RELEASE.jar!/:4.3.11.RELEASE]

at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:970) ~[spring-webmvc-4.3.11.RELEASE.jar!/:4.3.11.RELEASE]

at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:872) ~[spring-webmvc-4.3.11.RELEASE.jar!/:4.3.11.RELEASE]

at javax.servlet.http.HttpServlet.service(HttpServlet.java:707) ~[javax.servlet-api-3.1.0.jar!/:3.1.0]

at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:846) ~[spring-webmvc-4.3.11.RELEASE.jar!/:4.3.11.RELEASE]

at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) ~[javax.servlet-api-3.1.0.jar!/:3.1.0]

at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231) ~[tomcat-embed-core-8.5.20.jar!/:8.5.20]

at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-embed-core-8.5.20.jar!/:8.5.20]

at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52) ~[tomcat-embed-websocket-8.5.20.jar!/:8.5.20]

at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat-embed-core-8.5.20.jar!/:8.5.20]

at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-embed-core-8.5.20.jar!/:8.5.20]

at org.apereo.cas.web.support.AuthenticationCredentialsLocalBinderClearingFilter.doFilter(AuthenticationCredentialsLocalBinderClearingFilter.java:28) ~[cas-server-core-web-5.1.4.jar!/:5.1.4]

at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat-embed-core-8.5.20.jar!/:8.5.20]

at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-embed-core-8.5.20.jar!/:8.5.20]

at org.apereo.cas.security.RequestParameterPolicyEnforcementFilter.doFilter(RequestParameterPolicyEnforcementFilter.java:261) ~[cas-server-security-filter-2.0.6.jar!/:2.0.6]

at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat-embed-core-8.5.20.jar!/:8.5.20]

at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-embed-core-8.5.20.jar!/:8.5.20]

at org.apereo.cas.security.ResponseHeadersEnforcementFilter.doFilter(ResponseHeadersEnforcementFilter.java:238) ~[cas-server-security-filter-2.0.6.jar!/:2.0.6]

at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat-embed-core-8.5.20.jar!/:8.5.20]

at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-embed-core-8.5.20.jar!/:8.5.20]

at org.springframework.boot.actuate.trace.WebRequestTraceFilter.doFilterInternal(WebRequestTraceFilter.java:110) ~[spring-boot-actuator-1.5.3.RELEASE.jar!/:1.5.3.RELEASE]

at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) ~[spring-web-4.3.11.RELEASE.jar!/:4.3.11.RELEASE]

at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat-embed-core-8.5.20.jar!/:8.5.20]

at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-embed-core-8.5.20.jar!/:8.5.20]

at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:99) ~[spring-web-4.3.11.RELEASE.jar!/:4.3.11.RELEASE]

at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) ~[spring-web-4.3.11.RELEASE.jar!/:4.3.11.RELEASE]

at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat-embed-core-8.5.20.jar!/:8.5.20]

at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-embed-core-8.5.20.jar!/:8.5.20]

at org.springframework.web.filter.HttpPutFormContentFilter.doFilterInternal(HttpPutFormContentFilter.java:108) ~[spring-web-4.3.11.RELEASE.jar!/:4.3.11.RELEASE]

at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) ~[spring-web-4.3.11.RELEASE.jar!/:4.3.11.RELEASE]

at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat-embed-core-8.5.20.jar!/:8.5.20]

at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-embed-core-8.5.20.jar!/:8.5.20]

at org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:81) ~[spring-web-4.3.11.RELEASE.jar!/:4.3.11.RELEASE]

at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) ~[spring-web-4.3.11.RELEASE.jar!/:4.3.11.RELEASE]

at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat-embed-core-8.5.20.jar!/:8.5.20]

at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-embed-core-8.5.20.jar!/:8.5.20]

at org.apereo.cas.logging.web.ThreadContextMDCServletFilter.doFilter(ThreadContextMDCServletFilter.java:90) ~[cas-server-core-logging-5.1.4.jar!/:5.1.4]

at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat-embed-core-8.5.20.jar!/:8.5.20]

at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-embed-core-8.5.20.jar!/:8.5.20]

at org.springframework.boot.actuate.autoconfigure.MetricsFilter.doFilterInternal(MetricsFilter.java:106) ~[spring-boot-actuator-1.5.3.RELEASE.jar!/:1.5.3.RELEASE]

at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) ~[spring-web-4.3.11.RELEASE.jar!/:4.3.11.RELEASE]

at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat-embed-core-8.5.20.jar!/:8.5.20]

at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-embed-core-8.5.20.jar!/:8.5.20]

at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:197) ~[spring-web-4.3.11.RELEASE.jar!/:4.3.11.RELEASE]

at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) ~[spring-web-4.3.11.RELEASE.jar!/:4.3.11.RELEASE]

at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat-embed-core-8.5.20.jar!/:8.5.20]

at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-embed-core-8.5.20.jar!/:8.5.20]

at org.apereo.inspektr.common.web.ClientInfoThreadLocalFilter.doFilter(ClientInfoThreadLocalFilter.java:64) ~[inspektr-common-1.7.GA.jar!/:1.7.GA]

at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat-embed-core-8.5.20.jar!/:8.5.20]

at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-embed-core-8.5.20.jar!/:8.5.20]

at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198) ~[tomcat-embed-core-8.5.20.jar!/:8.5.20]

at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96) ~[tomcat-embed-core-8.5.20.jar!/:8.5.20]

at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:478) ~[tomcat-embed-core-8.5.20.jar!/:8.5.20]

at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140) ~[tomcat-embed-core-8.5.20.jar!/:8.5.20]

at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:80) ~[tomcat-embed-core-8.5.20.jar!/:8.5.20]

at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87) ~[tomcat-embed-core-8.5.20.jar!/:8.5.20]

at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:650) ~[tomcat-embed-core-8.5.20.jar!/:8.5.20]

at org.apache.catalina.valves.RemoteIpValve.invoke(RemoteIpValve.java:677) ~[tomcat-embed-core-8.5.20.jar!/:8.5.20]

at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342) ~[tomcat-embed-core-8.5.20.jar!/:8.5.20]

at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:486) ~[tomcat-embed-core-8.5.20.jar!/:8.5.20]

at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66) ~[tomcat-embed-core-8.5.20.jar!/:8.5.20]

at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868) ~[tomcat-embed-core-8.5.20.jar!/:8.5.20]

at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1457) ~[tomcat-embed-core-8.5.20.jar!/:8.5.20]

at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) ~[tomcat-embed-core-8.5.20.jar!/:8.5.20]

at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_141]

at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_141]

at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) ~[tomcat-embed-core-8.5.20.jar!/:8.5.20]

at java.lang.Thread.run(Thread.java:748) [?:1.8.0_141]



​Thanks!

Adam​

Adam Causey

unread,
Jan 5, 2018, 10:16:47 AM1/5/18
to cas-...@apereo.org
We have kept version 5.1.4 in production, however we still see the errors in the logs. We haven't received any user complaints, and there is no username coming back with the error message.  Does anyone know how I might be able to trace back what page is creating the error?

Misagh Moayyed

unread,
Jan 5, 2018, 11:45:56 AM1/5/18
to cas-...@apereo.org
You have a bad login page. 

Also you're to upgrade to the latest 5.1.x release line. Any patch release that goes out unofficially invalidates its predecessors.

--Misagh

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAN6MV5NW8Zf%2Bv%2BXysmSGkZpQX43SiWPO1hqotdkaf8zuEE3Fow%40mail.gmail.com.

Adam Causey

unread,
Jan 5, 2018, 8:40:58 PM1/5/18
to cas-...@apereo.org
Misagh,


The login page loads fine for users. Is there something on the page that I should check?

Thanks!

Misagh Moayyed

unread,
Jan 8, 2018, 2:39:19 PM1/8/18
to cas-...@apereo.org
This is about a bad webflow execution key, indicated by the execution parameter that is badly provided or parsed. Either you have someone trying to POST to the CAS login endpoint from the outside, or you have someone send you a bad request to a page/endpoint that causes the blowup. Coincidentally, a project I am working on today reported a similar issue and it turned out to be a saml request sent to the CAS logout endpoint (which was wrong to begin with it) You may also want to look at your access-log and see where the requests are coming from. 

Adam Causey

unread,
Jan 11, 2018, 9:34:27 AM1/11/18
to cas-...@apereo.org
Misagh,

I discovered that our app vulnerability scanner is creating the 500 errors with a bad request; however, I believe a better practice would be for CAS to handle these errors and return a 400 (Bad Request) HTTP response code instead of 500, which indicates there is an unhandled exception in the code.

Can CAS be updated to better handle these errors and return a more appropriate response?

Thanks,
Adam

Thanks!

To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscribe@apereo.org.

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscribe@apereo.org.

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscribe@apereo.org.

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscribe@apereo.org.
 To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/320188926.11848694.1515440355754.JavaMail.zimbra%40unicon.net.

Misagh Moayyed

unread,
Jan 12, 2018, 11:20:21 AM1/12/18
to cas-...@apereo.org
If you mean whether there is a configuration option to do this, then no there isn't. 
Thanks!

To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAN6MV5PYbGw%3DpJ2Bgty72AO7Pp4q61Eo4ZvCUHDP1LPbziT1JQ%40mail.gmail.com.

Duane Booher

unread,
Jan 13, 2018, 5:35:04 PM1/13/18
to CAS Community
We also upgraded from CAS 4.x to in this case CAS 5.1.6, and have been getting a bunch of these errors:

2018-01-13 11:09:00,018 ERROR [org.springframework.boot.web.support.ErrorPageFilter] - <Forwarding to error page from request [/login] due to exception [Badly formatted flow execution key 'e1s2', the expected format is '<uuid>_<base64-encoded-flow-state>']>

Some of the requesters are external ip, and some are internal. We contacted a couple of users and found at least two usage case that seemed to trigger these errors.

The first case was that the user was signing on for the day, opened their browser which auto re-opened  about 20 browser tabs (probably from CAS4) and proceeded to try one or two of these apps which threw this error.

A second case, a user had previously saved a deep link to an application which threw this error.

After seeing Misagh's explanation we are now less concerned about these errors.

Duane
Reply all
Reply to author
Forward
0 new messages