CAS 4.2.2 Distributed Issue - NullPointerException - Unable to correctly extract the Initialization Vector

649 views
Skip to first unread message

John Rellis

unread,
Nov 7, 2016, 10:32:21 AM11/7/16
to CAS Community
Hey folks,

Using cas 4.2.2, I am seeing a strange problem that is throwing a Null pointer and causing an "Unable to correctly extract the Initialization Vector or ciphertext." Exception, full exception at the end of the post.

The strange thing is, this only happens when the two instances in the cluster are running, they share a hazelcast ticket registry.  If only one instance is running, we don't seem to have this exception.  It also only seems to be happening on one handler, not the other, which is weird.

Does anyone have any pointers?

Thanks,
John


2016-11-07 06:50:52,266 ERROR [org.jasig.cas.util.WebflowCipherExecutor] - Unable to correctly extract the Initialization Vector or ciphertext.

org.apache.shiro.crypto.CryptoException: Unable to correctly extract the Initialization Vector or ciphertext.

at org.apache.shiro.crypto.JcaCipherService.decrypt(JcaCipherService.java:378)

at org.jasig.cas.util.BinaryCipherExecutor.decode_aroundBody2(BinaryCipherExecutor.java:102)

at org.jasig.cas.util.BinaryCipherExecutor$AjcClosure3.run(BinaryCipherExecutor.java:1)

at org.aspectj.runtime.reflect.JoinPointImpl.proceed(JoinPointImpl.java:149)

at org.jasig.inspektr.aspect.TraceLogAspect.traceMethod(TraceLogAspect.java:44)

at org.jasig.cas.util.BinaryCipherExecutor.decode(BinaryCipherExecutor.java:96)

at org.jasig.cas.util.BinaryCipherExecutor.decode(BinaryCipherExecutor.java:1)

at org.jasig.cas.web.flow.CasWebflowCipherBean.decrypt_aroundBody4(CasWebflowCipherBean.java:44)

at org.jasig.cas.web.flow.CasWebflowCipherBean$AjcClosure5.run(CasWebflowCipherBean.java:1)

at org.aspectj.runtime.reflect.JoinPointImpl.proceed(JoinPointImpl.java:149)

at org.jasig.inspektr.aspect.TraceLogAspect.traceMethod(TraceLogAspect.java:44)

at org.jasig.cas.web.flow.CasWebflowCipherBean.decrypt(CasWebflowCipherBean.java:43)

at org.jasig.spring.webflow.plugin.EncryptedTranscoder.decode(EncryptedTranscoder.java:105)

at org.jasig.spring.webflow.plugin.ClientFlowExecutionRepository.getFlowExecution(ClientFlowExecutionRepository.java:90)

at org.springframework.webflow.executor.FlowExecutorImpl.resumeExecution(FlowExecutorImpl.java:168)

at org.springframework.webflow.mvc.servlet.FlowHandlerAdapter.handle(FlowHandlerAdapter.java:228)

at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:959)

at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:893)

at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:970)

at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:872)

at javax.servlet.http.HttpServlet.service(HttpServlet.java:648)

at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:846)

at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)

at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:292)

at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)

at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)

at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)

at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)

at org.jasig.cas.security.ResponseHeadersEnforcementFilter.doFilter(ResponseHeadersEnforcementFilter.java:227)

at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)

at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)

at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)

at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)

at org.jasig.cas.security.RequestParameterPolicyEnforcementFilter.doFilter(RequestParameterPolicyEnforcementFilter.java:250)

at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)

at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)

at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)

at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)

at org.jasig.inspektr.common.web.ClientInfoThreadLocalFilter.doFilter(ClientInfoThreadLocalFilter.java:62)

at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)

at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)

at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:121)

at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)

at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)

at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)

at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)

at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)

at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:212)

at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106)

at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)

at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141)

at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)

at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:616)

at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)

at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:522)

at org.apache.coyote.ajp.AbstractAjpProcessor.process(AbstractAjpProcessor.java:868)

at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:672)

at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1502)

at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1458)

at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)

at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)

at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)

at java.lang.Thread.run(Thread.java:745)

Caused by: java.lang.NullPointerException

at java.lang.System.arraycopy(Native Method)

at org.apache.shiro.crypto.JcaCipherService.decrypt(JcaCipherService.java:370)

... 62 more

John Rellis

unread,
Nov 7, 2016, 12:14:47 PM11/7/16
to CAS Community
Just to add,

This seems to be only happening on our QA environments and the only difference I can think of is the QA systems are using self signed certs whereas production systems are not.

That might trigger something in someones brain maybe :)

Thanks,
John

liu chenghai

unread,
Nov 23, 2016, 1:18:34 AM11/23/16
to CAS Community
I have the same problem and don't resolve

Colin Wilkinson

unread,
Dec 11, 2016, 11:54:23 PM12/11/16
to CAS Community
We are getting the same issue in production, did you manage to solve this

John Rellis

unread,
Dec 12, 2016, 8:46:51 AM12/12/16
to CAS Community
Unfortunately not. I am no longer on the project either.

--
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
---
You received this message because you are subscribed to a topic in the Google Groups "CAS Community" group.
To unsubscribe from this topic, visit https://groups.google.com/a/apereo.org/d/topic/cas-user/AV-hyX0gKWE/unsubscribe.
To unsubscribe from this group and all its topics, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/1076d175-4bb0-43e5-b1bb-0e88701f7a34%40apereo.org.

Kartik Mehta

unread,
Dec 12, 2016, 8:46:52 AM12/12/16
to cas-...@apereo.org
Basic stuff, but I hope the value of tgc.signing.key and tgc.encryption.key are set to the same value in all your CAS nodes in the cluster ?

regards,
Kartik

--
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscribe@apereo.org.
Reply all
Reply to author
Forward
Message has been deleted
0 new messages