[Token/JWT Tickets] Misleading warnings?


Alessandro Moscatelli

Jun 4, 2019, 1:09:16 PM
to CAS Community
With both 5.3.10 and 6.0.4 I am observing strange warnings in my log:

2019-06-04 16:41:13,282 WARN [org.apereo.cas.util.cipher.BaseStringCipherExecutor] - <Encryption is not enabled for [Token/JWT Tickets]. The cipher [RegisteredServiceTokenTicketCipherExecutor] will only attempt to produce signed objects>
2019-06-04 16:41:13,283 WARN [org.apereo.cas.util.cipher.BaseStringCipherExecutor] - <Signing is not enabled for [Token/JWT Tickets]. The cipher [RegisteredServiceTokenTicketCipherExecutor] will attempt to produce plain objects>

I don't get what it's complaining about.
I defined these global variables in cas.properties:

cas.authn.token.crypto.enabled=true
cas.authn.token.crypto.signingEnabled=true
cas.authn.token.crypto.encryptionEnabled=true
cas.authn.token.crypto.signing.key=${OPTOPLUS_CAS_TOKEN_SIGNING_KEY}
cas.authn.token.crypto.signing.keySize=512
cas.authn.token.crypto.encryption.key=${OPTOPLUS_CAS_TOKEN_ENCRYPTION_KEY}
cas.authn.token.crypto.encryption.keySize=256
cas.authn.token.crypto.alg=A128CBC-HS256

Also, I believe (and I DO REALLY HOPE SO) my JWT Tickets are indeed signed and ciphered, since my backend uses jose4j to verify the signature and decipher them:

// Fragment from the backend's HttpAuthenticationMechanism.validateRequest(...):
// signingKey, encryptionKey, identityStore and httpMessageContext are fields or
// parameters, and the enclosing method declares the checked jose4j exceptions.
import java.nio.charset.StandardCharsets;
import java.util.Objects;
import javax.security.enterprise.credential.CallerOnlyCredential;
import javax.security.enterprise.identitystore.CredentialValidationResult;
import javax.security.enterprise.identitystore.CredentialValidationResult.Status;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.lang3.StringUtils;
import org.jose4j.jwe.JsonWebEncryption;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.NumericDate;

// Outer layer: a JWS over the bearer token, verified with the CAS signing key.
JsonWebSignature jws = new JsonWebSignature();
jws.setCompactSerialization(bearer);
jws.setKey(signingKey);
if (jws.verifySignature()) {
    // Inner layer: the JWS payload is itself a compact JWE, decrypted with the CAS encryption key.
    JsonWebEncryption jwe = new JsonWebEncryption();
    jwe.setCompactSerialization(new String(Base64.decodeBase64(jws.getEncodedPayload()), StandardCharsets.UTF_8));
    jwe.setKey(encryptionKey);
    JwtClaims claims = JwtClaims.parse(jwe.getPlaintextString());
    NumericDate issuedAt = claims.getIssuedAt();
    // Check for a missing "iat" before calling addSeconds(); a token without it would otherwise throw an NPE.
    if (Objects.nonNull(issuedAt)) {
        issuedAt.addSeconds(60); // accept tokens issued within the last 60 seconds
        if (issuedAt.isAfter(NumericDate.now())) {
            String subject = claims.getSubject();
            if (StringUtils.isNotBlank(subject)) {
                CredentialValidationResult validate = this.identityStore.validate(new CallerOnlyCredential(subject));
                if (Status.VALID.equals(validate.getStatus())) {
                    return httpMessageContext.notifyContainerAboutLogin(validate);
                }
            }
        }
    }
}

According to:

// From the BaseStringCipherExecutor constructor in CAS:
this.encryptionEnabled = encryptionEnabled || StringUtils.isNotBlank(secretKeyEncryption);
this.signingEnabled = signingEnabled || StringUtils.isNotBlank(secretKeySigning);
this.signingKeySize = signingKeyLength <= 0 ? CipherExecutor.DEFAULT_STRINGABLE_SIGNING_KEY_SIZE : signingKeyLength;
this.encryptionKeySize = encryptionKeyLength <= 0 ? CipherExecutor.DEFAULT_STRINGABLE_ENCRYPTION_KEY_SIZE : encryptionKeyLength;

if (this.encryptionEnabled) {
    configureEncryptionParameters(secretKeyEncryption, contentEncryptionAlgorithmIdentifier);
} else {
    LOGGER.info("Encryption is not enabled for [{}]. The cipher [{}] will only attempt to produce signed objects",
        getName(), getClass().getSimpleName());
}

I can't understand what's happening. I believe encryptionEnabled is cas.authn.token.crypto.encryptionEnabled and secretKeyEncryption should be cas.authn.token.crypto.encryption.key.

Am I missing something?
Thank you in advance
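To check from the client side whether the warning is telling the truth, here is an added example (my own code, not Alessandro's backend and not CAS's own implementation) that builds both token shapes with jose4j: a JWE (alg "dir", enc A128CBC-HS256) wrapped in an HS512 JWS, which is the encrypt-then-sign layout the decoder above expects, and a signed-only JWS over plain claims JSON, which is what the "will only attempt to produce signed objects" warning describes. The inspector verifies the outer signature with a pinned algorithm and then reports whether the payload it found was a JWE or plain claims. Keys are generated locally, so the example assumes nothing about how CAS encodes the configured signing and encryption keys; the class name, issuer and subject are made-up sample values.

```java
import java.security.SecureRandom;
import org.jose4j.jwa.AlgorithmConstraints;
import org.jose4j.jwa.AlgorithmConstraints.ConstraintType;
import org.jose4j.jwe.ContentEncryptionAlgorithmIdentifiers;
import org.jose4j.jwe.JsonWebEncryption;
import org.jose4j.jwe.KeyManagementAlgorithmIdentifiers;
import org.jose4j.jws.AlgorithmIdentifiers;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.keys.AesKey;
import org.jose4j.keys.HmacKey;
import org.jose4j.lang.JoseException;

/**
 * Builds tokens in the JWE-inside-JWS layout discussed in the thread and inspects a
 * received token to report which layers are actually present. Keys are random and
 * local to this example; CAS's own key encoding is not modelled (assumption).
 */
public class TokenLayers {

    static final SecureRandom RNG = new SecureRandom();

    // A128CBC-HS256 under "dir" needs a 256-bit key; HS512 needs a 512-bit MAC key.
    static byte[] randomKey(int bytes) {
        byte[] k = new byte[bytes];
        RNG.nextBytes(k);
        return k;
    }

    /** Encrypt the claims JSON as a compact JWE (alg=dir, enc=A128CBC-HS256). */
    static String encryptClaims(String claimsJson, byte[] encKey) throws JoseException {
        JsonWebEncryption jwe = new JsonWebEncryption();
        jwe.setPayload(claimsJson);
        jwe.setAlgorithmHeaderValue(KeyManagementAlgorithmIdentifiers.DIRECT);
        jwe.setEncryptionMethodHeaderParameter(ContentEncryptionAlgorithmIdentifiers.AES_128_CBC_HMAC_SHA_256);
        jwe.setKey(new AesKey(encKey));
        return jwe.getCompactSerialization();
    }

    /** Sign any string payload (claims JSON or a compact JWE) as an HS512 JWS. */
    static String signPayload(String payload, byte[] sigKey) throws JoseException {
        JsonWebSignature jws = new JsonWebSignature();
        jws.setPayload(payload);
        jws.setAlgorithmHeaderValue(AlgorithmIdentifiers.HMAC_SHA512);
        jws.setKey(new HmacKey(sigKey));
        return jws.getCompactSerialization();
    }

    /**
     * Verify the outer JWS, then tell whether its payload is a compact JWE (five
     * dot-separated segments) or plain claims JSON. Returns the claims JSON either way.
     */
    static String inspect(String token, byte[] sigKey, byte[] encKey) throws JoseException {
        JsonWebSignature jws = new JsonWebSignature();
        // Pin the expected algorithm so a forged header (alg=none, HS256, ...) is rejected.
        jws.setAlgorithmConstraints(new AlgorithmConstraints(ConstraintType.PERMIT, AlgorithmIdentifiers.HMAC_SHA512));
        jws.setCompactSerialization(token);
        jws.setKey(new HmacKey(sigKey));
        if (!jws.verifySignature()) {
            throw new JoseException("outer signature does not verify");
        }
        String payload = jws.getPayload();
        if (payload.startsWith("{")) {
            System.out.println("signed only: JWS payload is plain claims JSON (encryption was NOT applied)");
            return payload;
        }
        if (payload.split("\\.").length != 5) {
            throw new JoseException("payload is neither claims JSON nor a compact JWE");
        }
        JsonWebEncryption jwe = new JsonWebEncryption();
        jwe.setAlgorithmConstraints(new AlgorithmConstraints(ConstraintType.PERMIT, KeyManagementAlgorithmIdentifiers.DIRECT));
        jwe.setContentEncryptionAlgorithmConstraints(new AlgorithmConstraints(ConstraintType.PERMIT, ContentEncryptionAlgorithmIdentifiers.AES_128_CBC_HMAC_SHA_256));
        jwe.setCompactSerialization(payload);
        jwe.setKey(new AesKey(encKey));
        String plaintext = jwe.getPlaintextString();
        System.out.println("signed and encrypted: JWS payload was a JWE with enc=" + jwe.getEncryptionMethodHeaderParameter());
        return plaintext;
    }

    public static void main(String[] args) throws Exception {
        byte[] encKey = randomKey(32);
        byte[] sigKey = randomKey(64);

        JwtClaims claims = new JwtClaims();           // constructed sample claims
        claims.setSubject("casuser");
        claims.setIssuer("https://cas.example.org");
        claims.setIssuedAtToNow();
        claims.setExpirationTimeMinutesInTheFuture(5);

        // What the decoder in the thread expects: encrypt first, then sign the JWE.
        String encryptedAndSigned = signPayload(encryptClaims(claims.toJson(), encKey), sigKey);
        // What the warning describes: plain claims, signed only.
        String signedOnly = signPayload(claims.toJson(), sigKey);

        System.out.println(JwtClaims.parse(inspect(encryptedAndSigned, sigKey, encKey)).getSubject());
        System.out.println(JwtClaims.parse(inspect(signedOnly, sigKey, encKey)).getSubject());
    }
}
```

Run it against a real ticket by replacing the random keys with the bytes your deployment actually configures; if inspect() prints "signed only" for a token CAS issued, the warning is accurate and the encryption flags were not honoured, whereas a "signed and encrypted" result means the log line is the misleading part.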

Robert Kornmesser

Oct 8, 2019, 7:46:05 AM
to CAS Community
I'm struggling with the same issue. I've just debugged it and saw that JwtTicketCipherExecutor is instantiated via its default constructor, which just ignores cas.properties. Is this normal behaviour? The info message is really misleading.