CAS4 flow decode execution error, is this an issue?

481 views
Skip to first unread message

Yan Zhou

unread,
Jan 5, 2017, 9:47:24 AM1/5/17
to CAS Community
Hello, 

When you submit CAS4 login page, sometimes you got “Decode flow execution error”. For a long time, I have been struggling as to why this happens. I think we have an answer.


This most likely happens in a cluster environment when you have multiple active CAS4 servers. They each has a different signing key.  The webflow values are encrypted by the CAS server handling request and sent back to CAS login form, when form is submitted, the encrypted value comes back to CAS server.  Without session affinity, one server can sign the data, but the other server won’t decrypt it, because the keys are different.

 

That is my theory, do you think that would cause this error?   I did verify that when server cannot decrypt data, it results in null value, which causes the following exception. 


2016-11-23 15:21:01,746 ERROR [org.jasig.cas.util.BinaryCipherExecutor] - Unable to correctly extract the Initialization Vector or ciphertext.

org.apache.shiro.crypto.CryptoException: Unable to correctly extract the Initialization Vector or ciphertext.

        at org.apache.shiro.crypto.JcaCipherService.decrypt(JcaCipherService.java:378)

        at org.jasig.cas.util.BinaryCipherExecutor.decode(BinaryCipherExecutor.java:120)

        at org.jasig.cas.util.BinaryCipherExecutor.decode(BinaryCipherExecutor.java:42)

        at org.jasig.cas.web.flow.CasWebflowCipherBean.decrypt(CasWebflowCipherBean.java:58)

        at org.jasig.spring.webflow.plugin.EncryptedTranscoder.decode(EncryptedTranscoder.java:105)

        at org.jasig.spring.webflow.plugin.ClientFlowExecutionRepository.getFlowExecution(ClientFlowExecutionRepository.java:90)

        at org.springframework.webflow.executor.FlowExecutorImpl.resumeExecution(FlowExecutorImpl.java:168)

        at org.springframework.webflow.mvc.servlet.FlowHandlerAdapter.handle(FlowHandlerAdapter.java:228)

        at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:959)

        at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:893)

        at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:967)

        at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:869)

        at javax.servlet.http.HttpServlet.service(Unknown Source)

        at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:843)

        at javax.servlet.http.HttpServlet.service(Unknown Source)

        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Unknown Source)

        at org.apache.catalina.core.ApplicationFilterChain.doFilter(Unknown Source)

        at org.apache.tomcat.websocket.server.WsFilter.doFilter(Unknown Source)

        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Unknown Source)

        at org.apache.catalina.core.ApplicationFilterChain.doFilter(Unknown Source)

        at org.jasig.cas.security.ResponseHeadersEnforcementFilter.doFilter(ResponseHeadersEnforcementFilter.java:227)

       at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Unknown Source)

 

        at org.jasig.cas.security.RequestParameterPolicyEnforcementFilter.doFilter(RequestParameterPolicyEnforcementFilter.java:250)

        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:344)

        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:261)

        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Unknown Source)

        at org.apache.catalina.core.ApplicationFilterChain.doFilter(Unknown Source)

        at org.jasig.inspektr.common.web.ClientInfoThreadLocalFilter.doFilter(ClientInfoThreadLocalFilter.java:62)

        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Unknown Source)

        at org.apache.catalina.core.ApplicationFilterChain.doFilter(Unknown Source)

        at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:85)

        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)

        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:344)

        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:261)

        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Unknown Source)

        at org.apache.catalina.core.ApplicationFilterChain.doFilter(Unknown Source)

        at org.apache.catalina.core.StandardWrapperValve.invoke(Unknown Source)

        at org.apache.catalina.core.StandardContextValve.invoke(Unknown Source)

        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(Unknown Source)

        at org.apache.catalina.core.StandardHostValve.invoke(Unknown Source)

        at org.apache.catalina.valves.ErrorReportValve.invoke(Unknown Source)

        at org.apache.catalina.valves.AccessLogValve.invoke(Unknown Source)

        at org.apache.catalina.valves.RemoteIpValve.invoke(Unknown Source)

        at org.apache.catalina.core.StandardEngineValve.invoke(Unknown Source)

        at org.apache.catalina.connector.CoyoteAdapter.service(Unknown Source)

        at org.apache.coyote.http11.AbstractHttp11Processor.process(Unknown Source)

        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(Unknown Source)

        at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.doRun(Unknown Source)

        at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.run(Unknown Source)

        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)

        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)

        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(Unknown Source)

        at java.lang.Thread.run(Thread.java:745)

Caused by: java.lang.NullPointerException

        at java.lang.System.arraycopy(Native Method)

        at org.apache.shiro.crypto.JcaCipherService.decrypt(JcaCipherService.java:370)

        ... 53 more

                              


Thx,

Yan

sesharaju sv

unread,
Jan 5, 2017, 12:49:42 PM1/5/17
to cas-...@apereo.org
Hello Yan,

you would have missed some configurations in cas.properties. Please
share properties so that can we can review and let you know the issue.

Thanks
Seshu
> --
> - CAS gitter chatroom: https://gitter.im/apereo/cas
> - CAS mailing list guidelines:
> https://apereo.github.io/cas/Mailing-Lists.html
> - CAS documentation website: https://apereo.github.io/cas
> - CAS project website: https://github.com/apereo/cas
> ---
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to cas-user+u...@apereo.org.
> To view this discussion on the web visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/765dfc4c-70bd-4141-bf87-8c1c983fff92%40apereo.org.



--
Venkata S Sadhu
India (Mobile) : +91 9850438062
USA (VOIP) : +1 330 984 0330
Pune Maharastra
INDIA

Yan Zhou

unread,
Jan 5, 2017, 1:55:00 PM1/5/17
to CAS Community

Hi, 

this is one server's cas.properties.  the other server is very similar other than host name is dcasde02, and it has different signing key and encryption key, since they are unique per server.

Is there any misconfiguration you can see?   If CAS cluster can work without session affinity, how does one server decrypt a value encrypted by another server using a different key?

Thx!

server.prefix=${server.name}/cas
cas.securityContext.status.access=hasIpAddress('172.18.100.52')
cas.securityContext.statistics.access=hasIpAddress('172.18.100.52')
cas.themeResolver.defaultThemeName=cas-theme-default
cas.viewResolver.basename=default_views
tgc.encryption.key=LqWoZsHfEYQZ3KIzWiC_KE8iUoKXK48FgTiIDpTZs80
tgc.signing.key=O7Y5GookFVgYjhTE2sQZPxTeUr07jlcNDIo5G34rSxulP1FPaYs-5_dc_87a5OrOEvAAp0BImQ9sPxuy_MX-jQ
cas.logout.followServiceRedirects=true
tgt.maxTimeToLiveInSeconds=28800
st.timeToKillInSeconds=300
service.registry.config.location=file:///etc/cas-config/cas-management/services

Misagh Moayyed

unread,
Jan 5, 2017, 2:19:44 PM1/5/17
to cas-...@apereo.org
1. Keys must be the same across all nodes. 
2. Your previous error says something about webflow decryption. Your config has no keys defined for that purpose. 

-- 
Misagh

Yan Zhou

unread,
Jan 5, 2017, 2:41:39 PM1/5/17
to cas-...@apereo.org, Misagh Moayyed
I see.  There are two sets of keys. I am missing  webflow.xxxx.key

ALL nodes SHARE the same key. For some reason, I thought each node will have a unique key, but obviously I was wrong.

So, session affinity is NOT required for CAS to work correctly.

Thx!

Misagh Moayyed

unread,
Jan 5, 2017, 2:53:36 PM1/5/17
to cas-...@apereo.org
Not unless you are doing OAuth or OpenID Connect and not unless you switch to a server-back session storage for webflow (which you probably can’t in 4 anyways)


So, session affinity is NOT required for CAS to work correctly.

Thx!


On 1/5/2017 2:19 PM, Misagh Moayyed wrote:
Reply all
Reply to author
Forward
0 new messages