[cas-user] CAS 4.2.2 Distributed Issue - NullPointerException - Unable to correctly extract the Initialization Vector

[John Rellis]

Hey folks,

Using cas 4.2.2, I am seeing a strange problem that is throwing a Null pointer and causing an "Unable to correctly extract the Initialization Vector or ciphertext." Exception, full exception at the end of the post.

The strange thing is, this only happens when the two instances in the cluster are running, they share a hazelcast ticket registry.  If only one instance is running, we don't seem to have this exception.  It also only seems to be happening on one handler, not the other, which is weird.

Does anyone have any pointers?

Thanks,

John

2016-11-07 06:50:52,266 ERROR [org.jasig.cas.util.WebflowCipherExecutor] - Unable to correctly extract the Initialization Vector or ciphertext.

org.apache.shiro.crypto.CryptoException: Unable to correctly extract the Initialization Vector or ciphertext.

at org.apache.shiro.crypto.JcaCipherService.decrypt(JcaCipherService.java:378)

at org.jasig.cas.util.BinaryCipherExecutor.decode_aroundBody2(BinaryCipherExecutor.java:102)

at org.jasig.cas.util.BinaryCipherExecutor$AjcClosure3.run(BinaryCipherExecutor.java:1)

at org.aspectj.runtime.reflect.JoinPointImpl.proceed(JoinPointImpl.java:149)

at org.jasig.inspektr.aspect.TraceLogAspect.traceMethod(TraceLogAspect.java:44)

at org.jasig.cas.util.BinaryCipherExecutor.decode(BinaryCipherExecutor.java:96)

at org.jasig.cas.util.BinaryCipherExecutor.decode(BinaryCipherExecutor.java:1)

at org.jasig.cas.web.flow.CasWebflowCipherBean.decrypt_aroundBody4(CasWebflowCipherBean.java:44)

at org.jasig.cas.web.flow.CasWebflowCipherBean$AjcClosure5.run(CasWebflowCipherBean.java:1)

at org.aspectj.runtime.reflect.JoinPointImpl.proceed(JoinPointImpl.java:149)

at org.jasig.inspektr.aspect.TraceLogAspect.traceMethod(TraceLogAspect.java:44)

at org.jasig.cas.web.flow.CasWebflowCipherBean.decrypt(CasWebflowCipherBean.java:43)

at org.jasig.spring.webflow.plugin.EncryptedTranscoder.decode(EncryptedTranscoder.java:105)

at org.jasig.spring.webflow.plugin.ClientFlowExecutionRepository.getFlowExecution(ClientFlowExecutionRepository.java:90)

at org.springframework.webflow.executor.FlowExecutorImpl.resumeExecution(FlowExecutorImpl.java:168)

at org.springframework.webflow.mvc.servlet.FlowHandlerAdapter.handle(FlowHandlerAdapter.java:228)

at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:959)

at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:893)

at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:970)

at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:872)

at javax.servlet.http.HttpServlet.service(HttpServlet.java:648)

at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:846)

at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)

at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:292)

at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)

at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)

at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)

at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)

at org.jasig.cas.security.ResponseHeadersEnforcementFilter.doFilter(ResponseHeadersEnforcementFilter.java:227)

at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)

at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)

at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)

at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)

at org.jasig.cas.security.RequestParameterPolicyEnforcementFilter.doFilter(RequestParameterPolicyEnforcementFilter.java:250)

at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)

at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)

at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)

at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)

at org.jasig.inspektr.common.web.ClientInfoThreadLocalFilter.doFilter(ClientInfoThreadLocalFilter.java:62)

at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)

at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)

at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:121)

at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)

at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)

at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)

at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)

at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)

at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:212)

at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106)

at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)

at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141)

at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)

at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:616)

at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)

at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:522)

at org.apache.coyote.ajp.AbstractAjpProcessor.process(AbstractAjpProcessor.java:868)

at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:672)

at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1502)

at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1458)

at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)

at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)

at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)

at java.lang.Thread.run(Thread.java:745)

Caused by: java.lang.NullPointerException

at java.lang.System.arraycopy(Native Method)

at org.apache.shiro.crypto.JcaCipherService.decrypt(JcaCipherService.java:370)

... 62 more

--
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/eeb29ea5-752d-4143-ab1d-5d00c73a54f1%40apereo.org.

[John Rellis]

Just to add,

This seems to be only happening on our QA environments and the only difference I can think of is the QA systems are using self signed certs whereas production systems are not.

That might trigger something in someones brain maybe :)

Thanks,

John

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/a6b1004d-35e4-4c70-ab30-c93b955e2b88%40apereo.org.

[liu chenghai]

I have the same problem and don't resolve

--
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/d79d88a0-f314-438e-a87b-5d076d338011%40apereo.org.

[Colin Wilkinson]

We are getting the same issue in production, did you manage to solve this

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/1076d175-4bb0-43e5-b1bb-0e88701f7a34%40apereo.org.

[John Rellis]

Unfortunately not. I am no longer on the project either.

On Mon, 12 Dec 2016, 04:54 Colin Wilkinson, <wilc...@gmail.com> wrote:

We are getting the same issue in production, did you manage to solve this

On Wednesday, 23 November 2016 17:18:34 UTC+11, liu chenghai wrote:

I have the same problem and don't resolve

--
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
---

You received this message because you are subscribed to a topic in the Google Groups "CAS Community" group.
To unsubscribe from this topic, visit https://groups.google.com/a/apereo.org/d/topic/cas-user/AV-hyX0gKWE/unsubscribe.
To unsubscribe from this group and all its topics, send an email to cas-user+u...@apereo.org.

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/1076d175-4bb0-43e5-b1bb-0e88701f7a34%40apereo.org.

--
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CADRA4bWoRxAL5zJKH6mH9nvOHtEV72iOsEAxO1pDkcmcfY6Xyw%40mail.gmail.com.

[Kartik Mehta]

Basic stuff, but I hope the value of tgc.signing.key and tgc.encryption.key are set to the same value in all your CAS nodes in the cluster ?

regards,

Kartik

On Mon, Dec 12, 2016 at 10:24 AM, Colin Wilkinson <wilc...@gmail.com> wrote:

We are getting the same issue in production, did you manage to solve this

On Wednesday, 23 November 2016 17:18:34 UTC+11, liu chenghai wrote:

I have the same problem and don't resolve

--
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.

To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscribe@apereo.org.

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/1076d175-4bb0-43e5-b1bb-0e88701f7a34%40apereo.org.

--
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAGg9WmwnxapkAMR%3DR5WHNnKrHZPCpEd%3D4PFhmAj-yzBgGiOFXw%40mail.gmail.com.

[144664...@gmail.com]

This problem is how to solve, can tell you no, thank you

在 2016年11月7日星期一 UTC+8下午11:32:22，John Rellis写道：

[Solomon Tam]

It seems the problem is casued by CAS failed to verify the "execution" value.

I am having this problem when there are multiple nodes of CAS and I have resolved this problem by setting webflow.encryption.key and webflow.signing.key in cas.properties.

According to CAS documentation, If keys are left undefined, on startup CAS will notice that no keys are defined and it will appropriately generate keys for you automatically. 

https://apereo.github.io/cas/4.2.x/installation/Webflow-Customization.html#webflow-session

Kartik Mehta於 2016年12月12日星期一 UTC+8下午9時46分52秒寫道：

Basic stuff, but I hope the value of tgc.signing.key and tgc.encryption.key are set to the same value in all your CAS nodes in the cluster ?

regards,

Kartik

On Mon, Dec 12, 2016 at 10:24 AM, Colin Wilkinson <wilc...@gmail.com> wrote:

We are getting the same issue in production, did you manage to solve this

On Wednesday, 23 November 2016 17:18:34 UTC+11, liu chenghai wrote:

I have the same problem and don't resolve

--
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.

To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/1076d175-4bb0-43e5-b1bb-0e88701f7a34%40apereo.org.

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG

---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/1127290e-a3ae-4fe0-b125-4f4b918b1c6f%40apereo.org.