AbstractRememberMeManager and javax.crypto.IllegalBlockSizeException

classic Classic list List threaded Threaded
6 messages Options
Reply | Threaded
Open this post in threaded view
|

AbstractRememberMeManager and javax.crypto.IllegalBlockSizeException

Brad Whitaker-4
I'm having a bit of trouble running Jsecurity (built with revision
736939). I'm using the Grails plugin (updated in my local environment)
and running Tomcat 6.

I'm having several issues that I can't completely describe at this
point, but I'm seeing the following output in my logs. Is this just a
transient issue, or is it problem with the Jsecurity code (or my
environment)?

Are there any 'upgrade' issues related to the rememberMe cookies? (I was
having trouble logging in until I deleted cookies in my browser.)

Thanks,

Brad


01/26 16:52:04 INFO  org.jsecurity.web.attr.CookieAttribute  - Found
string value
[clJgEjFZVuRRN5lCpInkOsawSaKK4hLwegZK/QgR1Thk380v5wL9pA1NZo7QHr7erlnry1vt2AqIyM8Fj2HBCsl1lierxE9EJ1typI2GpgMeG+HmceNdrlN6KGh4AmjLG3zCUPo8E+QzGVs/EO3PIAGyYYtuYbW++oJDr5xfY9DwK4Omq5GijZSSmdpOHiYelPMa1XLwT0D/kNCUm6EVfG6TKwxViNtGdyzknY7abNU7ucw2UWfjFe24hH0SL0hZMXjPQYtMnPl5J5qfjU4EXX1a/Ijn0IKUEk5BmY+ipc6irMI/Rrmumr7XSSncSHq2cpyNbwJBykFX5s/ydB64hbMenS+LhbUvnQBNt8Xkjyc+IrzntDuVGH4IGfnRIAOwDkU6EZPQ4v36wbd8IB3kUFW1/1z6ZvS4jsIgMA3TS2xMjhGB8FWnIAFUoCkjdbD5IIrhYORnMFPMQ/6A+3yPnLCDQ3UIeZ5SB9Ol7a1oMIw]
from HttpServletRequest Cookie [rememberMe]
01/26 16:52:04 WARN  org.jsecurity.mgt.AbstractRememberMeManager  -
There was a failure while trying to retrieve remembered principals.  
This could be due to a configuration problem or corrupted principals.  
This could also be due to a recently changed encryption key.  The
remembered identity will be forgotten and not used for this request.
java.lang.IllegalStateException: Unable to crypt bytes with cipher
[javax.crypto.Cipher@cb577].
        at
org.jsecurity.crypto.BlowfishCipher.crypt(BlowfishCipher.java:194)
        at
org.jsecurity.crypto.BlowfishCipher.crypt(BlowfishCipher.java:219)
        at
org.jsecurity.crypto.BlowfishCipher.decrypt(BlowfishCipher.java:141)
        at
org.jsecurity.mgt.AbstractRememberMeManager.decrypt(AbstractRememberMeManager.java:251)
        at
org.jsecurity.mgt.AbstractRememberMeManager.getRememberedPrincipals(AbstractRememberMeManager.java:198)
        at
org.jsecurity.mgt.DefaultSecurityManager.getRememberedIdentity(DefaultSecurityManager.java:411)
        at
org.jsecurity.mgt.DefaultSecurityManager.createSubject(DefaultSecurityManager.java:212)
        at
org.jsecurity.mgt.DefaultSecurityManager.getSubject(DefaultSecurityManager.java:426)
        at
org.jsecurity.mgt.DefaultSecurityManager.getSubject(DefaultSecurityManager.java:433)
        at
org.jsecurity.web.servlet.JSecurityFilter.doFilterInternal(JSecurityFilter.java:369)
        at
org.jsecurity.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:183)
        at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at
org.codehaus.groovy.grails.web.servlet.mvc.GrailsWebRequestFilter.doFilterInternal(GrailsWebRequestFilter.java:65)
        at
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
        at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at
org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:96)
        at
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
        at
org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:236)
        at
org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
        at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
        at
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
        at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
        at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
        at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
        at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
        at
org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:190)
        at
org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:283)
        at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:767)
        at
org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:697)
        at
org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:889)
        at
org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:690)
        at java.lang.Thread.run(Thread.java:619)
Caused by: javax.crypto.IllegalBlockSizeException: Input length must be
multiple of 8 when decrypting with padded cipher
        at com.sun.crypto.provider.SunJCE_f.b(DashoA13*..)
        at com.sun.crypto.provider.SunJCE_f.b(DashoA13*..)
        at com.sun.crypto.provider.BlowfishCipher.engineDoFinal(DashoA13*..)
        at javax.crypto.Cipher.doFinal(DashoA13*..)
        at
org.jsecurity.crypto.BlowfishCipher.crypt(BlowfishCipher.java:191)
        ... 35 more




Reply | Threaded
Open this post in threaded view
|

Re: AbstractRememberMeManager and javax.crypto.IllegalBlockSizeException

pledbrook
> Caused by: javax.crypto.IllegalBlockSizeException: Input length must be
> multiple of 8 when decrypting with padded cipher
>       at com.sun.crypto.provider.SunJCE_f.b(DashoA13*..)
>       at com.sun.crypto.provider.SunJCE_f.b(DashoA13*..)
>       at com.sun.crypto.provider.BlowfishCipher.engineDoFinal(DashoA13*..)
>       at javax.crypto.Cipher.doFinal(DashoA13*..)
>       at org.jsecurity.crypto.BlowfishCipher.crypt(BlowfishCipher.java:191)
>       ... 35 more

I have seen this when the "key" used for the encryption wasn't 8
characters in length. I can't remember much about it, but I vaguely
remember "secret" being used, which of course has only 6 characters.
Sorry, my memory's a bit hazy on this front, but this might be enough
information to trigger a eureka moment in someone else :)

Cheers,

Peter
Reply | Threaded
Open this post in threaded view
|

Re: AbstractRememberMeManager and javax.crypto.IllegalBlockSizeException

Les Hazlewood-2
In reply to this post by Brad Whitaker-4
Hi Brad,

I don't believe anyone has changed the Cipher implementation in a long time, so I'm not exactly sure how this happened.  Are you using JSecurity's default Key?  or did you specify your own?

Regards,

Les

On Mon, Jan 26, 2009 at 6:04 PM, Brad Whitaker <[hidden email]> wrote:
I'm having a bit of trouble running Jsecurity (built with revision 736939). I'm using the Grails plugin (updated in my local environment) and running Tomcat 6.

I'm having several issues that I can't completely describe at this point, but I'm seeing the following output in my logs. Is this just a transient issue, or is it problem with the Jsecurity code (or my environment)?

Are there any 'upgrade' issues related to the rememberMe cookies? (I was having trouble logging in until I deleted cookies in my browser.)

Thanks,

Brad


01/26 16:52:04 INFO  org.jsecurity.web.attr.CookieAttribute  - Found string value [clJgEjFZVuRRN5lCpInkOsawSaKK4hLwegZK/QgR1Thk380v5wL9pA1NZo7QHr7erlnry1vt2AqIyM8Fj2HBCsl1lierxE9EJ1typI2GpgMeG+HmceNdrlN6KGh4AmjLG3zCUPo8E+QzGVs/EO3PIAGyYYtuYbW++oJDr5xfY9DwK4Omq5GijZSSmdpOHiYelPMa1XLwT0D/kNCUm6EVfG6TKwxViNtGdyzknY7abNU7ucw2UWfjFe24hH0SL0hZMXjPQYtMnPl5J5qfjU4EXX1a/Ijn0IKUEk5BmY+ipc6irMI/Rrmumr7XSSncSHq2cpyNbwJBykFX5s/ydB64hbMenS+LhbUvnQBNt8Xkjyc+IrzntDuVGH4IGfnRIAOwDkU6EZPQ4v36wbd8IB3kUFW1/1z6ZvS4jsIgMA3TS2xMjhGB8FWnIAFUoCkjdbD5IIrhYORnMFPMQ/6A+3yPnLCDQ3UIeZ5SB9Ol7a1oMIw] from HttpServletRequest Cookie [rememberMe]
01/26 16:52:04 WARN  org.jsecurity.mgt.AbstractRememberMeManager  - There was a failure while trying to retrieve remembered principals.  This could be due to a configuration problem or corrupted principals.  This could also be due to a recently changed encryption key.  The remembered identity will be forgotten and not used for this request.
java.lang.IllegalStateException: Unable to crypt bytes with cipher [javax.crypto.Cipher@cb577].
      at org.jsecurity.crypto.BlowfishCipher.crypt(BlowfishCipher.java:194)
      at org.jsecurity.crypto.BlowfishCipher.crypt(BlowfishCipher.java:219)
      at org.jsecurity.crypto.BlowfishCipher.decrypt(BlowfishCipher.java:141)
      at org.jsecurity.mgt.AbstractRememberMeManager.decrypt(AbstractRememberMeManager.java:251)
      at org.jsecurity.mgt.AbstractRememberMeManager.getRememberedPrincipals(AbstractRememberMeManager.java:198)
      at org.jsecurity.mgt.DefaultSecurityManager.getRememberedIdentity(DefaultSecurityManager.java:411)
      at org.jsecurity.mgt.DefaultSecurityManager.createSubject(DefaultSecurityManager.java:212)
      at org.jsecurity.mgt.DefaultSecurityManager.getSubject(DefaultSecurityManager.java:426)
      at org.jsecurity.mgt.DefaultSecurityManager.getSubject(DefaultSecurityManager.java:433)
      at org.jsecurity.web.servlet.JSecurityFilter.doFilterInternal(JSecurityFilter.java:369)
      at org.jsecurity.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:183)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
      at org.codehaus.groovy.grails.web.servlet.mvc.GrailsWebRequestFilter.doFilterInternal(GrailsWebRequestFilter.java:65)
      at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
      at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:96)
      at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
      at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:236)
      at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
      at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
      at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
      at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
      at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
      at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
      at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
      at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:190)
      at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:283)
      at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:767)
      at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:697)
      at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:889)
      at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:690)
      at java.lang.Thread.run(Thread.java:619)
Caused by: javax.crypto.IllegalBlockSizeException: Input length must be multiple of 8 when decrypting with padded cipher
      at com.sun.crypto.provider.SunJCE_f.b(DashoA13*..)
      at com.sun.crypto.provider.SunJCE_f.b(DashoA13*..)
      at com.sun.crypto.provider.BlowfishCipher.engineDoFinal(DashoA13*..)
      at javax.crypto.Cipher.doFinal(DashoA13*..)
      at org.jsecurity.crypto.BlowfishCipher.crypt(BlowfishCipher.java:191)
      ... 35 more





Reply | Threaded
Open this post in threaded view
|

Re: AbstractRememberMeManager and javax.crypto.IllegalBlockSizeException

Brad Whitaker-4
I had omitted jsecurity-ehcache-1.0.0-SNAPSHOT.jar and jsecurity-quartz-1.0.0-SNAPSHOT.jar from the plugin lib directory. (Don't ask me why. I was just guessing.) I added them back in and I am no longer seeing exceptions.

I am seeing this 'info' level log statement a lot, approximately 15 times per web request. Perhaps this should be a 'debug' level statement instead of 'info'.

01/27 19:37:14 INFO  org.jsecurity.web.attr.CookieAttribute  - Found string value [clJgEjFZVuRRN5lCpInkOsawSaKK4hLwegZK/QgR1Thk380v5wL9pA1NZo7QHr7erlnry1vt2AqIyM8Fj2HBCsl1lierxE9EJ1typI2GpgMeG+HmceNdrlN6KGh4AmjLG3zCUPo8E+QzGVs/EO3PIAGyYYtuYbW++oJDr5xfY9DwK4Omq5GijZSSmdpOHiYelPMa1XLwT0D/kNCUm6EVfG6TKwxViNtGdyzknY7abNU7ucw2UWfjFe24hH0SL0hZMXjPQYtMnPl5J5qfjU4EXX1a/Ijn0IKUEk5BmY+ipc6irMI/Rrmumr7XSSncSHq2cpyNbwJBykFX5s/ydB64hbMenS+LhbUvnQBNt8Xkjyc+IrzntDuVGH4IGfnRIAOwDkU6EZPQ4v36wbd8IB3kUFW1/1z6ZvS4jsIgMA3TS2xMjhGB8FWnIPbbveMSpTk43fRjrvTkN88J4Qiz5mxhvtR2s6r2diCpdq57VA2xmPcIHmAf0lQu6j5Rs/rAhH0z] from HttpServletRequest Cookie [rememberMe]

Thanks,

Brad


Les Hazlewood wrote:
Hi Brad,

I don't believe anyone has changed the Cipher implementation in a long time, so I'm not exactly sure how this happened.  Are you using JSecurity's default Key?  or did you specify your own?

Regards,

Les

On Mon, Jan 26, 2009 at 6:04 PM, Brad Whitaker <[hidden email]> wrote:
I'm having a bit of trouble running Jsecurity (built with revision 736939). I'm using the Grails plugin (updated in my local environment) and running Tomcat 6.

I'm having several issues that I can't completely describe at this point, but I'm seeing the following output in my logs. Is this just a transient issue, or is it problem with the Jsecurity code (or my environment)?

Are there any 'upgrade' issues related to the rememberMe cookies? (I was having trouble logging in until I deleted cookies in my browser.)

Thanks,

Brad


01/26 16:52:04 INFO  org.jsecurity.web.attr.CookieAttribute  - Found string value [clJgEjFZVuRRN5lCpInkOsawSaKK4hLwegZK/QgR1Thk380v5wL9pA1NZo7QHr7erlnry1vt2AqIyM8Fj2HBCsl1lierxE9EJ1typI2GpgMeG+HmceNdrlN6KGh4AmjLG3zCUPo8E+QzGVs/EO3PIAGyYYtuYbW++oJDr5xfY9DwK4Omq5GijZSSmdpOHiYelPMa1XLwT0D/kNCUm6EVfG6TKwxViNtGdyzknY7abNU7ucw2UWfjFe24hH0SL0hZMXjPQYtMnPl5J5qfjU4EXX1a/Ijn0IKUEk5BmY+ipc6irMI/Rrmumr7XSSncSHq2cpyNbwJBykFX5s/ydB64hbMenS+LhbUvnQBNt8Xkjyc+IrzntDuVGH4IGfnRIAOwDkU6EZPQ4v36wbd8IB3kUFW1/1z6ZvS4jsIgMA3TS2xMjhGB8FWnIAFUoCkjdbD5IIrhYORnMFPMQ/6A+3yPnLCDQ3UIeZ5SB9Ol7a1oMIw] from HttpServletRequest Cookie [rememberMe]




Reply | Threaded
Open this post in threaded view
|

Re: AbstractRememberMeManager and javax.crypto.IllegalBlockSizeException

Les Hazlewood-3
Ah, excellent catch - you're right that should definitely be Debug.  Can you please open a Jira issue so we can nab it?

On Tue, Jan 27, 2009 at 8:50 PM, Brad Whitaker <[hidden email]> wrote:
I had omitted jsecurity-ehcache-1.0.0-SNAPSHOT.jar and jsecurity-quartz-1.0.0-SNAPSHOT.jar from the plugin lib directory. (Don't ask me why. I was just guessing.) I added them back in and I am no longer seeing exceptions.

I am seeing this 'info' level log statement a lot, approximately 15 times per web request. Perhaps this should be a 'debug' level statement instead of 'info'.

01/27 19:37:14 INFO  org.jsecurity.web.attr.CookieAttribute  - Found string value [clJgEjFZVuRRN5lCpInkOsawSaKK4hLwegZK/QgR1Thk380v5wL9pA1NZo7QHr7erlnry1vt2AqIyM8Fj2HBCsl1lierxE9EJ1typI2GpgMeG+HmceNdrlN6KGh4AmjLG3zCUPo8E+QzGVs/EO3PIAGyYYtuYbW++oJDr5xfY9DwK4Omq5GijZSSmdpOHiYelPMa1XLwT0D/kNCUm6EVfG6TKwxViNtGdyzknY7abNU7ucw2UWfjFe24hH0SL0hZMXjPQYtMnPl5J5qfjU4EXX1a/Ijn0IKUEk5BmY+ipc6irMI/Rrmumr7XSSncSHq2cpyNbwJBykFX5s/ydB64hbMenS+LhbUvnQBNt8Xkjyc+IrzntDuVGH4IGfnRIAOwDkU6EZPQ4v36wbd8IB3kUFW1/1z6ZvS4jsIgMA3TS2xMjhGB8FWnIPbbveMSpTk43fRjrvTkN88J4Qiz5mxhvtR2s6r2diCpdq57VA2xmPcIHmAf0lQu6j5Rs/rAhH0z] from HttpServletRequest Cookie [rememberMe]

Thanks,

Brad



Les Hazlewood wrote:
Hi Brad,

I don't believe anyone has changed the Cipher implementation in a long time, so I'm not exactly sure how this happened.  Are you using JSecurity's default Key?  or did you specify your own?

Regards,

Les

On Mon, Jan 26, 2009 at 6:04 PM, Brad Whitaker <[hidden email]> wrote:
I'm having a bit of trouble running Jsecurity (built with revision 736939). I'm using the Grails plugin (updated in my local environment) and running Tomcat 6.

I'm having several issues that I can't completely describe at this point, but I'm seeing the following output in my logs. Is this just a transient issue, or is it problem with the Jsecurity code (or my environment)?

Are there any 'upgrade' issues related to the rememberMe cookies? (I was having trouble logging in until I deleted cookies in my browser.)

Thanks,

Brad


01/26 16:52:04 INFO  org.jsecurity.web.attr.CookieAttribute  - Found string value [clJgEjFZVuRRN5lCpInkOsawSaKK4hLwegZK/QgR1Thk380v5wL9pA1NZo7QHr7erlnry1vt2AqIyM8Fj2HBCsl1lierxE9EJ1typI2GpgMeG+HmceNdrlN6KGh4AmjLG3zCUPo8E+QzGVs/EO3PIAGyYYtuYbW++oJDr5xfY9DwK4Omq5GijZSSmdpOHiYelPMa1XLwT0D/kNCUm6EVfG6TKwxViNtGdyzknY7abNU7ucw2UWfjFe24hH0SL0hZMXjPQYtMnPl5J5qfjU4EXX1a/Ijn0IKUEk5BmY+ipc6irMI/Rrmumr7XSSncSHq2cpyNbwJBykFX5s/ydB64hbMenS+LhbUvnQBNt8Xkjyc+IrzntDuVGH4IGfnRIAOwDkU6EZPQ4v36wbd8IB3kUFW1/1z6ZvS4jsIgMA3TS2xMjhGB8FWnIAFUoCkjdbD5IIrhYORnMFPMQ/6A+3yPnLCDQ3UIeZ5SB9Ol7a1oMIw] from HttpServletRequest Cookie [rememberMe]





Reply | Threaded
Open this post in threaded view
|

Re: AbstractRememberMeManager and javax.crypto.IllegalBlockSizeException

Brad Whitaker-4
Les Hazlewood wrote:
> Ah, excellent catch - you're right that should definitely be Debug.  
> Can you please open a Jira issue so we can nab it?
https://issues.apache.org/jira/browse/JSEC-50