ArrayIndexOutOfBoundsException in CookieRememberMeManager.getRememberedSerializedIdentity


jubax
Hi,

I get an ArrayIndexOutOfBoundsException in CookieRememberMeManager
when I'm logging out (Tomcat-based web application). See below.

I also added

[main]
securityManager.rememberMeManager.cipherKey = 0xff64f88d526b7bb96b962682b7048d76

to the shiro.ini, but to no avail.

Any ideas?

Thanks,

Jürgen

2019-07-15 14:43:40 TRACE [] [http-nio-8080-exec-7] PathMatchingFilter   - Current requestURI matches pattern '/logout'.  Determining filter chain execution...
2019-07-15 14:43:40 TRACE [] [http-nio-8080-exec-7] PathMatchingFilter   - Filter 'anon' is enabled for the current request under path '/logout' with config [null].  Delegating to subclass implementation for 'onPreHandle' check.
2019-07-15 14:43:40 TRACE [] [http-nio-8080-exec-7] AdviceFilter         - Invoked preHandle method.  Continuing chain?: [true]
2019-07-15 14:43:40 TRACE [] [http-nio-8080-exec-7] ProxiedFilterChain   - Invoking original filter chain.
2019-07-15 14:43:40 TRACE [] [http-nio-8080-exec-7] DelegatingSubject    - attempting to get session; create = false; session is null = false; session has id = true
2019-07-15 14:43:40 TRACE [] [http-nio-8080-exec-7] DelegatingSubject    - attempting to get session; create = false; session is null = false; session has id = true
2019-07-15 14:43:40 TRACE [] [http-nio-8080-exec-7] AdviceFilter         - Successfully invoked postHandle method
2019-07-15 14:43:40 TRACE [] [http-nio-8080-exec-7] AdviceFilter         - Successfully invoked afterCompletion method.
2019-07-15 14:43:40 TRACE [] [http-nio-8080-exec-10] OncePerRequestFilter - Filter 'ShiroFilter' not yet executed.  Executing now.
2019-07-15 14:43:40 TRACE [] [http-nio-8080-exec-10] DefaultSecurityManager - Context already contains a SecurityManager instance.  Returning.
2019-07-15 14:43:40 TRACE [] [http-nio-8080-exec-10] DefaultSecurityManager - No identity (PrincipalCollection) found in the context.  Looking for a remembered identity.
2019-07-15 14:43:40 DEBUG [] [http-nio-8080-exec-10] SimpleCookie         - Found 'rememberMe' cookie value [383078EE-A226-47B8-9798-8DDF9E361A9A%%ldapRealm]
2019-07-15 14:43:40 TRACE [] [http-nio-8080-exec-10] CookieRememberMeManager - Acquired Base64 encoded identity [383078EE-A226-47B8-9798-8DDF9E361A9A%%ldapRealm===]
2019-07-15 14:43:40 WARN  [] [http-nio-8080-exec-10] AbstractRememberMeManager - There was a failure while trying to retrieve remembered principals.  This could be due to a configuration problem or corrupted principals.  This could also be due to a recently changed encryption key, if you are using a shiro.ini file, this property would be 'securityManager.rememberMeManager.cipherKey' see: http://shiro.apache.org/web.html#Web-RememberMeServices. The remembered identity will be forgotten and not used for this request.
2019-07-15 14:43:40 TRACE [] [http-nio-8080-exec-10] SimpleCookie         - calculated path: /myapplication
2019-07-15 14:43:40 DEBUG [] [http-nio-8080-exec-10] SimpleCookie         - Added HttpServletResponse Cookie [rememberMe=deleteMe; Path=/myapplication; Max-Age=0; Expires=Sun, 14-Jul-2019 12:43:40 GMT]
2019-07-15 14:43:40 TRACE [] [http-nio-8080-exec-10] SimpleCookie         - Removed 'rememberMe' cookie by setting maxAge=0
2019-07-15 14:43:40 WARN  [] [http-nio-8080-exec-10] DefaultSecurityManager - *Delegate RememberMeManager instance of type [org.apache.shiro.web.mgt.CookieRememberMeManager] threw an exception during getRememberedPrincipals().*
java.lang.ArrayIndexOutOfBoundsException: Index 30 out of bounds for length 30
        at org.apache.shiro.codec.Base64.decode(Base64.java:470)
        at org.apache.shiro.codec.Base64.decode(Base64.java:414)
        at org.apache.shiro.web.mgt.CookieRememberMeManager.getRememberedSerializedIdentity(CookieRememberMeManager.java:215)
        at org.apache.shiro.mgt.AbstractRememberMeManager.getRememberedPrincipals(AbstractRememberMeManager.java:383)
        at org.apache.shiro.mgt.DefaultSecurityManager.getRememberedIdentity(DefaultSecurityManager.java:604)
        at org.apache.shiro.mgt.DefaultSecurityManager.resolvePrincipals(DefaultSecurityManager.java:492)
        at org.apache.shiro.mgt.DefaultSecurityManager.createSubject(DefaultSecurityManager.java:342)
        at org.apache.shiro.subject.Subject$Builder.buildSubject(Subject.java:846)
        at org.apache.shiro.web.subject.WebSubject$Builder.buildWebSubject(WebSubject.java:148)
        at org.apache.shiro.web.servlet.AbstractShiroFilter.createSubject(AbstractShiroFilter.java:292)
        at org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:359)
2019-07-15 14:43:40 TRACE [] [http-nio-8080-exec-10] DefaultSecurityManager - No remembered identity found.  Returning original context.




--
Sent from: http://shiro-user.582556.n2.nabble.com/

Re: ArrayIndexOutOfBoundsException in CookieRememberMeManager.getRememberedSerializedIdentity

Brian Demers
What is the remember me cookie payload? That _should_ make it easy to reproduce.

(Friendly reminder, I'm assuming that cipherKey is for test purposes and is not used in production)

On Mon, Jul 15, 2019 at 8:52 AM jubax <[hidden email]> wrote:

Re: ArrayIndexOutOfBoundsException in CookieRememberMeManager.getRememberedSerializedIdentity

jubax
Brian Demers wrote
> What is the remember me cookie payload? That _should_ make it easy to
> reproduce

That's the weird thing: AFAIK I'm currently not using the "remember me"
functionality at all (I have a simple login mask with user name and password
and no "remember me" checkbox).

Maybe that's the problem here. How do I turn it off (or how could I
accidentally have turned it on)?

Thanks,

Jürgen




Re: ArrayIndexOutOfBoundsException in CookieRememberMeManager.getRememberedSerializedIdentity

Brian Demers
What cookies are set?

-Brian


Re: ArrayIndexOutOfBoundsException in CookieRememberMeManager.getRememberedSerializedIdentity

jubax
Brian Demers wrote
> What cookies are set?

My application does not use cookies explicitly. There is a single cookie
which is set after login; it is called "jsessionid", which sounds like it is
coming from Tomcat. I'm not sure how this cookie is related to Shiro.

-Jürgen




Re: ArrayIndexOutOfBoundsException in CookieRememberMeManager.getRememberedSerializedIdentity

jubax
Brian Demers wrote
> What cookies are set?
>
> -Brian

I just noticed: We have two versions of our application running in the same
Tomcat at the same time. The old version does not use RememberMe, but the
new one does.

The error seems to occur only when I choose the RememberMe option in the new
version. After that I always get the ArrayIndexOutOfBoundsException in the
old version.

So this might be just a misconfiguration somewhere. I guess I was not aware
that different webapps can affect each other in this way.

Any ideas what I configured wrong?

Thanks,

Jürgen




Re: ArrayIndexOutOfBoundsException in CookieRememberMeManager.getRememberedSerializedIdentity

Philip Whitehouse
AIOOBE is not a helpful error regardless of config - we should still improve that...

Best,

Philip Whitehouse

> On 19 Jul 2019, at 09:35, jubax <[hidden email]> wrote:

Re: ArrayIndexOutOfBoundsException in CookieRememberMeManager.getRememberedSerializedIdentity

Brian Demers
Agreed, it should be an easy enough test to write. Can you give us an example of the cookie body?
My guess is the apps are using different secrets (the one not defined is a random key, but that one doesn't set a cookie), so it's the decryption that is failing.

If you are using the same set of cookies between apps you should configure Shiro the same on both apps.

-Brian (mobile)

> On Jul 19, 2019, at 3:39 AM, Philip Whitehouse <[hidden email]> wrote:

Re: ArrayIndexOutOfBoundsException in CookieRememberMeManager.getRememberedSerializedIdentity

jubax
Hi,


Brian Demers wrote

> Agreed, it should be an easy enough test to write, can you give us an
> example of the cookie body.
> My guess the apps are using different secrets (the one not defined is a
> random key, but that one doesn't set a cookie), so it's the decryption that
> is failing.
>
> If you are using the same set of cookies between apps you should configure
> Shiro the same on both apps.
>
> -Brian (mobile)

I would like to help, but I'm not sure what exactly you need. The shiro.ini
files contain no special configuration properties regarding cookies,
cypherkey etc.

The cookie name is "rememberMe" and it just contains the realm names:

String principal = (String) subject.getPrincipal();
String rememberMeToken = UUID.randomUUID().toString().toUpperCase(Locale.ROOT);
Cookie newCookie = new SimpleCookie(getCookie());
newCookie.setValue(concat(rememberMeToken, subject.getPrincipals().getRealmNames()));
newCookie.saveTo(request, response);

Is this what you need?

Thanks,

Jürgen





Re: ArrayIndexOutOfBoundsException in CookieRememberMeManager.getRememberedSerializedIdentity

Brian Demers
I'll try to reproduce this.

On Mon, Jul 22, 2019 at 4:16 AM jubax <[hidden email]> wrote:
Re: ArrayIndexOutOfBoundsException in CookieRememberMeManager.getRememberedSerializedIdentity

Brian Demers
I'm not able to reproduce the ArrayIndexOutOfBoundsException.  I can reproduce various cipher exceptions (expected).

What versions of Shiro are you using? (both the version with rememberMe configured and without).

I'm not sure I understand the "rememberMe" code you are referring to. Do you have custom Remember Me code in one application? And we are seeing a cookie name collision?


On Mon, Jul 22, 2019 at 2:48 PM Brian Demers <[hidden email]> wrote:

Re: ArrayIndexOutOfBoundsException in CookieRememberMeManager.getRememberedSerializedIdentity

jubax
Brian Demers wrote
> I'm not able to reproduce the ArrayIndexOutOfBoundsException.  I can
> reproduce various cipher exceptions (expected).
>
> What versions of Shiro are you using? (both the version with rememberMe
> configured and without).

In both versions of the application I'm using Shiro 1.3.2.


Brian Demers wrote
> I'm not sure I understand the "rememberMe" code you are referring to. Do
> you have custom Remember Me code in one application? And we are seeing a
> cookie name collision?

The code I posted comes from the new version of the application. It is from
our own implementation of the RememberMeManager interface.

-Jürgen




Re: ArrayIndexOutOfBoundsException in CookieRememberMeManager.getRememberedSerializedIdentity

fpapon
Hi,

Can you try with the latest version 1.4.1?

regards,

François

On 24/07/2019 at 10:15, jubax wrote:


Re: ArrayIndexOutOfBoundsException in CookieRememberMeManager.getRememberedSerializedIdentity

jubax
Hi François,


fpapon wrote
> Hi,
>
> Can you try with the latest version 1.4.1?
>
> regards,
>
> François



With 1.4.1 I get the same behavior.

Thanks,

Jürgen




Re: ArrayIndexOutOfBoundsException in CookieRememberMeManager.getRememberedSerializedIdentity

fpapon
Ok, thanks for your feedback.

We will take a look.

regards,

François

On 30/07/2019 at 09:08, jubax wrote:


Re: ArrayIndexOutOfBoundsException in CookieRememberMeManager.getRememberedSerializedIdentity

Brian Demers
It sounds like you have two conflicting versions of a remember me manager in your applications?

They each format the cookie differently, and this causes the stock RememberMeManager to throw an exception.
If this assumption _is_ correct Shiro should probably log and ignore this exception and NOT fail.

Can you provide an example of your request/response headers that is causing this issue? (that should make it easy to write a test)

On Tue, Jul 30, 2019 at 3:32 AM Francois Papon <[hidden email]> wrote:

Re: ArrayIndexOutOfBoundsException in CookieRememberMeManager.getRememberedSerializedIdentity

jubax
Brian Demers wrote

> It sounds like you have two conflicting versions of a remember me manager
> in your applications?
>
> They each format the cookie differently, and this causes the stock
> RememberMeManager to throw an exception.
> If this assumption _is_ correct Shiro should probably log and ignore this
> exception and NOT fail.
>
> Can you provide an example of your request/response headers that is
> causing
> this issue? (that should make it easy to write a test)

In the meantime I made sure that our two applications are installed on
separate servers. After that I tested only the old application. But the
ArrayIndexOutOfBoundsException still occurred. Then I deleted the
corresponding cookies in my browser (I probably should have checked
request/response headers before doing that). After that the error did not
occur anymore.

Right now I cannot change the application setup in order to reproduce the
error, but I plan to do so in the next few weeks.
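
Added example, not part of the thread and not Shiro's code: the log above shows a "rememberMe" cookie whose value is a UUID plus realm name rather than Base64, and the thread suggests such a value should be logged and ignored. The sketch below checks a cookie value before decoding and returns "no remembered identity" for anything malformed; the class and method names are hypothetical, and only java.util.Base64 from the JDK is used.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Optional;

/**
 * Added example (not Shiro code): check a "rememberMe" cookie value before
 * treating it as a Base64-encoded identity, and forget it when it is not one.
 */
public class RememberMeCookieCheck {

    /** Index of the first character outside the Base64 alphabet, or -1 if none. */
    static int firstIllegalIndex(String value) {
        int end = value.length();
        while (end > 0 && value.charAt(end - 1) == '=') {
            end--; // '=' is legal only as trailing padding
        }
        for (int i = 0; i < end; i++) {
            char c = value.charAt(i);
            boolean legal = (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z')
                    || (c >= '0' && c <= '9') || c == '+' || c == '/';
            if (!legal) {
                return i;
            }
        }
        return -1;
    }

    /**
     * Decoded bytes when the value is well-formed Base64, otherwise empty.
     * An empty result means: log it, expire the cookie, and carry on without
     * a remembered identity. No exception leaves this method.
     */
    static Optional<byte[]> decodeOrForget(String cookieValue) {
        if (cookieValue == null || cookieValue.isEmpty()) {
            return Optional.empty();
        }
        int bad = firstIllegalIndex(cookieValue);
        if (bad >= 0) {
            System.out.printf("rejecting cookie: '%c' at index %d is not Base64%n",
                    cookieValue.charAt(bad), bad);
            return Optional.empty();
        }
        try {
            return Optional.of(Base64.getDecoder().decode(cookieValue));
        } catch (IllegalArgumentException e) {
            // Right alphabet, wrong shape (bad length or misplaced padding).
            System.out.println("rejecting cookie: " + e.getMessage());
            return Optional.empty();
        }
    }

    public static void main(String[] args) {
        // Cookie value exactly as it appears in the log posted in this thread.
        String fromThread = "383078EE-A226-47B8-9798-8DDF9E361A9A%%ldapRealm";
        // Constructed sample: Base64 of arbitrary bytes standing in for an
        // encrypted identity.
        String constructed = Base64.getEncoder()
                .encodeToString("constructed-sample".getBytes(StandardCharsets.UTF_8));

        // Third input is constructed too: valid alphabet, impossible length.
        for (String value : new String[] {fromThread, constructed, constructed + "A"}) {
            Optional<byte[]> decoded = decodeOrForget(value);
            System.out.println(decoded
                    .map(b -> "decoded " + b.length + " bytes; next step is decryption")
                    .orElse("no remembered identity; expire the cookie"));
        }
    }
}
```

Validation of this kind only keeps a stray value from surfacing as an exception; the collision itself ends when the custom RememberMeManager stores its token under a cookie name other than "rememberMe".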




Re: ArrayIndexOutOfBoundsException in CookieRememberMeManager.getRememberedSerializedIdentity

Brian Demers
Thanks for the update, keep us posted!

On Thu, Aug 1, 2019 at 10:20 AM jubax <[hidden email]> wrote: