MyFaces Core: MYFACES-1786

Encryption is enabled by default, causing problems if no secret is set

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Invalid
    • Affects Version/s: 1.2.0, 1.2.1-SNAPSHOT
    • Fix Version/s: None
    • Component/s: General
    • Labels:
      None
    • Environment:
      Any

      Description

      According to the documentation of org.apache.myfaces.util.StateUtils "To enable encryption, a secret must be provided. StateUtils looks first for the org.apache.myfaces.secret init param, then system properties. If a secret cannot be located, encryption is not used."

      This is the correct behaviour but in fact the isSecure() method of that class includes:

      return ! "false".equals(ctx.getInitParameter(USE_ENCRYPTION));

      This enables encryption in ALL cases except where the init parameter is PRESENT and EQUAL to "false". For example if it is absent, encryption is enabled. It looks as though a secret is then generated.

      This causes a problem because if the web container is restarted, a new secret is generated. Existing users who then submit any view encoded with the old secret hit an exception in the restore view phase which looks like this, at least in my environment:

      javax.faces.FacesException: javax.crypto.BadPaddingException: Given final block not properly padded
      at org.apache.myfaces.shared_impl.util.StateUtils.symmetric(StateUtils.java:370)
      at org.apache.myfaces.shared_impl.util.StateUtils.symmetric(StateUtils.java:408)
      at org.apache.myfaces.shared_impl.util.StateUtils.decrypt(StateUtils.java:288)
      at org.apache.myfaces.shared_impl.util.StateUtils.reconstruct(StateUtils.java:237)
      at org.apache.myfaces.renderkit.html.HtmlResponseStateManager.getTreeStructureToRestore(HtmlResponseStateManager.java:129)
      at javax.faces.render.ResponseStateManager.getState(ResponseStateManager.java:81)
      at org.apache.myfaces.application.jsp.JspStateManagerImpl.restoreView(JspStateManagerImpl.java:283)
      at org.ajax4jsf.framework.ajax.AjaxStateManager.restoreView(AjaxStateManager.java:83)
      at org.apache.myfaces.application.jsp.JspViewHandlerImpl.restoreView(JspViewHandlerImpl.java:354)
      at com.sun.facelets.FaceletViewHandler.restoreView(FaceletViewHandler.java:317)
      at org.ajax4jsf.framework.ViewHandlerWrapper.restoreView(ViewHandlerWrapper.java:116)
      at org.ajax4jsf.framework.ajax.AjaxViewHandler.restoreView(AjaxViewHandler.java:147)
      at org.jenia.faces.template.handler.ViewHandler.restoreView(ViewHandler.java:263)
      at com.sun.facelets.FaceletViewHandler.restoreView(FaceletViewHandler.java:317)
      at org.ajax4jsf.framework.ViewHandlerWrapper.restoreView(ViewHandlerWrapper.java:116)
      at org.ajax4jsf.framework.ajax.AjaxViewHandler.restoreView(AjaxViewHandler.java:147)
      at org.apache.myfaces.lifecycle.RestoreViewExecutor.execute(RestoreViewExecutor.java:85)
      at org.apache.myfaces.lifecycle.LifecycleImpl.executePhase(LifecycleImpl.java:95)
      at org.apache.myfaces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:70)
      at javax.faces.webapp.FacesServlet.service(FacesServlet.java:137)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
      at org.ajax4jsf.framework.ajax.xmlfilter.BaseXMLFilter.doXmlFilter(BaseXMLFilter.java:96)
      at org.ajax4jsf.framework.ajax.xmlfilter.BaseFilter.doFilter(BaseFilter.java:220)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
      at org.apache.myfaces.webapp.filter.ExtensionsFilter.doFilter(ExtensionsFilter.java:147)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
      at net.parkplatz.rr.webframework.Doorkeeper.doFilter(Doorkeeper.java:185)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
      at org.springframework.orm.jdo.support.OpenPersistenceManagerInViewFilter.doFilterInternal(OpenPersistenceManagerInViewFilter.java:106)
      at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:77)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
      at org.netbeans.modules.web.monitor.server.MonitorFilter.doFilter(MonitorFilter.java:390)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
      at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
      at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
      at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
      at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
      at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
      at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:263)
      at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
      at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:584)
      at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
      at java.lang.Thread.run(Thread.java:619)
      Caused by: javax.crypto.BadPaddingException: Given final block not properly padded
      at com.sun.crypto.provider.SunJCE_f.b(DashoA13*..)
      at com.sun.crypto.provider.SunJCE_f.b(DashoA13*..)
      at com.sun.crypto.provider.DESCipher.engineDoFinal(DashoA13*..)
      at javax.crypto.Cipher.doFinal(DashoA13*..)
      at org.apache.myfaces.shared_impl.util.StateUtils.symmetric(StateUtils.java:366)
      ... 48 more
      Caused by: javax.crypto.BadPaddingException: Given final block not properly padded
      at com.sun.crypto.provider.SunJCE_f.b(DashoA13*..)
      at com.sun.crypto.provider.SunJCE_f.b(DashoA13*..)
      at com.sun.crypto.provider.DESCipher.engineDoFinal(DashoA13*..)
      at javax.crypto.Cipher.doFinal(DashoA13*..)
      at org.apache.myfaces.shared_impl.util.StateUtils.symmetric(StateUtils.java:366)
      at org.apache.myfaces.shared_impl.util.StateUtils.symmetric(StateUtils.java:408)
      at org.apache.myfaces.shared_impl.util.StateUtils.decrypt(StateUtils.java:288)
      at org.apache.myfaces.shared_impl.util.StateUtils.reconstruct(StateUtils.java:237)
      at org.apache.myfaces.renderkit.html.HtmlResponseStateManager.getTreeStructureToRestore(HtmlResponseStateManager.java:129)
      at javax.faces.render.ResponseStateManager.getState(ResponseStateManager.java:81)
      at org.apache.myfaces.application.jsp.JspStateManagerImpl.restoreView(JspStateManagerImpl.java:283)
      at org.ajax4jsf.framework.ajax.AjaxStateManager.restoreView(AjaxStateManager.java:83)
      at org.apache.myfaces.application.jsp.JspViewHandlerImpl.restoreView(JspViewHandlerImpl.java:354)
      at com.sun.facelets.FaceletViewHandler.restoreView(FaceletViewHandler.java:317)
      at org.ajax4jsf.framework.ViewHandlerWrapper.restoreView(ViewHandlerWrapper.java:116)
      at org.ajax4jsf.framework.ajax.AjaxViewHandler.restoreView(AjaxViewHandler.java:147)
      at org.jenia.faces.template.handler.ViewHandler.restoreView(ViewHandler.java:263)
      at com.sun.facelets.FaceletViewHandler.restoreView(FaceletViewHandler.java:317)
      at org.ajax4jsf.framework.ViewHandlerWrapper.restoreView(ViewHandlerWrapper.java:116)
      at org.ajax4jsf.framework.ajax.AjaxViewHandler.restoreView(AjaxViewHandler.java:147)
      at org.apache.myfaces.lifecycle.RestoreViewExecutor.execute(RestoreViewExecutor.java:85)
      at org.apache.myfaces.lifecycle.LifecycleImpl.executePhase(LifecycleImpl.java:95)
      at org.apache.myfaces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:70)
      at javax.faces.webapp.FacesServlet.service(FacesServlet.java:137)

      This was reported on the MyFaces users list using MyFaces 1.2.0 and is still present in 1.2.1-SNAPSHOT.

      The fix is to correct the bug in the line from org.apache.myfaces.util.StateUtils.isSecure() quoted above, so that it reads:

      return "true".equals(ctx.getInitParameter(USE_ENCRYPTION));
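As an added illustration, not MyFaces code, of the failure mode described above: the quoted predicate beside the proposed one, and a round trip that mirrors the key handling the report assumes (configured secret if present, otherwise a random key per start) to show why a view encrypted before a restart without a secret fails with BadPaddingException while a configured secret survives. The class name, the resolveKey/crypt helpers and the 8-byte secret value are constructed for this demo.

```java
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
public class StateSecretDemo {
    // The predicate quoted in the report: encryption is on unless the param is exactly "false".
    static boolean isSecureReported(String useEncryptionParam) {
        return !"false".equals(useEncryptionParam);
    }
    // The predicate the reporter proposes: encryption only when the param is exactly "true".
    static boolean isSecureProposed(String useEncryptionParam) {
        return "true".equals(useEncryptionParam);
    }
    // Assumption modelled on the report, not MyFaces code: a configured secret wins,
    // otherwise a fresh random key is generated, as a restarted container would do.
    static SecretKey resolveKey(byte[] configuredSecret) throws Exception {
        if (configuredSecret != null) {
            return new SecretKeySpec(configuredSecret, "DES"); // DES takes 8 raw bytes
        }
        return KeyGenerator.getInstance("DES").generateKey();
    }
    // DES/PKCS5Padding only because the reporter's trace ends in DESCipher.engineDoFinal.
    static byte[] crypt(int mode, SecretKey key, byte[] data) throws Exception {
        Cipher c = Cipher.getInstance("DES/ECB/PKCS5Padding");
        c.init(mode, key);
        return c.doFinal(data);
    }
    public static void main(String[] args) throws Exception {
        // With the init param absent, the reported predicate turns encryption on, the proposed one off.
        System.out.println("param absent -> reported: " + isSecureReported(null)
                + ", proposed: " + isSecureProposed(null));
        byte[] state = "constructed sample view state".getBytes(StandardCharsets.UTF_8);
        // No secret configured: each resolveKey(null) is a new process's random key, i.e. a restart.
        byte[] blob = crypt(Cipher.ENCRYPT_MODE, resolveKey(null), state);
        try {
            crypt(Cipher.DECRYPT_MODE, resolveKey(null), blob);
            System.out.println("wrong key, but the last block happened to pad correctly (rare)");
        } catch (BadPaddingException e) {
            System.out.println("restart without secret: " + e); // the report's exception
        }
        // Secret configured (constructed value): same key on both sides, state survives the restart.
        byte[] secret = "8bytekey".getBytes(StandardCharsets.UTF_8);
        blob = crypt(Cipher.ENCRYPT_MODE, resolveKey(secret), state);
        byte[] plain = crypt(Cipher.DECRYPT_MODE, resolveKey(secret), blob);
        System.out.println("with secret: " + new String(plain, StandardCharsets.UTF_8));
    }
}
```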

        Issue Links

          This issue is related to MYFACES-1838

          Activity

          Jon Harley created issue
          Simon Kitching made changes: Link: This issue is related to MYFACES-1838
          Leonardo Uribe made changes: Status: Open -> Closed; Assignee: Leonardo Uribe; Resolution: Invalid

            People

            • Assignee: Leonardo Uribe
            • Reporter: Jon Harley
            • Votes: 3
            • Watchers: 1
