atlassian-seraph / SER-117

Seraph throws IllegalBlockSizeException when trying to read the cookie when a particular user visits JIRA


Details

    • Bug
    • Resolution: Fixed
    • High
    • 0.38
    • 0.33
    • None
    • true

    Description

      2008-03-07 15:46:32,469 http-8090-Processor2 DEBUG [atlassian.seraph.filter.BaseLoginFilter] Login completed - setting attribute to "null"
      2008-03-07 15:46:32,470 http-8090-Processor2 DEBUG [atlassian.seraph.filter.SecurityFilter] Storing the originally requested URL (atlassian.core.seraph.original.url=/default.jsp)
      2008-03-07 15:46:32,470 http-8090-Processor2 DEBUG [atlassian.seraph.filter.SecurityFilter] requiredRoles = []
      2008-03-07 15:46:32,470 http-8090-Processor2 DEBUG [atlassian.seraph.cookie.EncryptedCookieEncoder] Invalid password cookie submitted, trying insecure
      java.lang.RuntimeException: javax.crypto.IllegalBlockSizeException: Input length must be multiple of 8 when decrypting with padded cipher
      	at com.atlassian.seraph.util.EncryptionUtils.decrypt(EncryptionUtils.java:77)
      	at com.atlassian.seraph.cookie.EncryptedCookieEncoder.decodePasswordCookie(EncryptedCookieEncoder.java:43)
      	at com.atlassian.seraph.auth.DefaultAuthenticator.decodeCookie(DefaultAuthenticator.java:393)
      	at com.atlassian.seraph.auth.DefaultAuthenticator.getUserFromCookie(DefaultAuthenticator.java:245)
      	at com.atlassian.seraph.auth.DefaultAuthenticator.getUser(DefaultAuthenticator.java:221)
      	at com.atlassian.seraph.filter.SecurityFilter.doFilter(SecurityFilter.java:137)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
      	at com.atlassian.seraph.filter.TrustedApplicationsFilter.doFilter(TrustedApplicationsFilter.java:114)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
      	at com.atlassian.seraph.filter.BaseLoginFilter.doFilter(BaseLoginFilter.java:110)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
      	at com.atlassian.util.profiling.filters.ProfilingFilter.doFilter(ProfilingFilter.java:132)
      	at com.atlassian.jira.web.filters.JIRAProfilingFilter.doFilter(JIRAProfilingFilter.java:16)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
      	at com.atlassian.jira.web.filters.ActionCleanupDelayFilter.doFilter(ActionCleanupDelayFilter.java:43)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
      	at com.atlassian.jira.web.filters.RequestCleanupFilter.doFilter(RequestCleanupFilter.java:50)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
      	at com.atlassian.johnson.filters.AbstractJohnsonFilter.doFilter(AbstractJohnsonFilter.java:72)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
      	at org.tuckey.web.filters.urlrewrite.UrlRewriteFilter.doFilter(UrlRewriteFilter.java:350)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
      	at com.atlassian.gzipfilter.GzipFilter.doFilter(GzipFilter.java:89)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
      	at com.atlassian.core.filters.AbstractEncodingFilter.doFilter(AbstractEncodingFilter.java:37)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
      	at com.atlassian.jira.appconsistency.db.DatabaseCompatibilityEnforcerFilter.doFilter(DatabaseCompatibilityEnforcerFilter.java:39)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
      	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
      	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:174)
      	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
      	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
      	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
      	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:174)
      	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:874)
      	at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)
      	at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)
      	at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
      	at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689)
      	at java.lang.Thread.run(Thread.java:613)
      Caused by: javax.crypto.IllegalBlockSizeException: Input length must be multiple of 8 when decrypting with padded cipher
      	at com.sun.crypto.provider.SunJCE_h.b(DashoA12275)
      	at com.sun.crypto.provider.SunJCE_h.b(DashoA12275)
      	at com.sun.crypto.provider.SunJCE_af.b(DashoA12275)
      	at com.sun.crypto.provider.PBEWithMD5AndDESCipher.engineDoFinal(DashoA12275)
      	at javax.crypto.Cipher.doFinal(DashoA12275)
      	at com.atlassian.seraph.util.EncryptionUtils.decrypt(EncryptionUtils.java:73)
      	... 50 more
      2008-03-07 15:46:32,471 http-8090-Processor2 DEBUG [atlassian.seraph.auth.DefaultAuthenticator] Got username and password from cookie, attempting to authenticate user
      2008-03-07 15:46:32,472 http-8090-Processor2 DEBUG [atlassian.seraph.auth.DefaultAuthenticator] Could not find user who tried to login: com.opensymphony.user.EntityNotFoundException: No user  found
      2008-03-07 15:46:32,472 http-8090-Processor2 INFO [atlassian.seraph.auth.DefaultAuthenticator] Cannot login user '' as they do not exist.
      2008-03-07 15:46:32,472 http-8090-Processor2 WARN [atlassian.seraph.auth.DefaultAuthenticator] User:  tried to login but they do not have USE permission or weren't found. Deleting cookie.
      2008-03-07 15:46:32,472 http-8090-Processor2 DEBUG [atlassian.seraph.cookie.DefaultCookieHandler] invalidateCookie seraph.os.cookie for path /jira
      2008-03-07 15:46:32,472 http-8090-Processor2 DEBUG [atlassian.seraph.cookie.DefaultCookieHandler] CookieUtils.setCookie seraph.os.cookie:null
      2008-03-07 15:46:32,472 http-8090-Processor2 DEBUG [atlassian.seraph.auth.DefaultAuthenticator] Cannot log user in via a cookie

      Found while investigating a JIRA support case. Note that I replicated the problem in my own environment using the customer's data. The database contains two users. I logged in as the first user with the Remember me option set, then closed the browser, revisited JIRA, and I was logged in fine. Did the same thing with the second user, and upon revisiting JIRA I needed to log in again. Note that after I log in, I do not visit any pages - as soon as I am shown the dashboard, I quit the browser.

      Tested this on both Safari and Firefox (on OS X). The seraph.os.cookie is still in the browser when I reopen it, so it definitely did save a cookie after logging in.

      Any ideas as to what is causing this?
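The exception in the log comes from handing the DES cipher a cookie whose byte length is not a multiple of its 8-byte block, and the lines that follow show the decoder falling through to an insecure decode and then an authentication attempt for user ''. The following added example is not Seraph's code: the passphrase, salt, iteration count and the one-byte truncation are constructed for the demo, and the real cookie format and key handling are not known from this issue. It reproduces the failure with the same PBEWithMD5AndDES cipher and shows a decode that rejects a malformed cookie outright instead of falling through:

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Optional;
import javax.crypto.*;
import javax.crypto.spec.*;

public class CookieBlockCheck {
    // Constructed demo values, not Seraph's key material; PBEWithMD5AndDES is the legacy cipher from the trace.
    private static final char[] PASSPHRASE = "demo-passphrase".toCharArray();
    private static final byte[] SALT = {1, 2, 3, 4, 5, 6, 7, 8}; // this PBE scheme requires an 8-byte salt
    private static final int ITERATIONS = 20;
    private static final int DES_BLOCK = 8;

    private static Cipher cipher(int mode) throws Exception {
        SecretKey key = SecretKeyFactory.getInstance("PBEWithMD5AndDES")
                .generateSecret(new PBEKeySpec(PASSPHRASE));
        Cipher c = Cipher.getInstance("PBEWithMD5AndDES");
        c.init(mode, key, new PBEParameterSpec(SALT, ITERATIONS));
        return c;
    }
    static byte[] encryptCookie(String userAndPassword) throws Exception {
        return cipher(Cipher.ENCRYPT_MODE).doFinal(userAndPassword.getBytes(StandardCharsets.UTF_8));
    }

    // Hardened decode: reject anything that cannot be valid padded-DES output before the cipher sees
    // it, and turn any decrypt failure into "no user" instead of an empty username reaching authentication.
    static Optional<String> decodeCookie(byte[] cookieBytes) {
        if (cookieBytes == null || cookieBytes.length == 0 || cookieBytes.length % DES_BLOCK != 0) {
            return Optional.empty(); // the cipher would throw IllegalBlockSizeException on this input
        }
        try {
            String decoded = new String(cipher(Cipher.DECRYPT_MODE).doFinal(cookieBytes), StandardCharsets.UTF_8);
            return decoded.isEmpty() ? Optional.empty() : Optional.of(decoded);
        } catch (Exception e) { // BadPaddingException etc.: wrong key, tampering, or block-aligned damage
            return Optional.empty();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] intact = encryptCookie("alice:secret");
        byte[] truncated = Arrays.copyOf(intact, intact.length - 1); // constructed: one byte lost in transit
        System.out.println("intact    -> " + decodeCookie(intact));
        System.out.println("truncated -> " + decodeCookie(truncated));
        try { // the raw call fails exactly as in the log above
            cipher(Cipher.DECRYPT_MODE).doFinal(truncated);
        } catch (IllegalBlockSizeException e) {
            System.out.println("raw decrypt: " + e.getMessage());
        }
    }
}
```

The length check only catches damage that breaks block alignment; a cookie shortened by a whole block passes it and is caught by the padding failure instead, which is why the decoder treats every exception as "no user" rather than trying another decode path.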

      People

        sleberrigaud Samuel Le Berrigaud
        mtokar Michael Tokar

      Dates

        Resolved: 16 years, 3 weeks, 6 days ago