Uploaded image for project: 'atlassian-seraph'
  1. atlassian-seraph
  2. SER-117

Seraph throws IllegalBlockSizeException when trying to read the cookie when a particular user visits JIRA

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Closed
    • Priority: High
    • Resolution: Fixed
    • Affects Version/s: 0.33
    • Fix Version/s: 0.38
    • Labels:
      None
    • Last commented by user?:
      true

      Description

      2008-03-07 15:46:32,469 http-8090-Processor2 DEBUG [atlassian.seraph.filter.BaseLoginFilter] Login completed - setting attribute to "null"
      2008-03-07 15:46:32,470 http-8090-Processor2 DEBUG [atlassian.seraph.filter.SecurityFilter] Storing the originally requested URL (atlassian.core.seraph.original.url=/default.jsp)
      2008-03-07 15:46:32,470 http-8090-Processor2 DEBUG [atlassian.seraph.filter.SecurityFilter] requiredRoles = []
      2008-03-07 15:46:32,470 http-8090-Processor2 DEBUG [atlassian.seraph.cookie.EncryptedCookieEncoder] Invalid password cookie submitted, trying insecure
      java.lang.RuntimeException: javax.crypto.IllegalBlockSizeException: Input length must be multiple of 8 when decrypting with padded cipher
      	at com.atlassian.seraph.util.EncryptionUtils.decrypt(EncryptionUtils.java:77)
      	at com.atlassian.seraph.cookie.EncryptedCookieEncoder.decodePasswordCookie(EncryptedCookieEncoder.java:43)
      	at com.atlassian.seraph.auth.DefaultAuthenticator.decodeCookie(DefaultAuthenticator.java:393)
      	at com.atlassian.seraph.auth.DefaultAuthenticator.getUserFromCookie(DefaultAuthenticator.java:245)
      	at com.atlassian.seraph.auth.DefaultAuthenticator.getUser(DefaultAuthenticator.java:221)
      	at com.atlassian.seraph.filter.SecurityFilter.doFilter(SecurityFilter.java:137)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
      	at com.atlassian.seraph.filter.TrustedApplicationsFilter.doFilter(TrustedApplicationsFilter.java:114)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
      	at com.atlassian.seraph.filter.BaseLoginFilter.doFilter(BaseLoginFilter.java:110)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
      	at com.atlassian.util.profiling.filters.ProfilingFilter.doFilter(ProfilingFilter.java:132)
      	at com.atlassian.jira.web.filters.JIRAProfilingFilter.doFilter(JIRAProfilingFilter.java:16)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
      	at com.atlassian.jira.web.filters.ActionCleanupDelayFilter.doFilter(ActionCleanupDelayFilter.java:43)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
      	at com.atlassian.jira.web.filters.RequestCleanupFilter.doFilter(RequestCleanupFilter.java:50)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
      	at com.atlassian.johnson.filters.AbstractJohnsonFilter.doFilter(AbstractJohnsonFilter.java:72)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
      	at org.tuckey.web.filters.urlrewrite.UrlRewriteFilter.doFilter(UrlRewriteFilter.java:350)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
      	at com.atlassian.gzipfilter.GzipFilter.doFilter(GzipFilter.java:89)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
      	at com.atlassian.core.filters.AbstractEncodingFilter.doFilter(AbstractEncodingFilter.java:37)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
      	at com.atlassian.jira.appconsistency.db.DatabaseCompatibilityEnforcerFilter.doFilter(DatabaseCompatibilityEnforcerFilter.java:39)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
      	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
      	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:174)
      	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
      	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
      	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
      	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:174)
      	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:874)
      	at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)
      	at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)
      	at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
      	at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689)
      	at java.lang.Thread.run(Thread.java:613)
      Caused by: javax.crypto.IllegalBlockSizeException: Input length must be multiple of 8 when decrypting with padded cipher
      	at com.sun.crypto.provider.SunJCE_h.b(DashoA12275)
      	at com.sun.crypto.provider.SunJCE_h.b(DashoA12275)
      	at com.sun.crypto.provider.SunJCE_af.b(DashoA12275)
      	at com.sun.crypto.provider.PBEWithMD5AndDESCipher.engineDoFinal(DashoA12275)
      	at javax.crypto.Cipher.doFinal(DashoA12275)
      	at com.atlassian.seraph.util.EncryptionUtils.decrypt(EncryptionUtils.java:73)
      	... 50 more
      2008-03-07 15:46:32,471 http-8090-Processor2 DEBUG [atlassian.seraph.auth.DefaultAuthenticator] Got username and password from cookie, attempting to authenticate user
      2008-03-07 15:46:32,472 http-8090-Processor2 DEBUG [atlassian.seraph.auth.DefaultAuthenticator] Could not find user who tried to login: com.opensymphony.user.EntityNotFoundException: No user  found
      2008-03-07 15:46:32,472 http-8090-Processor2 INFO [atlassian.seraph.auth.DefaultAuthenticator] Cannot login user '' as they do not exist.
      2008-03-07 15:46:32,472 http-8090-Processor2 WARN [atlassian.seraph.auth.DefaultAuthenticator] User:  tried to login but they do not have USE permission or weren't found. Deleting cookie.
      2008-03-07 15:46:32,472 http-8090-Processor2 DEBUG [atlassian.seraph.cookie.DefaultCookieHandler] invalidateCookie seraph.os.cookie for path /jira
      2008-03-07 15:46:32,472 http-8090-Processor2 DEBUG [atlassian.seraph.cookie.DefaultCookieHandler] CookieUtils.setCookie seraph.os.cookie:null
      2008-03-07 15:46:32,472 http-8090-Processor2 DEBUG [atlassian.seraph.auth.DefaultAuthenticator] Cannot log user in via a cookie

      Found while investigating a JIRA support case. Note that I replicated the problem in my own environment using the customer's data. The database contains two users. I logged in as the first user with the Remember me option set, then closed the browser, revisited JIRA, and I was logged in fine. Did the same thing with the second user, and upon revisiting JIRA I need to log in again. Note that after I log in, I do not visit any pages - as soon as I am shown the dashboard, I quit the browser.

      Tested this on both Safari and Firefox (on OSX). The seraph.os.cookie is still in the browser when I reopen it, so it definitely did save a cookie after logging in.

      Any ideas as to what is causing this?

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              sleberrigaud Samuel Berrigaud
              Reporter:
              mtokar Michael Tokar
              Participants:
              Votes:
              0 Vote for this issue
              Watchers:
              7 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved:
                Last commented:
                11 years, 35 weeks ago