Hi, this is one server's cas.properties. The other server is very similar, other than the host name is dcasde02, and it has a different signing key and encryption key, since they are unique per server.

Is there any misconfiguration you can see? If a CAS cluster can work without session affinity, how does one server decrypt a value encrypted by another server using a different key? Thx!

server.name=http://dcasde01:8443
server.prefix=${server.name}/cas
cas.securityContext.status.access=hasIpAddress('172.18.100.52')
cas.securityContext.statistics.access=hasIpAddress('172.18.100.52')
cas.themeResolver.defaultThemeName=cas-theme-default
cas.viewResolver.basename=default_views
host.name=dcasde01.dev.medplus.com
tgc.encryption.key=LqWoZsHfEYQZ3KIzWiC_KE8iUoKXK48FgTiIDpTZs80
tgc.signing.key=O7Y5GookFVgYjhTE2sQZPxTeUr07jlcNDIo5G34rSxulP1FPaYs-5_dc_87a5OrOEvAAp0BImQ9sPxuy_MX-jQ
hz.cluster.members=dcasde01.dev.medplus.com,dcasde02.dev.medplus.com
cas.logout.followServiceRedirects=true
tgt.maxTimeToLiveInSeconds=28800
st.timeToKillInSeconds=300
service.registry.config.location=file:///etc/cas-config/cas-management/services

On Thursday, January 5, 2017 at 12:49:42 PM UTC-5, sesharaju sv wrote:
> Hello Yan,
>
> You would have missed some configurations in cas.properties. Please share the properties so that we can review and let you know the issue.
>
> Thanks
> Seshu
>
> On 5 January 2017 at 20:17, Yan Zhou <yana...@gmail.com> wrote:
> > Hello,
> >
> > When you submit the CAS4 login page, sometimes you get "Decode flow execution error". For a long time, I have been struggling as to why this happens. I think we have an answer.
> >
> > This most likely happens in a cluster environment when you have multiple active CAS4 servers. They each have a different signing key. The webflow values are encrypted by the CAS server handling the request and sent back to the CAS login form; when the form is submitted, the encrypted value comes back to the CAS server. Without session affinity, one server can sign the data, but the other server won't decrypt it, because the keys are different.
> >
> > That is my theory; do you think that would cause this error? I did verify that when the server cannot decrypt data, it results in a null value, which causes the following exception.
> >
> > 2016-11-23 15:21:01,746 ERROR [org.jasig.cas.util.BinaryCipherExecutor] - Unable to correctly extract the Initialization Vector or ciphertext.
> > org.apache.shiro.crypto.CryptoException: Unable to correctly extract the Initialization Vector or ciphertext.
> >     at org.apache.shiro.crypto.JcaCipherService.decrypt(JcaCipherService.java:378)
> >     at org.jasig.cas.util.BinaryCipherExecutor.decode(BinaryCipherExecutor.java:120)
> >     at org.jasig.cas.util.BinaryCipherExecutor.decode(BinaryCipherExecutor.java:42)
> >     at org.jasig.cas.web.flow.CasWebflowCipherBean.decrypt(CasWebflowCipherBean.java:58)
> >     at org.jasig.spring.webflow.plugin.EncryptedTranscoder.decode(EncryptedTranscoder.java:105)
> >     at org.jasig.spring.webflow.plugin.ClientFlowExecutionRepository.getFlowExecution(ClientFlowExecutionRepository.java:90)
> >     at org.springframework.webflow.executor.FlowExecutorImpl.resumeExecution(FlowExecutorImpl.java:168)
> >     at org.springframework.webflow.mvc.servlet.FlowHandlerAdapter.handle(FlowHandlerAdapter.java:228)
> >     at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:959)
> >     at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:893)
> >     at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:967)
> >     at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:869)
> >     at javax.servlet.http.HttpServlet.service(Unknown Source)
> >     at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:843)
> >     at javax.servlet.http.HttpServlet.service(Unknown Source)
> >     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Unknown Source)
> >     at org.apache.catalina.core.ApplicationFilterChain.doFilter(Unknown Source)
> >     at org.apache.tomcat.websocket.server.WsFilter.doFilter(Unknown Source)
> >     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Unknown Source)
> >     at org.apache.catalina.core.ApplicationFilterChain.doFilter(Unknown Source)
> >     at org.jasig.cas.security.ResponseHeadersEnforcementFilter.doFilter(ResponseHeadersEnforcementFilter.java:227)
> >     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Unknown Source)
> >     at org.jasig.cas.security.RequestParameterPolicyEnforcementFilter.doFilter(RequestParameterPolicyEnforcementFilter.java:250)
> >     at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:344)
> >     at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:261)
> >     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Unknown Source)
> >     at org.apache.catalina.core.ApplicationFilterChain.doFilter(Unknown Source)
> >     at org.jasig.inspektr.common.web.ClientInfoThreadLocalFilter.doFilter(ClientInfoThreadLocalFilter.java:62)
> >     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Unknown Source)
> >     at org.apache.catalina.core.ApplicationFilterChain.doFilter(Unknown Source)
> >     at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:85)
> >     at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
> >     at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:344)
> >     at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:261)
> >     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Unknown Source)
> >     at org.apache.catalina.core.ApplicationFilterChain.doFilter(Unknown Source)
> >     at org.apache.catalina.core.StandardWrapperValve.invoke(Unknown Source)
> >     at org.apache.catalina.core.StandardContextValve.invoke(Unknown Source)
> >     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(Unknown Source)
> >     at org.apache.catalina.core.StandardHostValve.invoke(Unknown Source)
> >     at org.apache.catalina.valves.ErrorReportValve.invoke(Unknown Source)
> >     at org.apache.catalina.valves.AccessLogValve.invoke(Unknown Source)
> >     at org.apache.catalina.valves.RemoteIpValve.invoke(Unknown Source)
> >     at org.apache.catalina.core.StandardEngineValve.invoke(Unknown Source)
> >     at org.apache.catalina.connector.CoyoteAdapter.service(Unknown Source)
> >     at org.apache.coyote.http11.AbstractHttp11Processor.process(Unknown Source)
> >     at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(Unknown Source)
> >     at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.doRun(Unknown Source)
> >     at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.run(Unknown Source)
> >     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> >     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> >     at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(Unknown Source)
> >     at java.lang.Thread.run(Thread.java:745)
> > Caused by: java.lang.NullPointerException
> >     at java.lang.System.arraycopy(Native Method)
> >     at org.apache.shiro.crypto.JcaCipherService.decrypt(JcaCipherService.java:370)
> >     ... 53 more
> >
> > Thx,
> > Yan
> >
> > --
> > - CAS gitter chatroom: https://gitter.im/apereo/cas
> > - CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
> > - CAS documentation website: https://apereo.github.io/cas
> > - CAS project website: https://github.com/apereo/cas
> > ---
> > You received this message because you are subscribed to the Google Groups "CAS Community" group.
> > To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
> > To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/765dfc4c-70bd-4141-bf87-8c1c983fff92%40apereo.org.
>
> --
> Venkata S Sadhu
> India (Mobile) : +91 9850438062
> USA (VOIP) : +1 330 984 0330
> Pune Maharastra
> INDIA
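
The failure mode discussed in this thread, as an added example that is not part of the original messages and is not CAS code: it compares the `*.encryption.key` and `*.signing.key` properties of two nodes and replays a value protected by one node against the other. The host names and key values are constructed placeholders, and HMAC-SHA256 stands in for the CAS cipher so the sketch runs with the standard library only.

```python
import hashlib
import hmac

# Constructed configs for two cluster nodes; hosts and key values are placeholders.
NODE1 = """\
host.name=node1.example.org
tgc.encryption.key=constructed-enc-key-node1
tgc.signing.key=constructed-sign-key-node1
hz.cluster.members=node1.example.org,node2.example.org
"""
NODE2 = """\
host.name=node2.example.org
tgc.encryption.key=constructed-enc-key-node2
tgc.signing.key=constructed-sign-key-node2
hz.cluster.members=node1.example.org,node2.example.org
"""

def parse_properties(text):
    """Parse simple key=value lines, skipping blanks and comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def mismatched_keys(a, b, suffixes=(".encryption.key", ".signing.key")):
    """Key properties whose values differ (or are missing) between two nodes."""
    names = {k for k in a.keys() | b.keys() if k.endswith(suffixes)}
    return sorted(k for k in names if a.get(k) != b.get(k))

def sign(state, key):
    """Prefix the state with an HMAC tag (stand-in for the node's cipher)."""
    return hmac.new(key.encode(), state, hashlib.sha256).digest() + state

def verify(blob, key):
    """Return the state if the tag checks out under this key, else None."""
    tag, state = blob[:32], blob[32:]
    expected = hmac.new(key.encode(), state, hashlib.sha256).digest()
    return state if hmac.compare_digest(tag, expected) else None

def round_trip(issuer, receiver, prop="tgc.signing.key"):
    """A value issued by one node and sent back to another (no session affinity)."""
    return verify(sign(b"client-held-state", issuer[prop]), receiver[prop])
```

With per-node keys, `round_trip` returns `None` whenever the receiving node is not the issuing one, which mirrors the null value described in the quoted message; with the same key material on both nodes it returns the original bytes.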