[ https://issues.apache.org/jira/browse/SLING-9433?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robert Munteanu resolved SLING-9433.
------------------------------------
    Resolution: Fixed

> Do not log stack trace in case of cookies with no match in the token store
> --------------------------------------------------------------------------
>
>                 Key: SLING-9433
>                 URL: https://issues.apache.org/jira/browse/SLING-9433
>             Project: Sling
>          Issue Type: Improvement
>          Components: Authentication
>            Reporter: Robert Munteanu
>            Assignee: Robert Munteanu
>            Priority: Major
>             Fix For: Form Based Authentication 1.0.20
>
>
> When a cookie does not have a match in the token store, a stack trace is 
> logged at error level
> {noformat}
> 08.05.2020 14:21:42.991 *ERROR* [qtp804599815-226] org.apache.sling.auth.form.impl.TokenStore No installed provider supports this key: (null)
> java.security.InvalidKeyException: No installed provider supports this key: (null)
>       at java.base/javax.crypto.Mac.chooseProvider(Mac.java:392)
>       at java.base/javax.crypto.Mac.init(Mac.java:435)
>       at org.apache.sling.auth.form.impl.TokenStore.encode(TokenStore.java:174) [org.apache.sling.auth.form:1.0.19.SNAPSHOT]
>       at org.apache.sling.auth.form.impl.TokenStore.isValid(TokenStore.java:229) [org.apache.sling.auth.form:1.0.19.SNAPSHOT]
>       at org.apache.sling.auth.form.impl.FormAuthenticationHandler.extractCredentials(FormAuthenticationHandler.java:195) [org.apache.sling.auth.form:1.0.19.SNAPSHOT]
> {noformat}
> (snip)
> This is easily preventable, as we should not be passing a null {{SecretKey}} 
> further. Instead, we should log an ERROR and consider the cookie as invalid.
> Steps to reproduce:
> 1. Start up Sling Starter
> 2. Log in
> 3. Stop Sling Starter
> 4. Remove sling directory
> 5. Start Sling Starter
> 6. Visit front page
> Alternatively, save a Sling login cookie ( sling.formauth=... ) and send it 
> via a curl call to a fresh instance of Sling.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
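The defect described in the issue, and the guard that fixes it, as an added example that is not Sling's code. It models a token store that keeps HMAC keys by id and validates a login cookie: the unguarded path looks up the key and hands the result straight to the MAC, so a cookie minted by an earlier instance (whose keys are gone) turns into an exception from inside the crypto library; the guarded path treats a missing key as "cookie invalid", logs one error line and never calls the MAC. The cookie layout `expiry@user@keyid@mac` and the names `TokenStore`, `new_key`, `clear`, `is_valid_unguarded` and `demo` are constructed for this example and do not follow Sling's real format.

```python
"""Added example (not Sling's own code): HMAC-backed login-cookie validation
that rejects cookies whose key is no longer in the store instead of handing a
null key to the MAC. The token layout and names below are constructed."""
import hashlib
import hmac
import logging
import secrets
import time

log = logging.getLogger("tokenstore")


class TokenStore:
    """Keeps HMAC keys by id. A key id with no entry means the cookie was
    minted by another instance, e.g. before the data directory was removed."""

    def __init__(self):
        self._keys = {}  # key_id -> 32 random bytes

    def new_key(self):
        key_id = secrets.token_hex(4)
        self._keys[key_id] = secrets.token_bytes(32)
        return key_id

    def clear(self):
        """Simulates 'remove sling directory': every key is gone."""
        self._keys.clear()

    @staticmethod
    def _mac(key, payload):
        # Stands in for Mac.init(key) + Mac.doFinal(payload). A None key raises
        # TypeError here, just as a null SecretKey raises InvalidKeyException
        # inside javax.crypto.Mac in the stack trace above.
        return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()

    def encode(self, key_id, user, ttl_seconds=3600):
        expiry = int(time.time()) + ttl_seconds
        payload = f"{expiry}@{user}@{key_id}"
        return f"{payload}@{self._mac(self._keys[key_id], payload)}"

    def is_valid_unguarded(self, token):
        """Bug pattern from the issue: the key lookup result is used without
        checking for a missing entry, so the failure surfaces as a crypto
        exception (and a logged stack trace) rather than as 'invalid cookie'."""
        expiry, user, key_id, mac = token.split("@")
        key = self._keys.get(key_id)  # None when the store has no match
        expected = self._mac(key, f"{expiry}@{user}@{key_id}")
        return int(expiry) > time.time() and hmac.compare_digest(expected, mac)

    def is_valid(self, token, now=None):
        """Fixed pattern: a malformed cookie, a cookie whose key is not in the
        store, or an expired cookie is simply invalid. One error line is
        logged for the missing-key case; the MAC is only computed with a real key."""
        now = time.time() if now is None else now
        try:
            expiry, user, key_id, mac = token.split("@")
            expiry = int(expiry)
        except ValueError:
            log.error("malformed login cookie; treating it as invalid")
            return False
        key = self._keys.get(key_id)
        if key is None:
            log.error("no key %s in token store; treating cookie as invalid", key_id)
            return False
        if expiry <= now:
            return False
        expected = self._mac(key, f"{expiry}@{user}@{key_id}")
        return hmac.compare_digest(expected, mac)


def demo():
    """Walks the reproduction from the issue: mint a cookie, wipe the store
    (fresh instance), present the same cookie again.
    Returns (buggy_path_raised, fixed_path_result)."""
    store = TokenStore()
    kid = store.new_key()
    cookie = store.encode(kid, "admin")
    assert store.is_valid(cookie)  # accepted while the key exists
    store.clear()
    try:
        store.is_valid_unguarded(cookie)
        buggy_raised = False
    except TypeError:
        buggy_raised = True
    return buggy_raised, store.is_valid(cookie)


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    print(demo())  # (True, False): buggy path raises, fixed path rejects quietly
```

The guard sits before the MAC call on purpose: once the key is known to exist, the remaining checks (expiry, then a constant-time digest comparison) can fail closed without ever touching the crypto layer with bad input, so an unmatched cookie is logged as a single error line instead of an exception trace.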
