Keiichi,

On 12/25/18 02:33, Keiichi Fujino wrote:
> Sun, Dec 23, 2018, 2:10 Christopher Schultz
> <ch...@christopherschultz.net>:
> 
> Keiichi,
> 
> On 12/21/18 02:58, Keiichi Fujino wrote:
>>>> Fri, Dec 21, 2018, 12:11 Christopher Schultz
>>>> <ch...@christopherschultz.net>:
>>>> 
>>>> Tim,
>>>> 
>>>> On 12/20/18 10:18, Tim K wrote:
>>>>>>>> 
>>>>>>>> I just downloaded and tried 9.0.14 but I'm still
>>>>>>>> getting the same BadPaddingException upon starting
>>>>>>>> the second instance.  I confirmed the encryptionKey
>>>>>>>> matches on my two instances.
>>>>>>>> 
>>>>>>> 
>>>>>>> Maybe something is wrong with my config?  For this
>>>>>>> test, I have both Tomcats on the same server using
>>>>>>> different ports:
>>>> 
>>>> This is the only thing that matters to the encryption
>>>> interceptor:
>>>> 
>>>>>>> <Interceptor
>>>>>>> className="org.apache.catalina.tribes.group.interceptors.EncryptInterceptor"
>>>>>>> encryptionKey="e0f2cdf931e99fdce0453964294f97f3" />
>>>> 
>>>> I'm not sure if the order of encrypt/asyncdispatch
>>>> interceptors matters much.
>>>> 
>>>> 
>>>> 
>>>>> Hi.
>>>> 
>>>>> In the case of using TcpFailureDetector, there is a case
>>>>> where it writes directly without passing through the
>>>>> interceptor chain.
>>>> 
>>>>> TcpFailureDetector#memberAlive writes the channel data
>>>>> directly to the output stream without passing through the
>>>>> interceptor chain. However, when receiving this channel
>>>>> data, it passes through the interceptor chain. So, it must
>>>>> be received by TcpFailureDetector before the decrypt of
>>>>> EncryptInterceptor. That is, the order is important. The
>>>>> order is EncryptInterceptor -> TcpFailureDetector.
> 
> How's this for an update to the EncryptInterceptor documentation:
> 
> " If using the <code>TcpFailureDetector</code>, the 
> <code>EncryptInterceptor</code> <i>must</i> be inserted into the
> interceptor chain <i>before</i> the 
> <code>TcpFailureDetector</code>. This is because the 
> <code>TcpFailureDetector</code> writes channel data directly 
> without using the remainder of the interceptor chain, but on the
> receiving side, the message still goes through the chain (in
> reverse). Because of this asymmetry, the
> <code>EncryptInterceptor</code> must execute <i>before</i> the
> <code>TcpFailureDetector</code> on the sender and <i>after</i> it
> on the receiver. "
> 
> 
>> Hi Chris.
> 
>> Writing channel data directly is only for member verification. 
>> Normal messages are sent/received via the interceptor chain. So,
>> it may be better to add a sentence that explains that writing
>> channel data directly is only for member verification, such as
>> "When TcpFailureDetector validates cluster members..." etc.

How about this:

"
If using the <code>TcpFailureDetector</code>, the
<code>EncryptInterceptor</code> <i>must</i> be inserted into the
interceptor chain <i>before</i> the <code>TcpFailureDetector</code>.
This is because when validating cluster members,
<code>TcpFailureDetector</code> writes channel data directly to the
other members without using the remainder of the interceptor chain,
but on the receiving side, the message still goes through the chain
(in reverse). Because of this asymmetry, the
<code>EncryptInterceptor</code> must execute <i>before</i> the
<code>TcpFailureDetector</code> on the sender and <i>after</i> it on
the receiver, otherwise message corruption will occur.
"

-chris
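
The ordering rule discussed in this thread, modelled as an added example (not code from the original message or from Tomcat). The class names, the `PROBE` marker and the keyed stand-in cipher are assumptions made for illustration; Tomcat's real interceptor uses its own cipher and message format.

```python
import hashlib
import hmac

KEY = bytes.fromhex("e0f2cdf931e99fdce0453964294f97f3")  # key quoted in the thread
PROBE = b"TFD-PROBE"  # hypothetical marker for a member-verification message

def _pad(n):
    # Keystream stand-in derived from KEY (illustration only, not Tomcat's cipher).
    return hashlib.shake_256(KEY).digest(n)

class Encrypt:
    """Model of an encrypting interceptor: authenticated toy cipher."""
    def send(self, data):
        body = bytes(a ^ b for a, b in zip(data, _pad(len(data))))
        return hmac.new(KEY, body, hashlib.sha256).digest() + body

    def receive(self, data):
        tag, body = data[:32], data[32:]
        if not hmac.compare_digest(tag, hmac.new(KEY, body, hashlib.sha256).digest()):
            raise ValueError("decrypt failed")  # analogue of BadPaddingException
        return bytes(a ^ b for a, b in zip(body, _pad(len(body))))

class FailureDetector:
    """Model of a failure detector: passes traffic, consumes its own probes."""
    def send(self, data):
        return data

    def receive(self, data):
        return None if data == PROBE else data

def send_app_message(chain, data):
    # Normal messages travel down the whole chain, first interceptor first.
    for interceptor in chain:
        data = interceptor.send(data)
    return data

def receive(chain, wire):
    # Everything read from the network travels up the chain in reverse.
    for interceptor in reversed(chain):
        wire = interceptor.receive(wire)
        if wire is None:
            return "probe handled"
    return wire

def probe_outcome(chain):
    # The probe is written directly to the wire, bypassing send() entirely.
    try:
        return receive(chain, PROBE)
    except ValueError as exc:
        return str(exc)

CORRECT = [Encrypt(), FailureDetector()]  # Encrypt before the failure detector
WRONG = [FailureDetector(), Encrypt()]    # decrypt runs first on receive
```

In this model, ordinary messages round-trip under either ordering; only the directly written probe reaches the decrypt step as plaintext when the order is reversed.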