  1. PUBLIC - Liferay Portal Community Edition
  2. LPS-42799

Unable to impersonate users when the Java (JRE) provider has been changed over time (for example from IBM to Sun/Oracle). The message "Unable to impersonate userId because the string cannot be decrypted" occurs in the log starting from 6.1 GA2



      1. Start vanilla portal with an IBM JRE, for example (set JRE_HOME env. variable):

      java version "1.6.0"
      Java(TM) SE Runtime Environment (build pxi3260sr2-20080818_01(SR2))
      IBM J9 VM (build 2.4, J2RE 1.6.0 IBM J9 2.4 Linux x86-32 jvmxi3260-20080816_22093 (JIT enabled, AOT enabled)
      J9VM - 20080816_022093_lHdSMr
      JIT - r9_20080721_1330ifx2
      GC - 20080724_AA)
      JCL - 20080808_02

      2. Wait until the DB gets populated with default data
      3. Note the following WARN message in the log:

      15:18:38,024 WARN  [pool-2-thread-1][Encryptor:230] IBM JVM does not have com.sun.crypto.provider.SunJCE, using com.ibm.crypto.provider.IBMJCE instead

      4. Stop portal
      5. Change JRE_HOME to Sun/Oracle JRE
      6. Start portal
      7. Access portal. See the log:

      INFO: Server startup in 25727 ms
      15:20:20,417 INFO  [com.liferay.portal.plugin.PluginPackageUtil][PluginPackageUtil:1421] Checking for available updates
      15:20:20,418 INFO  [com.liferay.portal.plugin.PluginPackageUtil][PluginPackageUtil:1465] Finished checking for available updates in 1 ms
      15:20:20,738 WARN  [http-bio-6120-exec-1][Encryptor:130] Skip encrypting based on a null key
      15:20:25,271 WARN  [http-bio-6120-exec-6][Encryptor:130] Skip encrypting based on a null key
      15:20:27,960 WARN  [http-bio-6120-exec-7][Encryptor:130] Skip encrypting based on a null key
      15:21:59,366 WARN  [http-bio-6120-exec-1][Encryptor:130] Skip encrypting based on a null key
      15:22:05,743 WARN  [http-bio-6120-exec-1][Encryptor:130] Skip encrypting based on a null key
      15:22:10,510 WARN  [http-bio-6120-exec-1][Encryptor:130] Skip encrypting based on a null key
      15:22:10,544 WARN  [http-bio-6120-exec-1][Encryptor:130] Skip encrypting based on a null key

      This was added by LPS-27711.

      8. Go to Control Panel/Users & Organizations
      9. Create a new user
      10. Try to Impersonate the user. See the log

      15:22:15,793 WARN  [http-bio-6120-exec-1][PortalImpl:5937] Unable to impersonate 10502 because the string cannot be decrypted
      15:22:15,895 WARN  [http-bio-6120-exec-1][Encryptor:130] Skip encrypting based on a null key

      Result: A new browser tab is opened, but the user is still authenticated as the admin.

      === Technical Background
      1. Liferay stores the encryption key algorithm in the company table of the database. For this use case, it is com.ibm.crypto.provider.DESKey. Each JVM generally has its own algorithm implementation. (The security provider will be com.ibm.crypto.provider.IBMJCE, and the algorithm (DES, com.ibm.crypto.provider.DESKey) will be stored in Company.key_.)
      2. CompanyLocalServiceImpl#checkCompanyKey(long companyId) cannot re-create the new key upon startup
      3. Company.keyObj will be null as the Classloader won't find the implementation:

      CompanyImpl.getKeyObj() calls Base64.stringToObject in "silent" mode, so the thrown ClassNotFoundException won't be logged.

      === Quick solution
      1. Stop portal
      2. Delete values of field "key_" in the Company table for each company
      3. Start portal
      Now CompanyLocalServiceImpl#checkCompanyKey() will create the new key for each company using the appropriate security provider.
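
A diagnostic for the silent failure described under Technical Background, as an added example that is not part of the original issue or of Liferay's code: it reads the class name from the header of each exported `key_` value and flags keys tied to one JCE provider. It assumes `key_` holds a standard-alphabet Base64 encoding of a Java serialization stream (suggested by the `Base64.stringToObject` call and the `ClassNotFoundException` above); the function names, company IDs and sample values are constructed for illustration.

```python
import base64
import struct

# Constants from java.io.ObjectStreamConstants
STREAM_MAGIC, STREAM_VERSION = 0xACED, 5
TC_OBJECT, TC_CLASSDESC = 0x73, 0x72

def serialized_class_name(b64_value):
    """Class name of the top-level object in a Base64-encoded Java serialization stream."""
    raw = base64.b64decode(b64_value)
    if len(raw) < 8:
        raise ValueError("too short for a serialization header")
    magic, version, tc_obj, tc_desc, name_len = struct.unpack(">HHBBH", raw[:8])
    if (magic, version) != (STREAM_MAGIC, STREAM_VERSION):
        raise ValueError("not a Java serialization stream")
    if (tc_obj, tc_desc) != (TC_OBJECT, TC_CLASSDESC):
        raise ValueError("top-level element is not a new object with a class descriptor")
    name = raw[8:8 + name_len]
    if len(name) != name_len:
        raise ValueError("truncated class name")
    return name.decode("utf-8")

def check_company_keys(rows):
    """rows: (companyId, key_) pairs exported from the Company table."""
    findings = []
    for company_id, key_value in rows:
        if not key_value:
            findings.append((company_id, "EMPTY", None))
            continue
        try:
            cls = serialized_class_name(key_value)
        except ValueError as exc:  # also covers bad Base64 padding
            findings.append((company_id, "UNREADABLE", str(exc)))
            continue
        # Heuristic (assumption): java.*/javax.* classes ship with every JRE; anything
        # else must be supplied by the JCE provider of the JVM that runs the portal.
        portable = cls.startswith(("java.", "javax."))
        findings.append((company_id, "OK" if portable else "PROVIDER_SPECIFIC", cls))
    return findings

def constructed_key(class_name):
    """Constructed sample: real stream header, zero filler instead of key data."""
    name = class_name.encode("utf-8")
    header = struct.pack(">HHBBH", STREAM_MAGIC, STREAM_VERSION, TC_OBJECT, TC_CLASSDESC, len(name))
    return base64.b64encode(header + name + bytes(8)).decode("ascii")

if __name__ == "__main__":
    sample = [(10154, constructed_key("com.ibm.crypto.provider.DESKey")),
              (10155, constructed_key("java.security.KeyRep")), (10156, "")]
    for finding in check_company_keys(sample):
        print(finding)
```

A `PROVIDER_SPECIFIC` row names the class the running JRE must be able to load; if it cannot, that company's key is a candidate for the quick solution above.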





              shitian.zhang Shitian "Shelton" Zhang (Inactive)
              tibor.lipusz Tibor Lipusz
              Kiyoshi Lee Kiyoshi Lee


                8 years, 51 weeks, 6 days ago


                  Version Package
                  6.1.X EE
                  6.2.4 CE GA5
                  6.2.X EE
                  7.0.0 M1