- Type: Bug
- Status: Closed
- Resolution: Fixed
- Affects Version/s: 6.0.12 EE, 6.1.1 CE GA2, 6.1.2 CE GA3, 6.1.20 EE GA2, 6.1.30 EE GA3, 6.2.0 CE GA1, 6.2.10 EE GA1
- Fix Version/s: 6.1.X EE, 6.2.4 CE GA5, 6.2.X EE, 7.0.0 M1
- Component/s: Legacy Components, Legacy Components > API, User Management
- Environment: JAVA VIRTUAL MACHINE 1: IBM; JAVA VIRTUAL MACHINE 2: SUN/Oracle
- Branch Version/s: 6.2.x, 6.1.x
- Backported to Branch: Committed
- Story Points: 8
- Fix Priority: 4
- Git Pull Request:

1. Start vanilla portal with an IBM JRE, for example (set JRE_HOME env. variable):
java version "1.6.0"
Java(TM) SE Runtime Environment (build pxi3260sr2-20080818_01(SR2))
IBM J9 VM (build 2.4, J2RE 1.6.0 IBM J9 2.4 Linux x86-32 jvmxi3260-20080816_22093 (JIT enabled, AOT enabled)
J9VM - 20080816_022093_lHdSMr
JIT - r9_20080721_1330ifx2
GC - 20080724_AA)
JCL - 20080808_02
2. Wait until the DB gets populated with default data
3. Note the following WARN message in the log:
15:18:38,024 WARN [pool-2-thread-1][Encryptor:230] IBM JVM does not have com.sun.crypto.provider.SunJCE, using com.ibm.crypto.provider.IBMJCE instead
4. Stop portal
5. Change JRE_HOME to Sun/Oracle JRE
6. Start portal
7. Access portal. See the log:
INFO: Server startup in 25727 ms
15:20:20,417 INFO [com.liferay.portal.plugin.PluginPackageUtil][PluginPackageUtil:1421] Checking for available updates
15:20:20,418 INFO [com.liferay.portal.plugin.PluginPackageUtil][PluginPackageUtil:1465] Finished checking for available updates in 1 ms
15:20:20,738 WARN [http-bio-6120-exec-1][Encryptor:130] Skip encrypting based on a null key
15:20:25,271 WARN [http-bio-6120-exec-6][Encryptor:130] Skip encrypting based on a null key
15:20:27,960 WARN [http-bio-6120-exec-7][Encryptor:130] Skip encrypting based on a null key
15:21:59,366 WARN [http-bio-6120-exec-1][Encryptor:130] Skip encrypting based on a null key
15:22:05,743 WARN [http-bio-6120-exec-1][Encryptor:130] Skip encrypting based on a null key
15:22:10,510 WARN [http-bio-6120-exec-1][Encryptor:130] Skip encrypting based on a null key
15:22:10,544 WARN [http-bio-6120-exec-1][Encryptor:130] Skip encrypting based on a null key
This was added by LPS-27711.
8. Go to Control Panel/Users & Organizations
9. Create a new user
10. Try to Impersonate the user. See the log
15:22:15,793 WARN [http-bio-6120-exec-1][PortalImpl:5937] Unable to impersonate 10502 because the string cannot be decrypted
15:22:15,895 WARN [http-bio-6120-exec-1][Encryptor:130] Skip encrypting based on a null key
Result: A new browser tab is opened, but the user is still authenticated as the admin.
=== Technical Background
1. Liferay stores the encryption key algorithm in the Company table of the database. For this use case, it is com.ibm.crypto.provider.DESKey. Each JVM generally has its own algorithm implementation. (The security provider will be com.ibm.crypto.provider.IBMJCE, and the algorithm (DES, com.ibm.crypto.provider.DESKey) will be stored in Company.key_.)
2. CompanyLocalServiceImpl#checkCompanyKey(long companyId) cannot re-create the new key upon startup.
3. Company.keyObj will be null as the Classloader won't find the implementation:
CompanyImpl.getKeyObj() calls Base64.stringToObject in "silent" mode, so the thrown ClassNotFoundException won't be logged.
=== Quick solution
1. Stop portal
2. Delete values of field "key_" in the Company table for each company
3. Start portal
Now CompanyLocalServiceImpl#checkCompanyKey() will create the new "key" for each company using the appropriate Security Provider.
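
A diagnostic for the silent failure described under Technical Background, added here as an example and not Liferay code: it decodes one Company.key_ value and reports either the classes the stored key needs or the class the current JVM cannot load, which tells you which companies need the quick solution. It assumes key_ holds standard Base64 over a Java-serialized object and needs Java 8 or later for java.util.Base64; the class name CompanyKeyCheck is hypothetical.

```java
import java.io.*;
import java.util.*;
import javax.crypto.KeyGenerator;

public class CompanyKeyCheck {
    // Records each class name the stream asks for; the normal lookup still runs,
    // so a class this JVM lacks raises ClassNotFoundException as in the portal.
    static class RecordingStream extends ObjectInputStream {
        final List<String> classNames = new ArrayList<>();

        RecordingStream(InputStream in) throws IOException {
            super(in);
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            classNames.add(desc.getName());
            return super.resolveClass(desc);
        }
    }

    // Reports the outcome for one key_ value instead of swallowing the failure.
    // Deserializes its input: feed it only values from your own Company table.
    static String check(String base64Key) throws IOException {
        byte[] raw = Base64.getMimeDecoder().decode(base64Key); // tolerates line breaks
        try (RecordingStream in = new RecordingStream(new ByteArrayInputStream(raw))) {
            Object key = in.readObject();
            return "OK: " + key.getClass().getName() + ", stream needs " + in.classNames;
        } catch (ClassNotFoundException e) {
            return "UNREADABLE on this JVM, missing class: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        String value;
        if (args.length > 0) {
            value = args[0]; // a key_ value copied from the Company table
        } else {
            // Constructed sample: a DES key generated and serialized on this JVM.
            ByteArrayOutputStream bytes = new ByteArrayOutputStream();
            try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
                out.writeObject(KeyGenerator.getInstance("DES").generateKey());
            }
            value = Base64.getEncoder().encodeToString(bytes.toByteArray());
        }
        System.out.println(check(value));
    }
}
```

Run it with the JRE the portal will start under, passing a key_ value as the only argument; with no argument it checks the constructed sample key.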
- Relates: LPE-10213 Unable to impersonate users when JRE provided has been changed (Closed)