  1. PUBLIC - Liferay Portal Community Edition
  2. LPS-42799

Unable to impersonate users after the Java (JRE) provider has been changed over time (for example from IBM to SUN/Oracle). The message "Unable to impersonate userId because the string cannot be decrypted" appears in the log starting from 6.1 GA2

    Details

      Description

      1. Start vanilla portal with an IBM JRE, for example (set JRE_HOME env. variable):

      java version "1.6.0"
      Java(TM) SE Runtime Environment (build pxi3260sr2-20080818_01(SR2))
      IBM J9 VM (build 2.4, J2RE 1.6.0 IBM J9 2.4 Linux x86-32 jvmxi3260-20080816_22093 (JIT enabled, AOT enabled)
      J9VM - 20080816_022093_lHdSMr
      JIT - r9_20080721_1330ifx2
      GC - 20080724_AA)
      JCL - 20080808_02
      

      2. Wait until the DB gets populated with default data
      3. Note the following WARN message in the log:

      15:18:38,024 WARN  [pool-2-thread-1][Encryptor:230] IBM JVM does not have com.sun.crypto.provider.SunJCE, using com.ibm.crypto.provider.IBMJCE instead
      

      4. Stop portal
      5. Change JRE_HOME to Sun/Oracle JRE
      6. Start portal
      7. Access portal. See the log:

      INFO: Server startup in 25727 ms
      15:20:20,417 INFO  [com.liferay.portal.plugin.PluginPackageUtil][PluginPackageUtil:1421] Checking for available updates
      15:20:20,418 INFO  [com.liferay.portal.plugin.PluginPackageUtil][PluginPackageUtil:1465] Finished checking for available updates in 1 ms
      15:20:20,738 WARN  [http-bio-6120-exec-1][Encryptor:130] Skip encrypting based on a null key
      15:20:25,271 WARN  [http-bio-6120-exec-6][Encryptor:130] Skip encrypting based on a null key
      15:20:27,960 WARN  [http-bio-6120-exec-7][Encryptor:130] Skip encrypting based on a null key
      15:21:59,366 WARN  [http-bio-6120-exec-1][Encryptor:130] Skip encrypting based on a null key
      15:22:05,743 WARN  [http-bio-6120-exec-1][Encryptor:130] Skip encrypting based on a null key
      15:22:10,510 WARN  [http-bio-6120-exec-1][Encryptor:130] Skip encrypting based on a null key
      15:22:10,544 WARN  [http-bio-6120-exec-1][Encryptor:130] Skip encrypting based on a null key
      

      This was added by LPS-27711.

      8. Go to Control Panel/Users & Organizations
      9. Create a new user
      10. Try to Impersonate the user. See the log

      15:22:15,793 WARN  [http-bio-6120-exec-1][PortalImpl:5937] Unable to impersonate 10502 because the string cannot be decrypted
      15:22:15,895 WARN  [http-bio-6120-exec-1][Encryptor:130] Skip encrypting based on a null key
      

      Result: A new browser tab is opened, but the user is still authenticated as the admin

      === Technical Background
      1. Liferay stores the encryption key algorithm in the company table of the database. For this use case, it is com.ibm.crypto.provider.DESKey. Each JVM generally has its own algorithm implementation. (The security provider will be com.ibm.crypto.provider.IBMJCE, and the algorithm (DES, com.ibm.crypto.provider.DESKey) will be stored in Company.key_.)
      2. CompanyLocalServiceImpl#checkCompanyKey(long companyId) cannot re-create the new key upon startup
      3. Company.keyObj will be null as the Classloader won't find the implementation:

      CompanyImpl.getKeyObj() calls Base64.stringToObject in "silent" mode, so the thrown ClassNotFoundException won't be logged.

      === Quick solution
      1. Stop portal
      2. Delete values of field "key_" in the Company table for each company
      3. Start portal
      Now CompanyLocalServiceImpl#checkCompanyKey() will create the new "key" for each company using the appropriate Security Provider.
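
A pre-migration check for the condition described under Technical Background, as an added example that is not part of the original issue or Liferay's code: it reads the class name out of a Company.key_ value without a JVM, so a key bound to a vendor-specific class can be spotted before JRE_HOME is changed. It assumes key_ holds a Base64-encoded standard Java serialization stream; the function names and the sample values are constructed for illustration.

```python
import base64
import struct

# Java Object Serialization Stream Protocol constants (java.io.ObjectStreamConstants).
STREAM_MAGIC, STREAM_VERSION = 0xACED, 5
TC_OBJECT, TC_CLASSDESC = 0x73, 0x72
# Vendor packages taken from the WARN line in the issue; classes under them
# ship only with that vendor's JRE, so another JRE cannot deserialize them.
PROVIDER_PACKAGES = ("com.ibm.crypto.provider.", "com.sun.crypto.provider.")


def serialized_class_name(key_b64):
    """Return the class name of the top-level object in a Base64 Java stream."""
    raw = base64.b64decode(key_b64)
    if len(raw) < 8:
        raise ValueError("too short to be a serialized object")
    magic, version, tc_obj, tc_desc, name_len = struct.unpack(">HHBBH", raw[:8])
    if magic != STREAM_MAGIC or version != STREAM_VERSION:
        raise ValueError("not a Java serialization stream")
    if tc_obj != TC_OBJECT or tc_desc != TC_CLASSDESC:
        raise ValueError("stream does not start with an object and class descriptor")
    name = raw[8:8 + name_len]
    if len(name) != name_len:
        raise ValueError("truncated class name")
    return name.decode("utf-8")


def check_company_key(key_b64):
    """Classify a key_ value as (status, class_name)."""
    if not key_b64 or not key_b64.strip():
        return "empty", None  # state after the quick solution: key is regenerated
    try:
        name = serialized_class_name(key_b64.strip())
    except ValueError:  # also covers binascii.Error and UnicodeDecodeError
        return "unreadable", None
    status = "provider-bound" if name.startswith(PROVIDER_PACKAGES) else "other"
    return status, name


def constructed_sample(class_name):
    """Build the leading bytes of a stream for class_name (constructed, not a real key)."""
    name = class_name.encode("utf-8")
    header = struct.pack(">HHBBH", STREAM_MAGIC, STREAM_VERSION,
                         TC_OBJECT, TC_CLASSDESC, len(name))
    return base64.b64encode(header + name + bytes(8)).decode("ascii")


if __name__ == "__main__":
    for value in (constructed_sample("com.ibm.crypto.provider.DESKey"), ""):
        print(check_company_key(value))
```

A "provider-bound" result on a portal that is about to move to a different JRE vendor indicates the null-key condition above will occur after the switch.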


                  Packages

                  Version Package
                  6.1.X EE
                  6.2.4 CE GA5
                  6.2.X EE
                  7.0.0 M1