I'm trying to finally get rid of annoying log messages like this (error messages that have plagued me since I first started using shiro): https://gist.github.com/steinarb/7c06c116620be8460d7d9e58c9a6e6d6
I have googled and found this old thing (from Mr. Shiro himself, Brian Demers): https://stackoverflow.com/questions/59489303/caused-by-javax-crypto-badpaddingexception-given-final-block-not-properly-padd#comment105182482_59489303

The URL linked to in the above Stack Overflow reply no longer works, but I think this is the current version of that URL: https://shiro.apache.org/configuration.html#Configuration-INIConfiguration-Sections-Main-DefiningObject-SettingProperties-ByteArrayValues

So far, so good! But what I don't get is what I should put into cipherkey? Or if this is an old answer and no longer relevant? I think the answer may no longer be relevant because cipherkey used to be a constant and it hasn't been a constant since Shiro 1.2.5...? https://www.tenable.com/plugins/nessus/159323

Back when the answer was given, I think the answer was: use any base64 coded value pulled out of a hat, as long as it isn't the default one. But now, when I look at the securitymanager cipherkey in the debugger there seems to be a different one on every startup...?

So what is the correct thing to currently do to lose the log message in the first URL?

I'm currently using Shiro 2.0.2, with rememberMe set to true on the token and with a MemorySessionDAO. I am running my web applications in OSGi in Apache Karaf. Session and Realm are OSGi services that are injected into servletcontext components.

The Realm OSGi service is provided by this OSGi component: https://github.com/steinarb/authservice/blob/master/authservice/authservice.web.security.dbrealm/src/main/java/no/priv/bang/authservice/web/security/dbrealm/AuthserviceDbRealm.java#L23

The Session OSGi service is provided by this OSGi component: https://github.com/steinarb/authservice/blob/master/authservice/authservice.web.security.memorysession/src/main/java/no/priv/bang/authservice/web/security/memorysession/MemorySession.java#L23

The shiro.ini file looks like this: https://github.com/steinarb/authservice/blob/master/authservice/authservice.web.security/src/main/resources/shiro.ini

The rest of the Shiro setup looks like this: https://github.com/steinarb/authservice/blob/master/authservice/authservice.web.security/src/main/java/no/priv/bang/authservice/web/security/AuthserviceShiroFilter.java#L65

Login looks like this: https://github.com/steinarb/authservice/blob/master/authservice/authservice.web.security/src/main/java/no/priv/bang/authservice/web/security/resources/AuthserviceResource.java#L101
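
An added illustration of the situation the post describes (not part of the original post and not Shiro's own code): plain JCA AES-GCM stands in for the rememberMe cookie encryption, showing that a cookie encrypted under one startup's random key is rejected under the next startup's key, while a key generated once and kept in configuration keeps working. It assumes the log messages come from cookies issued before a restart; the class and method names (`RememberMeKeyDemo`, `newKey`, `encrypt`, `decrypt`) and the sample principal are hypothetical.

```java
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class RememberMeKeyDemo {
    static final SecureRandom RNG = new SecureRandom();

    // Stand-in for a key generated at startup (what the post sees change in the debugger).
    static byte[] newKey() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256, RNG);
        return kg.generateKey().getEncoded();
    }

    // AES-GCM with a random 12-byte IV prepended to the ciphertext.
    static byte[] encrypt(byte[] key, byte[] plain) throws Exception {
        byte[] iv = new byte[12];
        RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(plain);
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    // Reads the IV from the first 12 bytes, then decrypts and verifies the GCM tag.
    static byte[] decrypt(byte[] key, byte[] cookie) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(128, cookie, 0, 12));
        return c.doFinal(cookie, 12, cookie.length - 12);
    }

    public static void main(String[] args) throws Exception {
        byte[] principal = "constructed-principal".getBytes("UTF-8"); // constructed sample value
        byte[] cookie = encrypt(newKey(), principal);
        try {
            decrypt(newKey(), cookie); // "after restart": a different random key
        } catch (AEADBadTagException e) { // a subclass of BadPaddingException
            System.out.println("new key per startup: old cookie rejected (" + e.getClass().getSimpleName() + ")");
        }
        byte[] fixed = newKey(); // generated once, then kept in configuration as a secret
        System.out.println("fixed key: " + new String(decrypt(fixed, encrypt(fixed, principal)), "UTF-8"));
        // Base64 is the byte-array form the linked INI documentation describes for values like cipherKey.
        System.out.println("base64 for configuration: " + Base64.getEncoder().encodeToString(fixed));
    }
}
```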