Hi, Steinar,

This is what I use to generate the key:

    openssl enc -aes-128-cbc -k secret -P -md sha256

Let me know if that works for you.

> On Apr 6, 2025, at 12:42 PM, Steinar Bang <s...@dod.no> wrote:
>
> I'm trying to finally get rid of annoying log messages like this (error
> messages that have plagued me since I first started using shiro):
> https://gist.github.com/steinarb/7c06c116620be8460d7d9e58c9a6e6d6
>
> I have googled and found this old thing (from Mr. Shiro himself, Brian
> Demers):
> https://stackoverflow.com/questions/59489303/caused-by-javax-crypto-badpaddingexception-given-final-block-not-properly-padd#comment105182482_59489303
>
> The URL linked to in the above stackoverflow reply no longer works, but
> I think this is the current version of that URL:
> https://shiro.apache.org/configuration.html#Configuration-INIConfiguration-Sections-Main-DefiningObject-SettingProperties-ByteArrayValues
>
> So far, so good! But what I don't get is what I should put into cipherkey?
>
> Or if this is an old answer and no longer relevant?
>
> I think the answer may no longer be relevant because cipherkey used to
> be a constant and it hasn't been a constant since Shiro 1.2.5...?
> https://www.tenable.com/plugins/nessus/159323
>
> Back when the answer was given, I think the answer was: use any base64
> coded value pulled out of a hat, as long as it isn't the default one.
>
> But now, when I look at the securitymanager cipherkey in the debugger
> there seems to be a different one on every startup...?
>
> So what is the correct thing to currently do to lose the log message in
> the first URL?
>
> I'm currently using shiro 2.0.2, with rememberMe set to true on the
> token and with a MemorySessionDAO.
>
> I am running my web applications in OSGi in apache karaf. Session and
> Realm are OSGi services that are injected into servletcontext components.
>
> The Realm OSGi service is provided by this OSGi component
> https://github.com/steinarb/authservice/blob/master/authservice/authservice.web.security.dbrealm/src/main/java/no/priv/bang/authservice/web/security/dbrealm/AuthserviceDbRealm.java#L23
>
> The Session OSGi service is provided by this OSGi component
> https://github.com/steinarb/authservice/blob/master/authservice/authservice.web.security.memorysession/src/main/java/no/priv/bang/authservice/web/security/memorysession/MemorySession.java#L23
>
> The shiro.ini file looks like this:
> https://github.com/steinarb/authservice/blob/master/authservice/authservice.web.security/src/main/resources/shiro.ini
>
> The rest of the shiro setup looks like this:
> https://github.com/steinarb/authservice/blob/master/authservice/authservice.web.security/src/main/java/no/priv/bang/authservice/web/security/AuthserviceShiroFilter.java#L65
>
> Login looks like this:
> https://github.com/steinarb/authservice/blob/master/authservice/authservice.web.security/src/main/java/no/priv/bang/authservice/web/security/resources/AuthserviceResource.java#L101
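
Added example (not part of the thread and not Shiro's or authservice's own code): the -P option in the openssl command above prints salt=, key= and "iv =" lines, and Shiro's INI format takes byte-array properties as Base64 by default or as hex with a 0x prefix. The script below extracts the hex key from that output, checks that it is a valid AES key length, and prints the matching shiro.ini line. Assumptions: the function names and the sample output are constructed here, and the rememberMeManager is configured through the [main] section of shiro.ini.

```shell
#!/bin/sh
# Added example: turn `openssl enc ... -P` output into a shiro.ini cipherKey line.

# Constructed sample of what `openssl enc -aes-128-cbc -k ... -P -md sha256`
# prints. These values are made up for illustration; never reuse them.
SAMPLE_OUTPUT='salt=1A2B3C4D5E6F7081
key=00112233445566778899AABBCCDDEEFF
iv =0F1E2D3C4B5A69788796A5B4C3D2E1F0'

# extract_key: read `openssl enc -P` output on stdin, print only the hex key.
extract_key() {
    sed -n 's/^key=\([0-9A-Fa-f]*\)$/\1/p' | head -n 1
}

# valid_aes_key: succeed only for 32, 48 or 64 hex digits (AES-128/192/256).
valid_aes_key() {
    case "$1" in
        ''|*[!0-9A-Fa-f]*) return 1 ;;
    esac
    case "${#1}" in
        32|48|64) return 0 ;;
        *) return 1 ;;
    esac
}

# shiro_ini_line: print the [main] entry for a hex key, or fail with a message.
# The 0x prefix tells Shiro's INI parser that the value is hex, not Base64.
shiro_ini_line() {
    if ! valid_aes_key "$1"; then
        echo "not a 128/192/256-bit hex key" >&2
        return 1
    fi
    printf 'securityManager.rememberMeManager.cipherKey = 0x%s\n' "$1"
}

# Demo on the constructed sample; with real output, pipe openssl into extract_key.
key=$(printf '%s\n' "$SAMPLE_OUTPUT" | extract_key)
shiro_ini_line "$key"
```

A key fixed in configuration stays the same across restarts, so rememberMe cookies issued before a restart can still be decrypted afterwards. Treat the generated line as a secret and keep it out of version control.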