JSF“错误 Mac 未验证！” [复制]

Question

我一直在尝试用 jsf 中的 primefaces 实现一些基本的推送功能。我在那里使用了反例http://www.primefaces.org/showcase-labs/push/counter.jsf。本质上它是一个增加共享计数器的按钮。运行此示例时，我总是收到此错误：

ERROR: MAC did not verify!

我的理解是，每个会话都会生成一个 mac，然后检查每条传入的消息以验证源没有改变（我认为）。我一直无法找到导致此问题的原因并查看了其他线程，例如：

ERROR: MAC did not verify! PrimeFaces

JSF: Mojarra 2.1 to 2.2 migration causing ViewExpiredException

不幸的是，这些并没有解决我的问题。两者似乎都是由我没有得到的 ViewExpiredException 引起的。我发现阻止它的唯一方法是在 web.xml 中将状态保存方法从客户端更改为服务器：

<param-name>javax.faces.STATE_SAVING_METHOD</param-name>
<param-value>client</param-value>

但是，当这样做时，计数器不再共享，而是似乎是每个用户的，这不是我想要的。我的最终目标是实现一个聊天室，它大部分都在那里，但现在它使用短轮询，这不是很可扩展。看过 primefaces push 我认为它会很理想，但一直在努力使用它。

我在多个 Web 服务器（Tomcat、Jetty 和 Glassfish）上进行了尝试，并尝试使用不同版本的 JSF (Mojarra) 和 primefaces 版本（3.4 和 4.0）。我已经在多个浏览器和多台计算机上对其进行了测试。有时我可以在收到错误之前将计数器增加几次，有时它会立即发生。我没有任何异常或服务器错误，并且一切都可以编译。我还想提一下，我之前在其他项目上也遇到过这个错误，但是在重新启动服务器后它就消失了。当使用 primefaces push 时，它总是会发生。任何帮助将不胜感激。

编辑

当在 web.xml 中将状态保存到服务器以避免 MAC 错误时，我注意到共享计数器在同一台机器的每个浏览器基础上工作。这意味着如果我有多个选项卡或窗口，则在一次更新中更新计数器。但它不适用于跨浏览器，firefox 中计数器的更改不会反映在 chrome 或 IE 中，或者反之亦然。如果在两台单独的计算机上也不会反映出来。我不知道这是否有帮助，但我想我会提到它。

编辑

在注意到示例中的 bean 是会话作用域后，我将其更改为应用程序作用域。当然，会话范围意味着每个浏览器都有自己的副本。现在，这些变化反映在浏览器和机器上。回到我原来的问题，我仍然想知道为什么将保存状态更改为服务器会修复 MAC 错误，这意味着什么？我假设服务器现在必须维护每个会话而不是客户端的视图状态，可扩展性更低/客户端-服务器流量更多？根据我的阅读，如果您将保存状态设置为服务器，您将无法检查视图过期异常或阻止用户创建视图（如果他们已经有太多视图），这是正确的吗？

Answer 1

您的应用程序似乎存在依赖问题 ViewExpiredException 可以轻松处理，没问题 handle ViewExpiredException

完整配置的 JSF 项目示例JSF2.2 frontend

Answer 2

ByteArrayGuard 类随机输出“错误：MAC 未验证！”到错误控制台的消息。这仅在启用客户端视图状态加密并且多个客户端针对服务器运行时才会发生。

因此，您必须在 Java Server Faces 引用中更改该类...

/*
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
 *
 * Copyright (c) 1997-2011 Oracle and/or its affiliates. All rights reserved.
 *
 * The contents of this file are subject to the terms of either the GNU
 * General Public License Version 2 only ("GPL") or the Common Development
 * and Distribution License("CDDL") (collectively, the "License").  You
 * may not use this file except in compliance with the License.  You can
 * obtain a copy of the License at
 * https://glassfish.dev.java.net/public/CDDL+GPL_1_1.html
 * or packager/legal/LICENSE.txt.  See the License for the specific
 * language governing permissions and limitations under the License.
 *
 * When distributing the software, include this License Header Notice in each
 * file and include the License file at packager/legal/LICENSE.txt.
 *
 * GPL Classpath Exception:
 * Oracle designates this particular file as subject to the "Classpath"
 * exception as provided by Oracle in the GPL Version 2 section of the License
 * file that accompanied this code.
 *
 * Modifications:
 * If applicable, add the following below the License Header, with the fields
 * enclosed by brackets [] replaced by your own identifying information:
 * "Portions Copyright [year] [name of copyright owner]"
 *
 * Contributor(s):
 * If you wish your version of this file to be governed by only the CDDL or
 * only the GPL Version 2, indicate your decision by adding "[Contributor]
 * elects to include this software in this distribution under the [CDDL or GPL
 * Version 2] license."  If you don't indicate a single choice of license, a
 * recipient has the option to distribute your version of this file under
 * either the CDDL, the GPL Version 2 or to extend the choice of license to
 * its licensees as provided above.  However, if you add GPL Version 2 code
 * and therefore, elected the GPL Version 2 license, then the option applies
 * only if the new code is made subject to such option by the copyright
 * holder.
 */

package com.sun.faces.renderkit;

import com.sun.faces.util.FacesLogger;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.Mac;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
import javax.faces.FacesException;

/**
 * <p>This utility class is to provide both encryption and
 * decryption <code>Ciphers</code> to <code>ResponseStateManager</code>
 * implementations wishing to provide encryption support.</p>
 * 
 * <p>The algorithm used to encrypt byte array is AES with CBC.</p>
 *  
 * <p>Original author Inderjeet Singh, J2EE Blue Prints Team. Modified to suit JSF
 * needs.</p> 
 */
public final class ByteArrayGuard {


     // Log instance for this class
    private static final Logger LOGGER = FacesLogger.RENDERKIT.getLogger();

    private static final int MAC_LENGTH = 32;
    private static final int KEY_LENGTH = 128;
    private static final int IV_LENGTH = 16;

    private static final String KEY_ALGORITHM = "AES";
    private static final String CIPHER_CODE = "AES/CBC/PKCS5Padding";
    private static final String MAC_CODE = "HmacSHA256";
    private SecretKey sk;

    // ------------------------------------------------------------ Constructors

    public ByteArrayGuard() {

        try {
            setupKeyAndMac();
        } catch (Exception e) {
            if (LOGGER.isLoggable(Level.SEVERE)) { 
                LOGGER.log(Level.SEVERE,
                           "Unexpected exception initializing encryption."
                           + "  No encryption will be performed.",
                           e);
            }
            System.err.println("ERROR: Initializing Ciphers");
        }
    }

    // ---------------------------------------------------------- Public Methods    


    /**
     * This method:
     *    Encrypts bytes using a cipher.  
     *    Generates MAC for intialization vector of the cipher
     *    Generates MAC for encrypted data
     *    Returns a byte array consisting of the following concatenated together:
     *       |MAC for cnrypted Data | MAC for Init Vector | Encrypted Data |
     * @param bytes The byte array to be encrypted.
     * @return the encrypted byte array.
     */
    public byte[] encrypt(byte[] bytes) {
        byte[] securedata = null;
        try {
            // Generate IV
            SecureRandom rand = new SecureRandom();
            byte[] iv = new byte[16];
            rand.nextBytes(iv);
            IvParameterSpec ivspec = new IvParameterSpec(iv);
            Cipher encryptCipher = Cipher.getInstance(CIPHER_CODE);
            encryptCipher.init(Cipher.ENCRYPT_MODE, sk, ivspec);
            Mac encryptMac = Mac.getInstance(MAC_CODE);
            encryptMac.init(sk);
            encryptMac.update(iv);
            // encrypt the plaintext
            byte[] encdata = encryptCipher.doFinal(bytes);
            byte[] macBytes = encryptMac.doFinal(encdata);
            byte[] tmp = concatBytes(macBytes, iv);
            securedata = concatBytes(tmp, encdata);
        } catch (Exception e) {
            if (LOGGER.isLoggable(Level.SEVERE)) {
                LOGGER.log(Level.SEVERE,
                           "Unexpected exception initializing encryption."
                           + "  No encryption will be performed.",
                           e);
            }
            return null;
        }
        return securedata;
    }

    /**
     * This method decrypts the provided byte array.
     * The decryption is only performed if the regenerated MAC
     * is the same as the MAC for the received value.
     * @param bytes Encrypted byte array to be decrypted.
     * @return Decrypted byte array.
     */
    public byte[] decrypt(byte[] bytes) {
        try {
            // Extract MAC
            byte[] macBytes = new byte[MAC_LENGTH];
            System.arraycopy(bytes, 0, macBytes, 0, macBytes.length);

            // Extract IV
            byte[] iv = new byte[IV_LENGTH];
            System.arraycopy(bytes, macBytes.length, iv, 0, iv.length);

            // Extract encrypted data
            byte[] encdata = new byte[bytes.length - macBytes.length - iv.length];
            System.arraycopy(bytes, macBytes.length + iv.length, encdata, 0, encdata.length);

            IvParameterSpec ivspec = new IvParameterSpec(iv);
            Cipher decryptCipher = Cipher.getInstance(CIPHER_CODE);
            decryptCipher.init(Cipher.DECRYPT_MODE, sk, ivspec);

            // verify MAC by regenerating it and comparing it with the received value
            Mac decryptMac = Mac.getInstance(MAC_CODE);
            decryptMac.init(sk);
            decryptMac.update(iv);
            decryptMac.update(encdata);
            byte[] macBytesCalculated = decryptMac.doFinal();
            if (Arrays.equals(macBytes, macBytesCalculated)) {
                // continue only if the MAC was valid
                // System.out.println("Valid MAC found!");
                byte[] plaindata = decryptCipher.doFinal(encdata);
                return plaindata;
            } else {
                System.err.println("ERROR: MAC did not verify!");
                return null;
            }
        } catch (Exception e) {
            System.err.println("ERROR: Decrypting:"+e.getCause());
            return null; // Signal to JSF runtime
        }
    }

    // --------------------------------------------------------- Private Methods

    /**
     * Generates secret key.
     * Initializes MAC(s).
     */
    private void setupKeyAndMac() {

        try {
            KeyGenerator kg = KeyGenerator.getInstance(KEY_ALGORITHM);
            kg.init(KEY_LENGTH);   // 256 if you're using the Unlimited Policy Files
            sk = kg.generateKey(); 

        } catch (Exception e) {
            throw new FacesException(e);
        }
    }

    /**
     * This method concatenates two byte arrays
     * @return a byte array of array1||array2
     * @param array1 first byte array to be concatenated
     * @param array2 second byte array to be concatenated
     */
    private static byte[] concatBytes(byte[] array1, byte[] array2) {
        byte[] cBytes = new byte[array1.length + array2.length];
        try {
            System.arraycopy(array1, 0, cBytes, 0, array1.length);
            System.arraycopy(array2, 0, cBytes, array1.length, array2.length);
        } catch(Exception e) {
            throw new FacesException(e);
        }
        return cBytes;
    }    
}

然后重新加载这个 jar。 JSF_REFERENCE