*/
    protected void offerEncryptoCipher(final Cipher cipher) {
        encryptoQueue.offer(cipher);
    }

    /**
     * Polls a decryption cipher from the queue, creating a new one if none are available.
     *
     * @return a decryption cipher
     */
    protected Cipher pollDecryptoCipher() {
        Cipher cipher = decryptoQueue.poll();
        if (cipher == null) {
            try {

    /**
     * The key for user roles in the request attribute.
     */
    protected static final String USER_ROLES = "userRoles";

    /**
     * The cached cipher for encryption and decryption.
     */
    protected CachedCipher cipher;

    /**
     * The separator for values in the role string.
     */
    protected String valueSeparator = "\n";

    /**

## Changelog since v1.32.3

## Changes by Kind

### Bug or Regression

- Fix a bug where kube-apiserver could emit an further watch even even if decryption failed for earlier event and it was not emitted. ([#131159](https://github.com/kubernetes/kubernetes/pull/131159), [@wojtek-t](https://github.com/wojtek-t)) [SIG API Machinery and Etcd]

- Fix a bug where kube-apiserver could emit an further watch even even if decryption failed for earlier event and it was not emitted. ([#131020](https://github.com/kubernetes/kubernetes/pull/131020), [@wojtek-t](https://github.com/wojtek-t)) [SIG API Machinery and Etcd]

## Changelog since v1.31.7

## Changes by Kind

### Bug or Regression

- Fix a bug where kube-apiserver could emit an further watch even even if decryption failed for earlier event and it was not emitted. ([#131160](https://github.com/kubernetes/kubernetes/pull/131160), [@wojtek-t](https://github.com/wojtek-t)) [SIG API Machinery and Etcd]