CAS 5.3.x introduces a breaking change to how RequestIDs are handled when validating SAML Services.
*In 5.2.x (and all previous versions of CAS), if the RequestID is not present, it will gracefully fail by returning a null value:*

https://github.com/apereo/cas/blob/5.2.x/support/cas-server-support-saml/src/main/java/org/apereo/cas/support/saml/authentication/principal/SamlServiceFactory.java

    requestId = extractRequestId(requestBody);

    /**
     * Extract request id from the body.
     *
     * @param requestBody the request body
     * @return the string
     */
    private static String extractRequestId(final String requestBody) {
        if (!requestBody.contains("RequestID")) {
            LOGGER.debug("Request body does not contain a request id");
            return null;
        }
        try {
            final int position = requestBody.indexOf("RequestID=\"") + CONST_REQUEST_ID_LENGTH;
            final int nextPosition = requestBody.indexOf('"', position);
            return requestBody.substring(position, nextPosition);
        } catch (final Exception e) {
            LOGGER.debug("Exception parsing RequestID from request.", e);
            return null;
        }
    }

*In 5.3.x, if the RequestID is not present it will throw a NullPointerException:*

https://github.com/apereo/cas/blob/5.3.x/support/cas-server-support-saml/src/main/java/org/apereo/cas/support/saml/authentication/principal/SamlServiceFactory.java#L63

    @NonNull
    final Attribute requestIdAttribute = requestChild.getAttribute("RequestID");
    requestId = requestIdAttribute.getValue();

*This change will break all versions of apereo/mod_auth_cas (see: https://github.com/apereo/mod_auth_cas/issues/148) along with any other client that does not properly implement support for the RequestID parameter.*

This change should be reverted (this is as simple as removing the @NonNull Lombok annotation so the request will fall back to a null response). Breaking every install of mod_auth_cas along with other legacy clients cannot be considered acceptable.
Posted to the Google Groups "CAS Community" list (cas-user): https://groups.google.com/a/apereo.org/d/msgid/cas-user/bb707ba1-3a60-4cb8-beff-17997dccb514%40apereo.org
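The two behaviours described in the post, side by side, as an added example that is not CAS or mod_auth_cas code. It uses the JDK's own DOM API rather than whatever XML library the CAS factory uses, the two SAML 1.1 validate bodies are constructed samples, the hardened parser settings are a defensive addition of this example (the request body is client-supplied input), and the `@NonNull`-style null check is written out by hand to approximate what Lombok generates:

```java
import java.io.StringReader;
import java.util.Optional;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Attr;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

/** Added example (not CAS code): lenient vs strict handling of a missing RequestID. */
public final class RequestIdExtractor {

    private static final String SAMLP_NS = "urn:oasis:names:tc:SAML:1.0:protocol";

    // Constructed sample: a SAML 1.1 validate body with no RequestID attribute,
    // the shape a legacy client that never implemented RequestID would send.
    static final String BODY_WITHOUT_ID =
          "<SOAP-ENV:Envelope xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\">"
        + "<SOAP-ENV:Header/><SOAP-ENV:Body>"
        + "<samlp:Request xmlns:samlp=\"" + SAMLP_NS + "\""
        + " MajorVersion=\"1\" MinorVersion=\"1\" IssueInstant=\"2018-01-01T00:00:00Z\">"
        + "<samlp:AssertionArtifact>ST-1-example</samlp:AssertionArtifact>"
        + "</samlp:Request></SOAP-ENV:Body></SOAP-ENV:Envelope>";

    // Same constructed body with a RequestID present.
    static final String BODY_WITH_ID = BODY_WITHOUT_ID.replace(
        "MajorVersion=\"1\"", "RequestID=\"_example-request-1\" MajorVersion=\"1\"");

    // Parser hardened against DTD / external-entity processing: the body is untrusted input.
    private static DocumentBuilder hardenedBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    private static Element requestElement(String body) throws Exception {
        Document doc = hardenedBuilder().parse(new InputSource(new StringReader(body)));
        NodeList requests = doc.getElementsByTagNameNS(SAMLP_NS, "Request");
        if (requests.getLength() != 1) {
            throw new IllegalArgumentException(
                "expected exactly one samlp:Request, found " + requests.getLength());
        }
        return (Element) requests.item(0);
    }

    /** Lenient behaviour (what the post asks to restore): a missing attribute becomes an empty Optional. */
    public static Optional<String> extractRequestIdLenient(String body) throws Exception {
        // getAttributeNode returns null when the attribute is absent; getAttribute would return "",
        // which would blur the difference between "absent" and "present but empty".
        Attr attr = requestElement(body).getAttributeNode("RequestID");
        return attr == null ? Optional.empty() : Optional.of(attr.getValue());
    }

    /** Strict behaviour: the null check a @NonNull annotation generates, written out by hand. */
    public static String extractRequestIdStrict(String body) throws Exception {
        Attr attr = requestElement(body).getAttributeNode("RequestID");
        if (attr == null) {
            throw new NullPointerException("requestIdAttribute");
        }
        return attr.getValue();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("lenient, with ID:    " + extractRequestIdLenient(BODY_WITH_ID));
        System.out.println("lenient, without ID: " + extractRequestIdLenient(BODY_WITHOUT_ID));
        System.out.println("strict, with ID:     " + extractRequestIdStrict(BODY_WITH_ID));
        try {
            extractRequestIdStrict(BODY_WITHOUT_ID);
        } catch (NullPointerException e) {
            System.out.println("strict, without ID:  NullPointerException, validation request fails");
        }
    }
}
```

Running `main` shows the difference the post is about: the lenient extractor returns an empty value for the RequestID-less body and lets validation continue, while the strict variant throws a NullPointerException on exactly that input. The `getAttributeNode` versus `getAttribute` distinction matters when reviewing a fix, since substituting `getAttribute` would silently turn an absent attribute into an empty string instead of a null.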
