Its worth mentioning this issue is related to the following from July: https://groups.google.com/a/apereo.org/forum/#!searchin/cas-user/RequestId|sort:date/cas-user/tm8aQrzKDbc/e4I2dkgVCQAJ https://groups.google.com/a/apereo.org/forum/#!searchin/cas-user/RequestId|sort:date/cas-user/iQSoUno6Bms/zrQf5Ex-CAAJ
I'd like to reiterate that patching the client is not a fix here, the core of 5.3 needs to be patched to gracefully accept a null RequestID as all previous versions of CAS have. On Monday, August 27, 2018 at 3:25:32 PM UTC-4, Josh G wrote: > > > CAS 5.3.x introduces a breaking change to how RequestIDs are handled when > validating SAML Services. > > *In 5.2.x (and all previous version of CAS), if the RequestID is not > present, it will gracefully fail by returning a null value:* > > > https://github.com/apereo/cas/blob/5.2.x/support/cas-server-support-saml/src/main/java/org/apereo/cas/support/saml/authentication/principal/SamlServiceFactory.java > > > > > requestId = extractRequestId(requestBody); > > /** > * Extract request id from the body. > * > * @param requestBody the request body > * @return the string > */ > private static String extractRequestId(final String requestBody) { > if (!requestBody.contains("RequestID")) { > LOGGER.debug("Request body does not contain a request id"); > return null; > } > > try { > final int position = requestBody.indexOf("RequestID=\"") + > CONST_REQUEST_ID_LENGTH; > final int nextPosition = requestBody.indexOf('"', position); > > return requestBody.substring(position, nextPosition); > } catch (final Exception e) { > LOGGER.debug("Exception parsing RequestID from request.", e); > return null; > } > } > > > > *In 5.3.x, if the RequestID is not present it will throw a > NullPointerException:* > > > https://github.com/apereo/cas/blob/5.3.x/support/cas-server-support-saml/src/main/java/org/apereo/cas/support/saml/authentication/principal/SamlServiceFactory.java#L63 > > > > > > > *@NonNullfinal Attribute requestIdAttribute = > requestChild.getAttribute("RequestID"); requestId = > requestIdAttribute.getValue();This change will break all versions of > apereo/mod_auth_cas (See: https://github.com/apereo/mod_auth_cas/issues/148 > <https://github.com/apereo/mod_auth_cas/issues/148>) along with any other > client that does not properly implement support for the RequestID > parameter.* > > This change should be reverted (this is as simple as removing the > @NonNull Lombok annotation so the request will failback to a null > response). Breaking every install of mod_auth_cas along with other legacy > clients cannot be considered acceptable. > -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/ad134531-d91c-4b13-a216-b3df6070b348%40apereo.org.
