or at least have a boolean that can be flipped to disable this. On Sunday, September 2, 2018 at 9:29:23 PM UTC-4, Josh G wrote: > > Its worth mentioning this issue is related to the following from July: > > > https://groups.google.com/a/apereo.org/forum/#!searchin/cas-user/RequestId|sort:date/cas-user/tm8aQrzKDbc/e4I2dkgVCQAJ > > https://groups.google.com/a/apereo.org/forum/#!searchin/cas-user/RequestId|sort:date/cas-user/iQSoUno6Bms/zrQf5Ex-CAAJ > > I'd like to reiterate that patching the client is not a fix here, the core > of 5.3 needs to be patched to gracefully accept a null RequestID as all > previous versions of CAS have. > > On Monday, August 27, 2018 at 3:25:32 PM UTC-4, Josh G wrote: >> >> >> CAS 5.3.x introduces a breaking change to how RequestIDs are handled when >> validating SAML Services. >> >> *In 5.2.x (and all previous version of CAS), if the RequestID is not >> present, it will gracefully fail by returning a null value:* >> >> >> https://github.com/apereo/cas/blob/5.2.x/support/cas-server-support-saml/src/main/java/org/apereo/cas/support/saml/authentication/principal/SamlServiceFactory.java >> >> >> >> >> requestId = extractRequestId(requestBody); >> >> /** >> * Extract request id from the body. >> * >> * @param requestBody the request body >> * @return the string >> */ >> private static String extractRequestId(final String requestBody) { >> if (!requestBody.contains("RequestID")) { >> LOGGER.debug("Request body does not contain a request id"); >> return null; >> } >> >> try { >> final int position = requestBody.indexOf("RequestID=\"") + >> CONST_REQUEST_ID_LENGTH; >> final int nextPosition = requestBody.indexOf('"', position); >> >> return requestBody.substring(position, nextPosition); >> } catch (final Exception e) { >> LOGGER.debug("Exception parsing RequestID from request.", e); >> return null; >> } >> } >> >> >> >> *In 5.3.x, if the RequestID is not present it will throw a >> NullPointerException:* >> >> >> https://github.com/apereo/cas/blob/5.3.x/support/cas-server-support-saml/src/main/java/org/apereo/cas/support/saml/authentication/principal/SamlServiceFactory.java#L63 >> >> >> >> >> >> >> *@NonNullfinal Attribute requestIdAttribute = >> requestChild.getAttribute("RequestID"); requestId = >> requestIdAttribute.getValue();This change will break all versions of >> apereo/mod_auth_cas (See: https://github.com/apereo/mod_auth_cas/issues/148 >> <https://github.com/apereo/mod_auth_cas/issues/148>) along with any other >> client that does not properly implement support for the RequestID >> parameter.* >> >> This change should be reverted (this is as simple as removing the >> @NonNull Lombok annotation so the request will failback to a null >> response). Breaking every install of mod_auth_cas along with other legacy >> clients cannot be considered acceptable. >> >
-- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/888c48ad-66ee-4d3e-9886-31dac618d858%40apereo.org.
