It looks like this is patched in the latest 5.3.x branch! Big thanks to Misagh Moayyed! We will validate on the next release.
https://github.com/apereo/cas/blob/5.3.x/support/cas-server-support-saml/src/main/java/org/apereo/cas/support/saml/authentication/principal/SamlServiceFactory.java#L63

On Friday, September 7, 2018 at 7:12:54 AM UTC-4, Josh G wrote:
>
> I agree. That would work just as well.
>
> We're now stuck at 5.2.x and cannot move forward until this is patched. We have too many external vendor integrations that are impacted by this.
>
> On Thursday, September 6, 2018 at 4:04:15 PM UTC-4, Curtis Ruck wrote:
>>
>> or at least have a boolean that can be flipped to disable this.
>>
>> On Sunday, September 2, 2018 at 9:29:23 PM UTC-4, Josh G wrote:
>>>
>>> It's worth mentioning this issue is related to the following from July:
>>>
>>> https://groups.google.com/a/apereo.org/forum/#!searchin/cas-user/RequestId|sort:date/cas-user/tm8aQrzKDbc/e4I2dkgVCQAJ
>>>
>>> https://groups.google.com/a/apereo.org/forum/#!searchin/cas-user/RequestId|sort:date/cas-user/iQSoUno6Bms/zrQf5Ex-CAAJ
>>>
>>> I'd like to reiterate that patching the client is not a fix here; the core of 5.3 needs to be patched to gracefully accept a null RequestID as all previous versions of CAS have.
>>>
>>> On Monday, August 27, 2018 at 3:25:32 PM UTC-4, Josh G wrote:
>>>>
>>>> CAS 5.3.x introduces a breaking change to how RequestIDs are handled when validating SAML Services.
>>>>
>>>> In 5.2.x (and all previous versions of CAS), if the RequestID is not present, it will gracefully fail by returning a null value:
>>>>
>>>> https://github.com/apereo/cas/blob/5.2.x/support/cas-server-support-saml/src/main/java/org/apereo/cas/support/saml/authentication/principal/SamlServiceFactory.java
>>>>
>>>>     requestId = extractRequestId(requestBody);
>>>>
>>>>     /**
>>>>      * Extract request id from the body.
>>>>      *
>>>>      * @param requestBody the request body
>>>>      * @return the string
>>>>      */
>>>>     private static String extractRequestId(final String requestBody) {
>>>>         if (!requestBody.contains("RequestID")) {
>>>>             LOGGER.debug("Request body does not contain a request id");
>>>>             return null;
>>>>         }
>>>>
>>>>         try {
>>>>             final int position = requestBody.indexOf("RequestID=\"") + CONST_REQUEST_ID_LENGTH;
>>>>             final int nextPosition = requestBody.indexOf('"', position);
>>>>
>>>>             return requestBody.substring(position, nextPosition);
>>>>         } catch (final Exception e) {
>>>>             LOGGER.debug("Exception parsing RequestID from request.", e);
>>>>             return null;
>>>>         }
>>>>     }
>>>>
>>>> In 5.3.x, if the RequestID is not present it will throw a NullPointerException:
>>>>
>>>> https://github.com/apereo/cas/blob/5.3.x/support/cas-server-support-saml/src/main/java/org/apereo/cas/support/saml/authentication/principal/SamlServiceFactory.java#L63
>>>>
>>>>     @NonNull final Attribute requestIdAttribute = requestChild.getAttribute("RequestID");
>>>>     requestId = requestIdAttribute.getValue();
>>>>
>>>> This change will break all versions of apereo/mod_auth_cas (See: https://github.com/apereo/mod_auth_cas/issues/148) along with any other client that does not properly implement support for the RequestID parameter.
>>>>
>>>> This change should be reverted (this is as simple as removing the @NonNull Lombok annotation so the request will fall back to a null response). Breaking every install of mod_auth_cas along with other legacy clients cannot be considered acceptable.
>>>>
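The thread contrasts two ways of reading the optional RequestID attribute from a SAML 1.1 validate request: tolerate its absence (5.2.x, null) or dereference it unconditionally (5.3.x, NullPointerException). The following is an added illustration written for this page, not code from the CAS project: it parses a constructed SOAP-wrapped samlp:Request with a hardened DOM parser (the request body is untrusted input, so DTDs and external entities are disabled) and exposes both behaviours side by side. The class name, the two sample bodies and the method names are hypothetical; the DOM lookup is my own approach and differs from the string search in the 5.2.x snippet quoted above.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.Optional;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Attr;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/** Hypothetical extractor showing strict vs. lenient handling of a missing RequestID. */
public final class SamlRequestIdExtractor {

    // SAML 1.x protocol namespace used by samlValidate requests.
    private static final String SAMLP_NS = "urn:oasis:names:tc:SAML:1.0:protocol";

    // Constructed sample: a SAML 1.1 validate request that carries a RequestID.
    static final String WITH_REQUEST_ID =
        "<SOAP-ENV:Envelope xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\">"
        + "<SOAP-ENV:Body>"
        + "<samlp:Request xmlns:samlp=\"" + SAMLP_NS + "\" MajorVersion=\"1\" MinorVersion=\"1\""
        + " RequestID=\"_constructed-request-id-1\" IssueInstant=\"2018-08-27T19:25:32Z\">"
        + "<samlp:AssertionArtifact>ST-1-constructed-sample</samlp:AssertionArtifact>"
        + "</samlp:Request></SOAP-ENV:Body></SOAP-ENV:Envelope>";

    // Constructed sample: the same request without RequestID, as a legacy client might send it.
    static final String WITHOUT_REQUEST_ID =
        WITH_REQUEST_ID.replace(" RequestID=\"_constructed-request-id-1\"", "");

    /** Parses the request body with a parser hardened against DTD/entity tricks. */
    static Document parse(String body) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setNamespaceAware(true);
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
        DocumentBuilder builder = factory.newDocumentBuilder();
        return builder.parse(new ByteArrayInputStream(body.getBytes(StandardCharsets.UTF_8)));
    }

    /** Locates the samlp:Request element, or empty if the body is not a SAML 1.1 request. */
    static Optional<Element> findRequest(Document doc) {
        NodeList nodes = doc.getElementsByTagNameNS(SAMLP_NS, "Request");
        return nodes.getLength() == 0 ? Optional.empty() : Optional.of((Element) nodes.item(0));
    }

    /**
     * Strict variant: dereferences the attribute unconditionally, which is what a
     * non-null contract on the attribute amounts to. Absence becomes a NullPointerException.
     */
    static String extractRequestIdStrict(String body) throws Exception {
        Element request = findRequest(parse(body))
            .orElseThrow(() -> new IllegalArgumentException("no samlp:Request element"));
        Attr attr = request.getAttributeNode("RequestID"); // null when the attribute is absent
        return attr.getValue();                            // throws NullPointerException then
    }

    /** Lenient variant: absence is an expected outcome and is reported as Optional.empty(). */
    static Optional<String> extractRequestIdLenient(String body) throws Exception {
        return findRequest(parse(body))
            .filter(request -> request.hasAttribute("RequestID"))
            .map(request -> request.getAttribute("RequestID"))
            .filter(id -> !id.isEmpty());
    }

    public static void main(String[] args) throws Exception {
        System.out.println("lenient, with id:    " + extractRequestIdLenient(WITH_REQUEST_ID));
        System.out.println("lenient, without id: " + extractRequestIdLenient(WITHOUT_REQUEST_ID));
        System.out.println("strict, with id:     " + extractRequestIdStrict(WITH_REQUEST_ID));
        try {
            extractRequestIdStrict(WITHOUT_REQUEST_ID);
        } catch (NullPointerException e) {
            System.out.println("strict, without id:  NullPointerException, validation aborts");
        }
    }
}
```

Running the class prints the lenient result for both bodies and shows the strict variant failing only on the body without RequestID. The design point is that an optional protocol attribute should be modelled as optional in the code (Optional, or a documented null) so that a client which omits it degrades to "no InResponseTo to echo" rather than to an unhandled exception on the validation endpoint; the parser hardening is independent of that point and applies to any code that parses client-supplied XML.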
