  1. Wicket
  2. WICKET-6253

Redirect url parameters decoded


    Details

      Description

      When redirecting to an external URL using RedirectToUrlException, org.apache.wicket.protocol.http.servlet.ServletWebResponse.encodeRedirectURL() changes the location. It decodes the parameters, but encoding them again does not give the same result.

      SAMLv2 (opensaml) generates an authentication request and signs it; the IdP fails to validate the signature as the parameters have changed. Example:

      http://example.host/sso/login/redirect?SAMLRequest=XYZ&RelayState=%2Fcomeback%2Fhere&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=XYZ

      ServletWebResponse.encodeRedirectURL() changes it to:

      http://example.host/sso/login/redirect?SAMLRequest=XYZ&RelayState=/comeback/here&SigAlg=http://www.w3.org/2000/09/xmldsig#rsa-sha1&Signature=XYZ

      Diff where the change was created:
      http://grepcode.com/file_/repo1.maven.org/maven2/org.apache.wicket/wicket-core/6.16.0/org/apache/wicket/protocol/http/servlet/ServletWebResponse.java/?v=diff&id2=6.15.0
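
      Added example (not part of the original report and not Wicket or opensaml code): the SAML HTTP-Redirect binding signs the URL-encoded query octets, so a check over the two URLs above shows which raw parameters the rewrite altered and why verification then fails. Python is used so it runs with the standard library only; the helper names are hypothetical, and HMAC-SHA256 with a constructed key stands in for the RSA signature.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed stand-in key: real deployments sign with RSA (see SigAlg);
# HMAC is used here only so the example runs with the standard library.
DEMO_KEY = b"constructed-demo-key"
SIGNED_ORDER = ("SAMLRequest", "RelayState", "SigAlg")

def raw_params(url):
    """Return query parameters exactly as encoded on the wire (no decoding)."""
    query = urlsplit(url).query  # anything after '#' is a fragment, not query
    pairs = (p.partition("=") for p in query.split("&") if p)
    return {name: value for name, _, value in pairs}

def signed_octets(url):
    """Rebuild the string the redirect binding signs, from raw encoded values."""
    params = raw_params(url)
    return "&".join(f"{k}={params[k]}" for k in SIGNED_ORDER if k in params)

def sign(url):
    return hmac.new(DEMO_KEY, signed_octets(url).encode(), hashlib.sha256).hexdigest()

def verify(url, signature):
    return hmac.compare_digest(sign(url), signature)

def altered_params(before, after):
    """Names whose raw value changed or vanished between two redirect URLs."""
    a, b = raw_params(before), raw_params(after)
    return sorted(k for k in a if a[k] != b.get(k))

# The two URLs from the report above.
ORIGINAL = ("http://example.host/sso/login/redirect?SAMLRequest=XYZ"
            "&RelayState=%2Fcomeback%2Fhere"
            "&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1"
            "&Signature=XYZ")
REWRITTEN = ("http://example.host/sso/login/redirect?SAMLRequest=XYZ"
             "&RelayState=/comeback/here"
             "&SigAlg=http://www.w3.org/2000/09/xmldsig#rsa-sha1&Signature=XYZ")

if __name__ == "__main__":
    sig = sign(ORIGINAL)
    print("original verifies: ", verify(ORIGINAL, sig))
    print("rewritten verifies:", verify(REWRITTEN, sig))
    print("altered parameters:", altered_params(ORIGINAL, REWRITTEN))
```

      Besides changing the signed octets, the decoded `#` in SigAlg turns the rest of the URL into a fragment, so the Signature parameter no longer reaches the server as part of the query.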

        Attachments

        1. wicket6253.zip
          22 kB
          Viktor Durica


              People

              • Assignee:
                Unassigned
                Reporter:
                viktor.durica Viktor Durica