[WICKET-6253] Redirect url parameters decoded - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Won't Fix
Affects Version/s: 6.16.0
Fix Version/s: None
Component/s: wicket
Labels:
- encode
- parameters
- redirect
- saml
- servlet

Description

When redirecting to an external url using RedirectToUrlException, org.apache.wicket.protocol.http.servlet.ServletWebResponse.encodeRedirectURL() changes the location. Decodes the parameters but encode does not give the same result.

SAMLv2 (opensaml) generates authentication request and signs it, IDP fails to validate signature as parameters have changed. Example:

http://example.host/sso/login/redirect?SAMLRequest=XYZ&RelayState=%2Fcomeback%2Fhere&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=XYZ

ServletWebResponse .encodeRedirectURL() changes it to:

http://example.host/sso/login/redirect?SAMLRequest=XYZ&RelayState=/comeback/here&SigAlg=http://www.w3.org/2000/09/xmldsig#rsa-sha1&Signature=XYZ

diff where change was created:
http://grepcode.com/file_/repo1.maven.org/maven2/org.apache.wicket/wicket-core/6.16.0/org/apache/wicket/protocol/http/servlet/ServletWebResponse.java/?v=diff&id2=6.15.0

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

wicket6253.zip
05/Oct/16 07:24
22 kB
Viktor Durica

Issue Links

is broken by

WICKET-5582 ServletWebResponse#encodeUrl() makes absolute Urls relative

Closed

Activity

People

Assignee:: Unassigned

Reporter:: Viktor Durica

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 04/Oct/16 14:37

Updated:: 31/Oct/16 20:10

Resolved:: 31/Oct/16 20:10