Bug 977761 - PLINK2-25 characterEncoding parameter not used in for Post Requests in ServiceProviderAuthenticator
Keywords:
Status: CLOSED UPSTREAM
Alias: None
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: PicketLink
Version: 6.1.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: ---
Target Release: ---
Assignee: Tom Fonteyne
QA Contact: Josef Cacek
URL:
Whiteboard:
Depends On:
Blocks: 977766
Reported: 2013-06-25 09:35 UTC by Tom Fonteyne
Modified: 2013-12-15 12:45 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
A timing issue was found in PicketLink which resulted in parameters being read from POST requests in the ServiceProviderAuthenticator using the default encoding instead of the desired encoding. The issue was caused when PicketLink read its parameters before the Tomcat valve had set the encoding. To resolve this issue the encoding has been moved so that it is the very first step in the `authenticate` method.
Clone Of:
Environment:
Last Closed: 2013-06-25 12:03:19 UTC
Type: Bug




Links
System       ID         Private  Priority  Status  Summary  Last Updated
Apache JIRA  PLINK2-25  0        None      None    None     Never

Description Tom Fonteyne 2013-06-25 09:35:55 UTC
PicketLink:

picketlink-bindings/picketlink-tomcat-common/src/main/java/org/picketlink/identity/federation/bindings/tomcat/sp/AbstractSPFormAuthenticator.java

The authenticate(..) method reads parameters from the request before the character encoding is set by its super method.
By the time super sets it, it's too late and the application will be using the wrong encoding.


    public boolean authenticate(Request request, Response response, LoginConfig loginConfig) throws IOException {
        ...
        String samlRequest = request.getParameter(GeneralConstants.SAML_REQUEST_KEY);
        String samlResponse = request.getParameter(GeneralConstants.SAML_RESPONSE_KEY);
        ...
        return localAuthentication(request, response, loginConfig);

which in turn does:

        return super.authenticate(request, response, loginConfig);

and the Tomcat valve:

    if (characterEncoding != null) {
        request.setCharacterEncoding(characterEncoding);
    }

So PicketLink reads its parameters before the Tomcat valve has a chance to set the encoding, by which time it's too late.

Solution:

Add:

    if (characterEncoding != null) {
        request.setCharacterEncoding(characterEncoding);
    }

as the first action in the PicketLink authenticate(..) method
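
The timing issue described above, as an added example that is not PicketLink or Tomcat code: a constructed Python stand-in for the container request that, like Tomcat's Request, decodes the POST body once on the first getParameter() call and ignores any setCharacterEncoding() that arrives afterwards, run once in the reported order and once in the fixed order. The method names mirror the servlet API; the class, the form body and the "name" parameter are constructed for illustration.

```python
from urllib.parse import unquote_to_bytes

DEFAULT_ENCODING = "ISO-8859-1"  # what the container uses when none is set

class Request:
    # Constructed stand-in for the container request: parameters are decoded
    # from the body once, on the first getParameter() call, and then cached.
    def __init__(self, raw_body: bytes):
        self._body = raw_body
        self._encoding = None
        self._params = None  # None until the first getParameter() call

    def setCharacterEncoding(self, encoding):
        # Only affects parameters that have not been parsed yet.
        self._encoding = encoding

    def getParameter(self, name):
        if self._params is None:
            enc = self._encoding or DEFAULT_ENCODING
            self._params = {}
            for pair in self._body.split(b"&"):
                key, _, value = pair.partition(b"=")
                key = unquote_to_bytes(key).decode(enc)
                value = unquote_to_bytes(value.replace(b"+", b" ")).decode(enc)
                self._params[key] = value
        return self._params.get(name)

def buggy_authenticate(request, character_encoding):
    # Reported order: PicketLink reads parameters first, then super.authenticate()
    # (the valve) sets the encoding, which no longer has any effect.
    name = request.getParameter("name")
    if character_encoding is not None:
        request.setCharacterEncoding(character_encoding)
    return name

def fixed_authenticate(request, character_encoding):
    # Proposed fix: setting the encoding is the very first action.
    if character_encoding is not None:
        request.setCharacterEncoding(character_encoding)
    return request.getParameter("name")

# Constructed UTF-8 form body: "name=Jürgen" (ü is the byte pair C3 BC).
BODY = b"name=J%C3%BCrgen&SAMLRequest=x"

if __name__ == "__main__":
    print(buggy_authenticate(Request(BODY), "UTF-8"))  # JÃ¼rgen (mojibake)
    print(fixed_authenticate(Request(BODY), "UTF-8"))  # Jürgen
```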

Comment 1 Tom Fonteyne 2013-06-25 09:40:16 UTC
resolved in PicketLink 2.1.8

Will mark this bug as resolved once the pull-request is merged.

https://github.com/picketlink2/federation/pull/184

Comment 2 Russell Dickenson 2013-11-21 01:02:34 UTC
Release notes text added for inclusion in the JBoss EAP 6.2.0 Release Notes.

