I agree. That would work just as well. 

We're now stuck at 5.2.x and cannot move forward until this is patched. We 
have too many external vendor integrations that are impacted by this. 

On Thursday, September 6, 2018 at 4:04:15 PM UTC-4, Curtis Ruck wrote:
>
> or at least have a boolean that can be flipped to disable this.
>
> On Sunday, September 2, 2018 at 9:29:23 PM UTC-4, Josh G wrote:
>>
>> It's worth mentioning this issue is related to the following from July:
>>
>>
>> https://groups.google.com/a/apereo.org/forum/#!searchin/cas-user/RequestId|sort:date/cas-user/tm8aQrzKDbc/e4I2dkgVCQAJ
>>
>> https://groups.google.com/a/apereo.org/forum/#!searchin/cas-user/RequestId|sort:date/cas-user/iQSoUno6Bms/zrQf5Ex-CAAJ
>>
>> I'd like to reiterate that patching the client is not a fix here, the 
>> core of 5.3 needs to be patched to gracefully accept a null RequestID as 
>> all previous versions of CAS have.
>>
>> On Monday, August 27, 2018 at 3:25:32 PM UTC-4, Josh G wrote:
>>>
>>>
>>> CAS 5.3.x introduces a breaking change to how RequestIDs are handled 
>>> when validating SAML Services.
>>>
>>> *In 5.2.x (and all previous versions of CAS), if the RequestID is not 
>>> present, it will gracefully fail by returning a null value:*
>>>
>>>
>>> https://github.com/apereo/cas/blob/5.2.x/support/cas-server-support-saml/src/main/java/org/apereo/cas/support/saml/authentication/principal/SamlServiceFactory.java
>>>
>>>
>>>
>>>
>>> requestId = extractRequestId(requestBody);
>>>
>>> /**
>>>  * Extract request id from the body.
>>>  *
>>>  * @param requestBody the request body
>>>  * @return the string
>>>  */
>>> private static String extractRequestId(final String requestBody) {
>>>     if (!requestBody.contains("RequestID")) {
>>>         LOGGER.debug("Request body does not contain a request id");
>>>         return null;
>>>     }
>>>
>>>     try {
>>>         final int position = requestBody.indexOf("RequestID=\"") + CONST_REQUEST_ID_LENGTH;
>>>         final int nextPosition = requestBody.indexOf('"', position);
>>>
>>>         return requestBody.substring(position, nextPosition);
>>>     } catch (final Exception e) {
>>>         LOGGER.debug("Exception parsing RequestID from request.", e);
>>>         return null;
>>>     }
>>> }
>>>      
>>>
>>>
>>> *In 5.3.x, if the RequestID is not present it will throw a 
>>> NullPointerException:*
>>>
>>>
>>> https://github.com/apereo/cas/blob/5.3.x/support/cas-server-support-saml/src/main/java/org/apereo/cas/support/saml/authentication/principal/SamlServiceFactory.java#L63
>>>
>>>
>>>
>>>
>>>
>>>
>>> @NonNull
>>> final Attribute requestIdAttribute = requestChild.getAttribute("RequestID");
>>> requestId = requestIdAttribute.getValue();
>>>
>>> This change will break all versions of apereo/mod_auth_cas (See: 
>>> https://github.com/apereo/mod_auth_cas/issues/148) along with any other 
>>> client that does not properly implement support for the RequestID 
>>> parameter.
>>>
>>> This change should be reverted (this is as simple as removing the 
>>> @NonNull Lombok annotation so the request will fall back to a null 
>>> response). Breaking every install of mod_auth_cas along with other legacy 
>>> clients cannot be considered acceptable.
>>>
>>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/c79de959-8ca3-498f-b27d-0ac9536b3326%40apereo.org.
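
The null-tolerant RequestID handling asked for in this thread, as an added example that is not CAS code and not written by any poster: it parses the request body with the JDK DOM parser (an assumption, not the parser CAS uses), returns an empty Optional when RequestID is missing, and refuses DOCTYPEs because the body is client-supplied. The class name, sample bodies and ticket value are constructed.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.Optional;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class RequestIdExtractor {
    // SAML 1.x protocol namespace used by samlp:Request.
    private static final String SAMLP_NS = "urn:oasis:names:tc:SAML:1.0:protocol";

    /** Returns the RequestID, or empty when it is absent or the body cannot be parsed. */
    static Optional<String> extractRequestId(final String requestBody) {
        if (requestBody == null || requestBody.isEmpty()) {
            return Optional.empty();
        }
        try {
            final DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
            dbf.setNamespaceAware(true);
            // Client-supplied XML: reject DOCTYPEs so external entities and entity expansion never run.
            dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            dbf.setXIncludeAware(false);
            dbf.setExpandEntityReferences(false);
            final NodeList requests = dbf.newDocumentBuilder()
                .parse(new ByteArrayInputStream(requestBody.getBytes(StandardCharsets.UTF_8)))
                .getElementsByTagNameNS(SAMLP_NS, "Request");
            if (requests.getLength() == 0) {
                return Optional.empty();
            }
            // DOM getAttribute returns "" (never null) for a missing attribute, so no NPE is possible here.
            final String id = ((Element) requests.item(0)).getAttribute("RequestID");
            return id.isEmpty() ? Optional.empty() : Optional.of(id);
        } catch (final Exception e) {
            // Malformed or rejected input is treated like a missing RequestID; log it in real code.
            return Optional.empty();
        }
    }

    public static void main(final String[] args) {
        // Constructed sample bodies, not captured traffic.
        final String head = "<SOAP-ENV:Envelope xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\">"
            + "<SOAP-ENV:Body><samlp:Request xmlns:samlp=\"" + SAMLP_NS + "\" MajorVersion=\"1\" MinorVersion=\"1\"";
        final String tail = "><samlp:AssertionArtifact>ST-1-example</samlp:AssertionArtifact>"
            + "</samlp:Request></SOAP-ENV:Body></SOAP-ENV:Envelope>";
        System.out.println(extractRequestId(head + " RequestID=\"_abc123\"" + tail)); // client that sends RequestID
        System.out.println(extractRequestId(head + tail));                            // legacy client without RequestID
        System.out.println(extractRequestId("<!DOCTYPE x [<!ENTITY e \"v\">]><x>&e;</x>")); // body carrying a DOCTYPE
    }
}
```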