Martin Grigorov commented on WICKET-6253:

The problem is introduced with 
The fix is as easy as:
diff --git 
index 61e57a6..6f7947c 100644
--- i/wicket-util/src/main/java/org/apache/wicket/util/encoding/UrlEncoder.java
+++ w/wicket-util/src/main/java/org/apache/wicket/util/encoding/UrlEncoder.java
@@ -191,7 +191,7 @@ public class UrlEncoder
                                // encoding a space to a + is done in the 
encode() method
                                dontNeedEncoding.set(' ');
                                // to allow direct passing of URL in query
-                               dontNeedEncoding.set('/');
+//                             dontNeedEncoding.set('/');
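
Review bot: commenting out `dontNeedEncoding.set('/')` instead of deleting it leaves dead code, and the context line above it, "to allow direct passing of URL in query", now documents behaviour that no longer exists. Delete both lines or replace the comment with one that says why '/' is now percent-encoded. The hunk shows no condition around the call, so the change applies to everything this encoder handles in the query case, not only redirect URLs; callers that relied on a raw '/' will see different output, so this wants either an opt-in switch or a test pinning the new behaviour.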

but as you can see the comment says "to allow direct passing of URL in query". 
So some applications expect non-encoded / in the query string, others - encoded.
Wicket hasn't encoded '/' in the query string for many years.
Tomcat also doesn't do anything with the slashes when encoding the url produced 
by Wicket.

The only workaround I see for you is to roll your own RedirectToUrlException 
that uses HttpServletResponse directly to make the redirect, bypassing Wicket's 

> Redirect url parameters decoded
> -------------------------------
>                 Key: WICKET-6253
>                 URL: https://issues.apache.org/jira/browse/WICKET-6253
>             Project: Wicket
>          Issue Type: Bug
>          Components: wicket
>    Affects Versions: 6.16.0
>            Reporter: Viktor Durica
>              Labels: encode, parameters, redirect, saml, servlet
>         Attachments: wicket6253.zip
> When redirecting to an external url using RedirectToUrlException, 
> org.apache.wicket.protocol.http.servlet.ServletWebResponse.encodeRedirectURL()
>  changes the location. Decodes the parameters but encode does not give the 
> same result.
> SAMLv2 (opensaml) generates authentication request and signs it, IDP fails to 
> validate signature as parameters have changed. Example:
> http://example.host/sso/login/redirect?SAMLRequest=XYZ&RelayState=%2Fcomeback%2Fhere&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=XYZ
> ServletWebResponse.encodeRedirectURL() changes it to:
> http://example.host/sso/login/redirect?SAMLRequest=XYZ&RelayState=/comeback/here&SigAlg=http://www.w3.org/2000/09/xmldsig#rsa-sha1&Signature=XYZ
> diff where change was created:
> http://grepcode.com/file_/repo1.maven.org/maven2/org.apache.wicket/wicket-core/6.16.0/org/apache/wicket/protocol/http/servlet/ServletWebResponse.java/?v=diff&id2=6.15.0
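
The failure reported in the issue, as an added example that is not part of the original message or of Wicket's code: in the SAML HTTP-Redirect binding the signature covers the URL-encoded query string exactly as sent, so a decode and re-encode step that leaves '/' raw invalidates it. The class name, the simplified `encode` stand-in (not Wicket's UrlEncoder) and the throwaway key are assumptions made for the demonstration.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.security.*;

public class RedirectSignatureDemo { // hypothetical demo class
    // Simplified stand-in for a query encoder with a "does not need encoding" set.
    static String encode(String value, boolean slashIsSafe) {
        StringBuilder out = new StringBuilder();
        for (byte b : value.getBytes(StandardCharsets.UTF_8)) {
            char c = (char) (b & 0xff);
            boolean safe = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9')
                    || "-_.*".indexOf(c) >= 0 || (slashIsSafe && c == '/');
            out.append(safe ? String.valueOf(c) : String.format("%%%02X", (int) c));
        }
        return out.toString();
    }
    // Decode every parameter value, then encode it again: the step that alters the URL.
    static String reencode(String query, boolean slashIsSafe) throws Exception {
        StringBuilder out = new StringBuilder();
        for (String pair : query.split("&")) {
            String[] kv = pair.split("=", 2);
            if (out.length() > 0) out.append('&');
            out.append(kv[0]).append('=').append(encode(URLDecoder.decode(kv[1], "UTF-8"), slashIsSafe));
        }
        return out.toString();
    }
    // What the receiving side does: check the signature over the query bytes it received.
    static boolean verify(PublicKey key, String signedQuery, byte[] sig) throws Exception {
        Signature v = Signature.getInstance("SHA1withRSA"); // mirrors the SigAlg value in the issue
        v.initVerify(key);
        v.update(signedQuery.getBytes(StandardCharsets.UTF_8));
        return v.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair(); // throwaway key, generated for this demo
        // Signed part of the query string from the issue (the Signature parameter is excluded).
        String signed = "SAMLRequest=XYZ&RelayState=%2Fcomeback%2Fhere"
                + "&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1";
        Signature s = Signature.getInstance("SHA1withRSA");
        s.initSign(kp.getPrivate());
        s.update(signed.getBytes(StandardCharsets.UTF_8));
        byte[] sig = s.sign();
        System.out.println("untouched query:        " + verify(kp.getPublic(), signed, sig));
        System.out.println("re-encoded, '/' raw:    " + verify(kp.getPublic(), reencode(signed, true), sig));
        System.out.println("re-encoded, '/' as %2F: " + verify(kp.getPublic(), reencode(signed, false), sig));
    }
}
```

Only the middle case fails verification, which is why a redirect path that forwards the signed query string byte for byte avoids the problem.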
