[https://issues.apache.org/jira/browse/CXF-6579?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14733450#comment-14733450]
Sergey Beryozkin commented on CXF-6579:
---------------------------------------
FYI, you'd set this property in jaxrs:server/jaxrs:properties. Or in an early
CXF in-interceptor if there can be a situation where different clients use
different ratio levels.
At this stage I think we should get this issue resolved given that it is known
that a token is deflated with the default deflate level in a number of
practical and interop cases (the latter verified by Colm against many IDPs).
Defaulting to '0' without users bothering with setting a property can
definitely be done too once we have a bit more assurance it won't affect the
existing clients targeting CXF SAML SP code.
> Inflated tokens can be corrupted if compression ratio is greater than 2:1
> -------------------------------------------------------------------------
>
> Key: CXF-6579
> URL: https://issues.apache.org/jira/browse/CXF-6579
> Project: CXF
> Issue Type: Bug
> Components: Core, JAX-RS Security
> Affects Versions: 3.0.6, 2.7.17, 3.1.2
> Reporter: Phillip Klinefelter
> Assignee: Sergey Beryozkin
> Priority: Critical
>
> DeflateEncoderDecoder/CompressionUtils inflate method assumes that the
> compression ratio will be 2:1. That assumption is not true for SAML tokens
> with many similar attribute statements. The inflated token will be corrupted
> with a portion of the token replaced with null characters.
> https://github.com/apache/cxf/blob/cxf-2.7.17/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/DeflateEncoderDecoder.java#L34
> https://github.com/apache/cxf/blob/cxf-3.0.6/core/src/main/java/org/apache/cxf/common/util/CompressionUtils.java#L41
> https://github.com/apache/cxf/blob/cxf-3.1.2/core/src/main/java/org/apache/cxf/common/util/CompressionUtils.java#L41
> {code}
> import static org.hamcrest.CoreMatchers.is;
> import static org.junit.Assert.assertThat;
>
> import java.io.ByteArrayInputStream;
> import java.util.zip.Inflater;
> import java.util.zip.InflaterInputStream;
>
> // Imports were not shown in the original; IOUtils is taken to be
> // org.apache.cxf.helpers.IOUtils, and DeflateEncoderDecoder is the
> // class linked above.
> import org.apache.cxf.helpers.IOUtils;
> import org.apache.cxf.rs.security.saml.DeflateEncoderDecoder;
> import org.junit.Test;
>
> @Test
> public void testInflateDeflateWithTokenDuplication() throws Exception {
>     // Highly repetitive token: compresses well beyond 2:1
>     String token = "valid_grant valid_grant valid_grant valid_grant valid_grant valid_grant";
>     DeflateEncoderDecoder deflateEncoderDecoder = new DeflateEncoderDecoder();
>     byte[] deflatedToken = deflateEncoderDecoder.deflateToken(token.getBytes());
>     // CXF's own inflate path
>     String cxfInflatedToken = IOUtils.toString(deflateEncoderDecoder.inflateToken(deflatedToken));
>     // Reference: plain JDK raw-deflate stream inflation (nowrap = true)
>     String streamInflatedToken = IOUtils.toString(
>         new InflaterInputStream(new ByteArrayInputStream(deflatedToken), new Inflater(true)));
>     assertThat(streamInflatedToken, is(token));
>     assertThat(cxfInflatedToken, is(token));
> }
> {code}
> The stream inflated token is correct but the CXF inflated token is invalid.
> {code}
> java.lang.AssertionError:
> Expected: is "valid_grant valid_grant valid_grant valid_grant valid_grant valid_grant"
>      got: "t valid_grant valid_grant valid_grant"
> {code}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
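The issue description above says CXF's inflate path sizes its output on a 2:1 assumption and loses part of the token when a highly repetitive SAML token compresses better than that. The following is an added example written for this page, not CXF's own DeflateEncoderDecoder or CompressionUtils code: an inflate loop that makes no ratio assumption, appending every chunk the JDK Inflater returns until finished() reports end of stream, with an upper bound on the inflated size as a guard against a small token that expands without limit (that guard is this example's own addition; the issue does not discuss it). The class name RatioSafeInflate, the helper names and the 1 MiB cap are assumptions of the example. main() round-trips the token from the issue's test at the default level and, to illustrate Sergey's remark about defaulting to level '0', again with Deflater.NO_COMPRESSION, where raw deflate emits stored blocks and the output is never smaller than the input, so a ratio-based buffer would never have been too small.

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.util.zip.DataFormatException;
import java.util.zip.Deflater;
import java.util.zip.Inflater;

// Added example, not CXF code: inflate a raw-deflated SAML token without
// assuming any compression ratio. Class and method names are this example's own.
public class RatioSafeInflate {

    // Raw (nowrap) deflate at the given level; this is the encoding side the
    // issue's test exercises through DeflateEncoderDecoder.deflateToken().
    static byte[] deflate(byte[] input, int level) {
        Deflater deflater = new Deflater(level, true);
        try {
            deflater.setInput(input);
            deflater.finish();
            ByteArrayOutputStream out = new ByteArrayOutputStream();
            byte[] buf = new byte[1024];
            while (!deflater.finished()) {
                out.write(buf, 0, deflater.deflate(buf));
            }
            return out.toByteArray();
        } finally {
            deflater.end();
        }
    }

    // Inflate by appending every chunk the Inflater produces until finished().
    // The scratch buffer is only a chunk size, not a bound on the result: growth
    // is handled by the output stream, so a 10:1 token is handled the same way as
    // a 2:1 one. maxBytes caps the inflated size so a few hundred bytes of hostile
    // input cannot expand without bound (example's own guard, not from the issue).
    static byte[] inflate(byte[] deflated, int maxBytes) throws DataFormatException {
        Inflater inflater = new Inflater(true);
        try {
            inflater.setInput(deflated);
            ByteArrayOutputStream out = new ByteArrayOutputStream();
            byte[] buf = new byte[Math.max(64, deflated.length * 2)];
            while (!inflater.finished()) {
                int n = inflater.inflate(buf);
                // inflate() returns 0 when the input ran out before the end-of-stream
                // marker or a preset dictionary is required; neither is a valid token.
                if (n == 0 && (inflater.needsInput() || inflater.needsDictionary())) {
                    throw new DataFormatException("truncated or dictionary-requiring deflate stream");
                }
                out.write(buf, 0, n);
                if (out.size() > maxBytes) {
                    throw new DataFormatException("inflated size exceeds " + maxBytes + " bytes");
                }
            }
            return out.toByteArray();
        } finally {
            inflater.end();
        }
    }

    public static void main(String[] args) throws Exception {
        // Same repetitive token as the issue's test
        String token = "valid_grant valid_grant valid_grant valid_grant valid_grant valid_grant";
        byte[] raw = token.getBytes(StandardCharsets.UTF_8);
        int[] levels = {Deflater.DEFAULT_COMPRESSION, Deflater.NO_COMPRESSION};
        for (int level : levels) {
            byte[] deflated = deflate(raw, level);
            String back = new String(inflate(deflated, 1 << 20), StandardCharsets.UTF_8);
            System.out.printf("level %d: %d -> %d bytes, round-trip %s%n",
                level, raw.length, deflated.length, back.equals(token) ? "OK" : "CORRUPT");
        }
    }
}
```

The loop terminates only on finished(), so the number of chunks is driven by the data rather than by a guess about the ratio; the size cap is the check a practitioner would want once the assumption "the output is at most twice the input" is gone, because the inflater will otherwise happily produce as much output as the stream encodes.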