CAS 5.3.x introduces a breaking change to how RequestIDs are handled when 
validating SAML Services.

*In 5.2.x (and all previous versions of CAS), if the RequestID is not 
present, it will gracefully fail by returning a null value:*

https://github.com/apereo/cas/blob/5.2.x/support/cas-server-support-saml/src/main/java/org/apereo/cas/support/saml/authentication/principal/SamlServiceFactory.java

requestId = extractRequestId(requestBody);

/**
 * Extract request id from the body.
 *
 * @param requestBody the request body
 * @return the string
 */
private static String extractRequestId(final String requestBody) {
    if (!requestBody.contains("RequestID")) {
        LOGGER.debug("Request body does not contain a request id");
        return null;
    }

    try {
        final int position = requestBody.indexOf("RequestID=\"") + CONST_REQUEST_ID_LENGTH;
        final int nextPosition = requestBody.indexOf('"', position);

        return requestBody.substring(position, nextPosition);
    } catch (final Exception e) {
        LOGGER.debug("Exception parsing RequestID from request.", e);
        return null;
    }
}

*In 5.3.x, if the RequestID is not present it will throw a 
NullPointerException:*

https://github.com/apereo/cas/blob/5.3.x/support/cas-server-support-saml/src/main/java/org/apereo/cas/support/saml/authentication/principal/SamlServiceFactory.java#L63

@NonNull final Attribute requestIdAttribute = requestChild.getAttribute("RequestID");
requestId = requestIdAttribute.getValue();

*This change will break all versions of apereo/mod_auth_cas (See: 
https://github.com/apereo/mod_auth_cas/issues/148) along with any other 
client that does not properly implement support for the RequestID 
parameter.*

This change should be reverted (this is as simple as removing the @NonNull 
Lombok annotation so the request will fall back to a null response). 
Breaking every install of mod_auth_cas along with other legacy clients 
cannot be considered acceptable.

You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/bb707ba1-3a60-4cb8-beff-17997dccb514%40apereo.org.
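As an added illustration of the two behaviours described in the message (example code, not the poster's and not CAS's own), the following JDK-only Java sketch parses a SAML 1.1 validation request and extracts RequestID leniently (5.2.x semantics) and strictly (5.3.x semantics). The SOAP/SAML body is constructed, the W3C DOM API stands in for whatever XML library CAS actually uses, and the exception message mirrors the null check Lombok generates for @NonNull.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Attr;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.xml.sax.InputSource;

public class RequestIdDemo {
    static final String SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol";

    // Constructed SAML 1.1 /samlValidate body in the shape CAS documents; not a real capture.
    static final String WITH_ID =
        "<SOAP-ENV:Envelope xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\"><SOAP-ENV:Body>"
        + "<samlp:Request xmlns:samlp=\"" + SAMLP + "\" MajorVersion=\"1\" MinorVersion=\"1\""
        + " RequestID=\"_example-request-id-0001\" IssueInstant=\"2018-06-01T12:00:00Z\">"
        + "<samlp:AssertionArtifact>ST-1-example</samlp:AssertionArtifact>"
        + "</samlp:Request></SOAP-ENV:Body></SOAP-ENV:Envelope>";
    // Same request as a client such as mod_auth_cas sends it: RequestID omitted.
    static final String WITHOUT_ID = WITH_ID.replace(" RequestID=\"_example-request-id-0001\"", "");

    static Element requestElement(String body) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // Hardened parser: refuse DTDs so external entities can never be resolved.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setExpandEntityReferences(false);
        Document doc = f.newDocumentBuilder().parse(new InputSource(new StringReader(body)));
        return (Element) doc.getElementsByTagNameNS(SAMLP, "Request").item(0);
    }

    // 5.2.x semantics: a missing RequestID yields null and validation continues.
    static String lenientRequestId(String body) throws Exception {
        Attr attr = requestElement(body).getAttributeNode("RequestID"); // null when absent
        return attr == null ? null : attr.getValue();
    }

    // 5.3.x semantics: the @NonNull local expands to a null check that throws NPE.
    static String strictRequestId(String body) throws Exception {
        Attr attr = requestElement(body).getAttributeNode("RequestID");
        if (attr == null) {
            throw new NullPointerException("requestIdAttribute is marked non-null but is null");
        }
        return attr.getValue();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("lenient, with id:    " + lenientRequestId(WITH_ID));
        System.out.println("lenient, without id: " + lenientRequestId(WITHOUT_ID));
        try {
            strictRequestId(WITHOUT_ID);
        } catch (NullPointerException e) {
            System.out.println("strict, without id:  " + e.getMessage());
        }
    }
}
```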