[jira] [Commented] (WICKET-6253) Redirect url parameters decoded
[ https://issues.apache.org/jira/browse/WICKET-6253?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15613342#comment-15613342 ]

Martin Grigorov commented on WICKET-6253:
-----------------------------------------

Another solution: use org.apache.wicket.request.flow.RedirectToUrlException#RedirectToUrlException(java.lang.String, int) with status code 303 or 307. This way Wicket will use setHeader("Location", "...") instead of #sendRedirect(), which leads to the problem.

> Redirect url parameters decoded
> -------------------------------
>
>                 Key: WICKET-6253
>                 URL: https://issues.apache.org/jira/browse/WICKET-6253
>             Project: Wicket
>          Issue Type: Bug
>          Components: wicket
>    Affects Versions: 6.16.0
>            Reporter: Viktor Durica
>              Labels: encode, parameters, redirect, saml, servlet
>         Attachments: wicket6253.zip
>
>
> When redirecting to an external URL using RedirectToUrlException,
> org.apache.wicket.protocol.http.servlet.ServletWebResponse.encodeRedirectURL()
> changes the location. It decodes the parameters, but encoding them again does not
> give the same result.
> SAMLv2 (OpenSAML) generates an authentication request and signs it; the IdP fails to
> validate the signature as the parameters have changed.
> Example:
> http://example.host/sso/login/redirect?SAMLRequest=XYZ&RelayState=%2Fcomeback%2Fhere&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=XYZ
> ServletWebResponse.encodeRedirectURL() changes it to:
> http://example.host/sso/login/redirect?SAMLRequest=XYZ&RelayState=/comeback/here&SigAlg=http://www.w3.org/2000/09/xmldsig#rsa-sha1&Signature=XYZ
> Diff where the change was introduced:
> http://grepcode.com/file_/repo1.maven.org/maven2/org.apache.wicket/wicket-core/6.16.0/org/apache/wicket/protocol/http/servlet/ServletWebResponse.java/?v=diff&id2=6.15.0



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
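To make the failure in the report above concrete, here is an added Java illustration; it is not code from the issue, from Wicket or from OpenSAML, and it needs Java 11 for the Charset overloads of URLEncoder/URLDecoder. It signs a query string the way the SAML 2.0 HTTP-Redirect binding requires (the signature is computed over the percent-encoded string that goes on the wire), then pushes that query through a decode/re-encode step whose lenient encoder leaves '/', ':' and '#' alone, modelled on the rewritten URL in the report. The key pair, the SAMLRequest placeholder and the class name are constructed for the example:

```java
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Signature;
import java.util.Base64;

/**
 * Added illustration (not Wicket or OpenSAML code, Java 11+): why a redirect
 * that decodes and re-encodes the query string breaks a SAML 2.0
 * HTTP-Redirect binding signature. The lenient encoder is modelled on the
 * rewritten URL in WICKET-6253, where %2F, %3A and %23 came back as / : #.
 */
public class RedirectRoundTrip
{
	/** SigAlg used in the report; rsa-sha256 is the better choice for new deployments. */
	static final String SIG_ALG_RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1";

	/** RFC 3986 style percent-encoding of a query value: only unreserved characters are left alone. */
	static String encodeStrict(String value)
	{
		return URLEncoder.encode(value, StandardCharsets.UTF_8)
			.replace("+", "%20")
			.replace("*", "%2A")
			.replace("%7E", "~");
	}

	/** Encoder that leaves '/', ':' and '#' unencoded in query values, as observed in the report. */
	static String encodeLenient(String value)
	{
		return encodeStrict(value).replace("%2F", "/").replace("%3A", ":").replace("%23", "#");
	}

	/** SP side: the binding signs the encoded string "SAMLRequest=..&RelayState=..&SigAlg=.." exactly as sent. */
	static String buildSignedQuery(KeyPair keys, String deflatedBase64Request, String relayState) throws Exception
	{
		String signedPart = "SAMLRequest=" + encodeStrict(deflatedBase64Request)
			+ "&RelayState=" + encodeStrict(relayState)
			+ "&SigAlg=" + encodeStrict(SIG_ALG_RSA_SHA1);
		Signature signer = Signature.getInstance("SHA1withRSA");
		signer.initSign(keys.getPrivate());
		signer.update(signedPart.getBytes(StandardCharsets.US_ASCII));
		String signature = Base64.getEncoder().encodeToString(signer.sign());
		return signedPart + "&Signature=" + encodeStrict(signature);
	}

	/**
	 * IdP side: verifies over the raw query bytes as received, so any change to the
	 * percent-encoding after signing fails. The three signed parameters are known to
	 * precede &Signature= here, so no reordering of parameters is needed.
	 */
	static boolean verify(KeyPair keys, String rawQuery) throws Exception
	{
		int cut = rawQuery.indexOf("&Signature=");
		if (cut < 0)
		{
			return false;
		}
		String signedPart = rawQuery.substring(0, cut);
		String encodedSignature = rawQuery.substring(cut + "&Signature=".length());
		byte[] signature = Base64.getDecoder().decode(URLDecoder.decode(encodedSignature, StandardCharsets.UTF_8));
		Signature verifier = Signature.getInstance("SHA1withRSA");
		verifier.initVerify(keys.getPublic());
		verifier.update(signedPart.getBytes(StandardCharsets.US_ASCII));
		return verifier.verify(signature);
	}

	/** What the report describes: decode every value, then re-encode it with the lenient encoder. */
	static String roundTrip(String query)
	{
		StringBuilder out = new StringBuilder();
		for (String pair : query.split("&"))
		{
			int eq = pair.indexOf('=');
			String name = pair.substring(0, eq);
			String value = URLDecoder.decode(pair.substring(eq + 1), StandardCharsets.UTF_8);
			if (out.length() > 0)
			{
				out.append('&');
			}
			out.append(name).append('=').append(encodeLenient(value));
		}
		return out.toString();
	}

	public static void main(String[] args) throws Exception
	{
		// The report's own query, pushed through the round trip, yields the report's rewritten query.
		String reported = "SAMLRequest=XYZ&RelayState=%2Fcomeback%2Fhere"
			+ "&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=XYZ";
		System.out.println(roundTrip(reported));

		// Constructed sample: throwaway key pair and a placeholder request; only RelayState carries slashes.
		KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA");
		generator.initialize(2048);
		KeyPair keys = generator.generateKeyPair();
		String signed = buildSignedQuery(keys, "PHNhbWxwOkF1dGhuUmVxdWVzdD4=", "/comeback/here");
		System.out.println("byte-identical Location : " + verify(keys, signed));
		System.out.println("after decode/re-encode  : " + verify(keys, roundTrip(signed)));
	}
}
```

The first verification passes and the second fails: nothing in the decoded values changed, only their percent-encoding, and the signature covers the encoding. The only correct behaviour for a redirect to a pre-signed external URL is to put the string on the Location header byte-for-byte. The SigAlg is the one the report shows; for new deployments prefer http://www.w3.org/2001/04/xmldsig-more#rsa-sha256, which does not change the point above.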
[jira] [Commented] (WICKET-6253) Redirect url parameters decoded
[ https://issues.apache.org/jira/browse/WICKET-6253?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15578619#comment-15578619 ]

Martin Grigorov commented on WICKET-6253:
-----------------------------------------

The problem is introduced with https://issues.apache.org/jira/browse/WICKET-5582.
The fix is as easy as:

{code}
diff --git i/wicket-util/src/main/java/org/apache/wicket/util/encoding/UrlEncoder.java w/wicket-util/src/main/java/org/apache/wicket/util/encoding/UrlEncoder.java
index 61e57a6..6f7947c 100644
--- i/wicket-util/src/main/java/org/apache/wicket/util/encoding/UrlEncoder.java
+++ w/wicket-util/src/main/java/org/apache/wicket/util/encoding/UrlEncoder.java
@@ -191,7 +191,7 @@ public class UrlEncoder
 // encoding a space to a + is done in the encode() method
 dontNeedEncoding.set(' ');
 // to allow direct passing of URL in query
- dontNeedEncoding.set('/');
+// dontNeedEncoding.set('/');
{code}

but as you can see the comment says "to allow direct passing of URL in query". So some applications expect a non-encoded / in the query string, others an encoded one.
Wicket has not encoded '/' in the query string for many years. Tomcat also doesn't do anything with the slashes when encoding the URL produced by Wicket.
The only workaround I see for you is to roll your own RedirectToUrlException that uses HttpServletResponse directly to make the redirect, bypassing Wicket's ServletWebResponse.
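Review bot: commenting out dontNeedEncoding.set('/') in the hunk leaves dead code sitting under a comment, "// to allow direct passing of URL in query", that now says the opposite of what the code does; delete both lines, or replace the comment with one stating that '/' is percent-encoded in query values and why (WICKET-6253). Since, as the text right below the patch says, this flips the encoding of every query string Wicket emits and not only external redirects, a narrower fix would leave UrlEncoder alone and instead have ServletWebResponse.encodeRedirectURL() pass an absolute external Location through unchanged rather than decode and re-encode it; the reporter's before/after URLs show that round trip is exactly where the bytes change. Separately, the hunk header claims 7 lines on each side but only 4 are visible, so the trailing context was lost in the paste and the patch as shown will not apply.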
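The two escape hatches named in this thread, the 303/307 status code from the first comment on the page and this comment's hand-rolled redirect that talks to HttpServletResponse directly, as an added Wicket 6 example that is not part of the issue or of Wicket's code base. The class and method names, the IDP_SSO constant (taken from the report's example host) and the javax.servlet assumption are mine; the description of what RedirectToUrlException does with a non-302 status is taken from the first comment:

```java
import javax.servlet.http.HttpServletResponse;

import org.apache.wicket.request.IRequestCycle;
import org.apache.wicket.request.IRequestHandler;
import org.apache.wicket.request.cycle.RequestCycle;
import org.apache.wicket.request.flow.RedirectToUrlException;

/**
 * Added example, not Wicket's own code: two ways to send the browser to a
 * pre-signed external URL (here a SAML 2.0 HTTP-Redirect binding AuthnRequest)
 * without Wicket's ServletWebResponse.encodeRedirectURL() touching the query.
 * Assumes Wicket 6.x on a javax.servlet container.
 */
public final class SignedRedirect
{
	/** IdP SSO endpoint from the report; in a real SP this comes from the IdP's metadata. */
	static final String IDP_SSO = "http://example.host/sso/login/redirect";

	private SignedRedirect()
	{
	}

	/**
	 * Workaround 1 (status code): with 303 or 307 Wicket sets the Location header
	 * itself instead of calling HttpServletResponse#sendRedirect(), so the URL is
	 * not decoded and re-encoded. Call from a page or component on a normal request.
	 */
	public static void seeOther(String signedUrl)
	{
		requireTrusted(signedUrl);
		throw new RedirectToUrlException(signedUrl, HttpServletResponse.SC_SEE_OTHER);
	}

	/**
	 * Workaround 2 (raw handler): replace the current handler chain with one that
	 * writes the redirect straight onto the container's HttpServletResponse,
	 * bypassing ServletWebResponse entirely.
	 */
	public static void rawSeeOther(String signedUrl)
	{
		requireTrusted(signedUrl);
		RequestCycle.get().replaceAllRequestHandlers(new RawLocationHandler(signedUrl));
	}

	/** The target of a signed redirect must be the configured IdP, never request input (open redirect). */
	private static void requireTrusted(String signedUrl)
	{
		if (!signedUrl.startsWith(IDP_SSO + "?"))
		{
			throw new IllegalArgumentException("refusing to redirect outside the IdP SSO endpoint");
		}
	}

	static final class RawLocationHandler implements IRequestHandler
	{
		private final String location;

		RawLocationHandler(String location)
		{
			this.location = location;
		}

		@Override
		public void respond(IRequestCycle requestCycle)
		{
			// Response#getContainerResponse() unwraps Wicket's (possibly header-buffering) response
			Object container = requestCycle.getResponse().getContainerResponse();
			if (!(container instanceof HttpServletResponse))
			{
				throw new IllegalStateException("not running in a servlet container");
			}
			HttpServletResponse response = (HttpServletResponse)container;
			response.setStatus(HttpServletResponse.SC_SEE_OTHER);
			// header value goes out byte-for-byte: no decode/re-encode round trip
			response.setHeader("Location", location);
			// a signed AuthnRequest is single-use; keep caches from replaying the redirect
			response.setHeader("Cache-Control", "no-store");
		}

		@Override
		public void detach(IRequestCycle requestCycle)
		{
			// nothing to release
		}
	}
}
```

Both paths skip ServletWebResponse.sendRedirect(), so they also skip Wicket's Ajax redirect handling (the Ajax-Location header); use them on plain navigation requests. The requireTrusted() check is what keeps either path from turning into an open redirect when the URL is assembled from anything the client can influence.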
[jira] [Commented] (WICKET-6253) Redirect url parameters decoded
[ https://issues.apache.org/jira/browse/WICKET-6253?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15547938#comment-15547938 ]

Viktor Durica commented on WICKET-6253:
---------------------------------------

Quickstart app attached.
[jira] [Commented] (WICKET-6253) Redirect url parameters decoded
[ https://issues.apache.org/jira/browse/WICKET-6253?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15545580#comment-15545580 ]

Viktor Durica commented on WICKET-6253:
---------------------------------------

WildFly 8.0, Tomcat 7 - but it is not server dependent.

To reproduce, throw a RedirectToUrlException("http://example.host/sso/login/redirect?SAMLRequest=XYZ&RelayState=%2Fcomeback%2Fhere&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=XYZ") anywhere and check the URL in the browser: the parameters will be decoded as of Wicket version 6.16.

Will add a quickstart app soon.
[jira] [Commented] (WICKET-6253) Redirect url parameters decoded
[ https://issues.apache.org/jira/browse/WICKET-6253?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15545564#comment-15545564 ]

Martin Grigorov commented on WICKET-6253:
-----------------------------------------

Can you please provide a quickstart app? Which web server do you use? Which version?