[jira] [Commented] (WICKET-6253) Redirect url parameters decoded

2016-10-27 Thread Martin Grigorov (JIRA)

[ 
https://issues.apache.org/jira/browse/WICKET-6253?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15613342#comment-15613342
 ] 

Martin Grigorov commented on WICKET-6253:
-

Another solution: use 
org.apache.wicket.request.flow.RedirectToUrlException#RedirectToUrlException(java.lang.String, int)
with status code 303 or 307.
This way Wicket will use setHeader("Location", "...") instead of 
#sendRedirect(), which leads to the problem.

> Redirect url parameters decoded
> ---
>
> Key: WICKET-6253
> URL: https://issues.apache.org/jira/browse/WICKET-6253
> Project: Wicket
> Issue Type: Bug
> Components: wicket
> Affects Versions: 6.16.0
> Reporter: Viktor Durica
> Labels: encode, parameters, redirect, saml, servlet
> Attachments: wicket6253.zip
>
>
> When redirecting to an external url using RedirectToUrlException, 
> org.apache.wicket.protocol.http.servlet.ServletWebResponse.encodeRedirectURL()
>  changes the location. Decodes the parameters but encode does not give the 
> same result.
> SAMLv2 (opensaml) generates authentication request and signs it, IDP fails to 
> validate signature as parameters have changed. Example:
> http://example.host/sso/login/redirect?SAMLRequest=XYZ&RelayState=%2Fcomeback%2Fhere&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=XYZ
> ServletWebResponse.encodeRedirectURL() changes it to:
> http://example.host/sso/login/redirect?SAMLRequest=XYZ&RelayState=/comeback/here&SigAlg=http://www.w3.org/2000/09/xmldsig#rsa-sha1&Signature=XYZ
> diff where change was created:
> http://grepcode.com/file_/repo1.maven.org/maven2/org.apache.wicket/wicket-core/6.16.0/org/apache/wicket/protocol/http/servlet/ServletWebResponse.java/?v=diff&id2=6.15.0



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
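
Why the identity provider rejects the rewritten redirect, as an added example that is not part of the original thread or of Wicket's code: in the SAML HTTP-Redirect binding the signature covers the query string exactly as it was percent-encoded, so the decoded form no longer verifies, and the bare '#' moves the tail of the query, Signature included, into the URL fragment. The class name, helper names and the throwaway RSA key are assumptions made for the demo; the two URLs are the ones quoted in the report.

```java
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Signature;

public class RedirectSignatureDemo {
    static final String ALG = "SHA1withRSA"; // matches SigAlg=...xmldsig#rsa-sha1 in the report

    // The octets the signature covers: the raw query as sent, minus the Signature parameter.
    static String signedPart(String url) {
        String query = URI.create(url).getRawQuery(); // excludes the fragment after '#', which never reaches the server
        int end = query.indexOf("&Signature=");
        return end < 0 ? query : query.substring(0, end);
    }

    static byte[] sign(KeyPair kp, String data) throws Exception {
        Signature s = Signature.getInstance(ALG);
        s.initSign(kp.getPrivate());
        s.update(data.getBytes(StandardCharsets.UTF_8));
        return s.sign();
    }

    static boolean verify(KeyPair kp, String data, byte[] sig) throws Exception {
        Signature s = Signature.getInstance(ALG);
        s.initVerify(kp.getPublic());
        s.update(data.getBytes(StandardCharsets.UTF_8));
        return s.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair(); // throwaway demo key, not a real service-provider key

        // Both URLs are the ones quoted in the report (SAMLRequest/Signature are its XYZ stand-ins).
        String generated = "http://example.host/sso/login/redirect?SAMLRequest=XYZ&RelayState=%2Fcomeback%2Fhere"
                + "&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=XYZ";
        String rewritten = "http://example.host/sso/login/redirect?SAMLRequest=XYZ&RelayState=/comeback/here"
                + "&SigAlg=http://www.w3.org/2000/09/xmldsig#rsa-sha1&Signature=XYZ";

        byte[] sig = sign(kp, signedPart(generated)); // what the service provider signs
        System.out.println("covered, as generated: " + signedPart(generated));
        System.out.println("covered, as rewritten: " + signedPart(rewritten));
        System.out.println("fragment after rewrite: " + URI.create(rewritten).getRawFragment());
        System.out.println("verifies as generated: " + verify(kp, signedPart(generated), sig));
        System.out.println("verifies as rewritten: " + verify(kp, signedPart(rewritten), sig));
    }
}
```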


[jira] [Commented] (WICKET-6253) Redirect url parameters decoded

2016-10-15 Thread Martin Grigorov (JIRA)

[ 
https://issues.apache.org/jira/browse/WICKET-6253?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15578619#comment-15578619
 ] 

Martin Grigorov commented on WICKET-6253:
-

The problem is introduced with 
https://issues.apache.org/jira/browse/WICKET-5582.
The fix is as easy as:
{code}
diff --git 
i/wicket-util/src/main/java/org/apache/wicket/util/encoding/UrlEncoder.java 
w/wicket-util/src/main/java/org/apache/wicket/util/encoding/UrlEncoder.java
index 61e57a6..6f7947c 100644
--- i/wicket-util/src/main/java/org/apache/wicket/util/encoding/UrlEncoder.java
+++ w/wicket-util/src/main/java/org/apache/wicket/util/encoding/UrlEncoder.java
@@ -191,7 +191,7 @@ public class UrlEncoder
// encoding a space to a + is done in the 
encode() method
dontNeedEncoding.set(' ');
// to allow direct passing of URL in query
-   dontNeedEncoding.set('/');
+// dontNeedEncoding.set('/');
{code}
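Review bot: The `+` line comments out `dontNeedEncoding.set('/');` but keeps the preceding comment "to allow direct passing of URL in query", which then describes behaviour the encoder no longer has; remove the dead line and the stale comment together, or replace the comment with one stating that '/' is now percent-encoded in query strings and why. The example URL in the report also has %3A and %23 turned into ':' and '#', and this hunk only touches '/', so a unit test that round-trips that URL through the encoder would show whether the change is sufficient.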

but as you can see the comment says "to allow direct passing of URL in query". 
So some applications expect non-encoded / in the query string, others - encoded.
Wicket hasn't encoded '/' in the query string for many years.
Tomcat also doesn't do anything with the slashes when encoding the URL produced 
by Wicket.

The only workaround I see for you is to roll your own RedirectToUrlException 
that uses HttpServletResponse directly to make the redirect, bypassing Wicket's 
ServletWebResponse.



[jira] [Commented] (WICKET-6253) Redirect url parameters decoded

2016-10-05 Thread Viktor Durica (JIRA)

[ 
https://issues.apache.org/jira/browse/WICKET-6253?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15547938#comment-15547938
 ] 

Viktor Durica commented on WICKET-6253:
---

quickstart app attached



[jira] [Commented] (WICKET-6253) Redirect url parameters decoded

2016-10-04 Thread Viktor Durica (JIRA)

[ 
https://issues.apache.org/jira/browse/WICKET-6253?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15545580#comment-15545580
 ] 

Viktor Durica commented on WICKET-6253:
---

wildfly 8.0, tomcat 7 - but not server dependent.
To reproduce, throw anywhere a 
RedirectToUrlException("http://example.host/sso/login/redirect?SAMLRequest=XYZ&RelayState=%2Fcomeback%2Fhere&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=XYZ")
and check the URL in the browser; parameters will be decoded from Wicket version 
6.16

will add quickstart app soon.



[jira] [Commented] (WICKET-6253) Redirect url parameters decoded

2016-10-04 Thread Martin Grigorov (JIRA)

[ 
https://issues.apache.org/jira/browse/WICKET-6253?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15545564#comment-15545564
 ] 

Martin Grigorov commented on WICKET-6253:
-

Can you please provide a quickstart app?
Which web server do you use? Which version?
