[jira] [Work logged] (KNOX-3232) Handle pac4j cookies with "null" value
[
https://issues.apache.org/jira/browse/KNOX-3232?focusedWorklogId=996480&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-996480
]
ASF GitHub Bot logged work on KNOX-3232:
Author: ASF GitHub Bot
Created on: 16/Dec/25 14:22
Start Date: 16/Dec/25 14:22
Worklog Time Spent: 10m
Work Description: bonampak merged PR #1132:
URL: https://github.com/apache/knox/pull/1132
Issue Time Tracking
---
Worklog Id: (was: 996480)
Time Spent: 40m (was: 0.5h)
> Handle pac4j cookies with "null" value
> --
>
> Key: KNOX-3232
> URL: https://issues.apache.org/jira/browse/KNOX-3232
> Project: Apache Knox
> Issue Type: Task
> Components: KnoxSSO
>Affects Versions: 3.0.0
>Reporter: Tamás Marcinkovics
>Assignee: Tamás Marcinkovics
>Priority: Major
> Attachments: knoxsso-cas-test.xml
>
> Time Spent: 40m
> Remaining Estimate: 0h
>
> When testing Knox SSO with Pac4j and CAS, if the user clicks on global
> logout, and does not close the browser, refreshing the homepage link results
> in a 500 internal server error due to KnoxSessionStore not being able to get
> the value of CasClient$attemptedAuthentication cookie.
> When pac4j calls the
> KnoxSessionStore.set() method with null value, we will add a
> Set-Cookie-Header with "null" value instead of empty.
> setCookieHeader = new SetCookieHeader(PAC4J_SESSION_PREFIX + key, null);
> When KnoxSessionStore.get() is called, it tries to uncompress the non-empty
> value and fails with a BufferUnderflowException.
>
> To test, replace the conf/knoxsso.xml with the contents of the attached
> knoxsso-cas-test.xml and set global logout in gateway-site.xml by setting the
> properties
> {noformat}
>
> knox.homepage.logout.enabled
> true
>
>
> knox.global.logout.page.url
> https://casserverpac4j.herokuapp.com/logout
>
> {noformat}
>
> Then log in to CAS using the same username and password, then in the knox
> homepage press the logout and global logout link afterwards.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Work logged] (KNOX-3232) Handle pac4j cookies with "null" value
[
https://issues.apache.org/jira/browse/KNOX-3232?focusedWorklogId=996417&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-996417
]
ASF GitHub Bot logged work on KNOX-3232:
Author: ASF GitHub Bot
Created on: 16/Dec/25 10:05
Start Date: 16/Dec/25 10:05
Worklog Time Spent: 10m
Work Description: bonampak commented on PR #1132:
URL: https://github.com/apache/knox/pull/1132#issuecomment-3659745732
> So as I understand the culprit behind the "null" value is
`sb.append('=').append(value);` in SetCookieHeader, right? Wouldn't it be
better to fix that by appending an empty value? Also the SetCookieHeader class
was [introduced](https://github.com/apache/knox/pull/1042) because with java 8
the sameSite attribute was missing from `org.pac4j.core.context.Cookie`. Is
switching back an option?
We could switch back as now setSameSitePolicy() is available on
org.pac4j.core.context.Cookie.
It would still generate name=null; if the cookie value is null.
```java
Cookie cookie;
if (value == null) {
cookie = new Cookie(PAC4J_SESSION_PREFIX + key, null);
}
...
if(sessionStoreConfigs != null &&
sessionStoreConfigs.containsKey(PAC4J_COOKIE_SAMESITE)) {
cookie.setSameSitePolicy(sessionStoreConfigs.get(PAC4J_COOKIE_SAMESITE));
}
context.addResponseCookie(cookie);
```
https://github.com/pac4j/pac4j/blob/pac4j-parent-6.3.0/pac4j-javaee/src/main/java/org/pac4j/jee/context/JEEContext.java#L217
https://github.com/pac4j/pac4j/blob/pac4j-parent-6.3.0/pac4j-core/src/main/java/org/pac4j/core/context/WebContextHelper.java#L147
```java
public static String createCookieHeader(Cookie cookie) {
var builder = new StringBuilder();
builder.append(String.format("%s=%s;", cookie.getName(),
cookie.getValue()));
```
For now, I would keep it as it is, and create another issue to switch back
to `org.pac4j.core.context.Cookie` later (and set cookie value to empty string
instead of null).
Issue Time Tracking
---
Worklog Id: (was: 996417)
Time Spent: 0.5h (was: 20m)
> Handle pac4j cookies with "null" value
> --
>
> Key: KNOX-3232
> URL: https://issues.apache.org/jira/browse/KNOX-3232
> Project: Apache Knox
> Issue Type: Task
> Components: KnoxSSO
>Affects Versions: 3.0.0
>Reporter: Tamás Marcinkovics
>Assignee: Tamás Marcinkovics
>Priority: Major
> Attachments: knoxsso-cas-test.xml
>
> Time Spent: 0.5h
> Remaining Estimate: 0h
>
> When testing Knox SSO with Pac4j and CAS, if the user clicks on global
> logout, and does not close the browser, refreshing the homepage link results
> in a 500 internal server error due to KnoxSessionStore not being able to get
> the value of CasClient$attemptedAuthentication cookie.
> When pac4j calls the
> KnoxSessionStore.set() method with null value, we will add a
> Set-Cookie-Header with "null" value instead of empty.
> setCookieHeader = new SetCookieHeader(PAC4J_SESSION_PREFIX + key, null);
> When KnoxSessionStore.get() is called, it tries to uncompress the non-empty
> value and fails with a BufferUnderflowException.
>
> To test, replace the conf/knoxsso.xml with the contents of the attached
> knoxsso-cas-test.xml and set global logout in gateway-site.xml by setting the
> properties
> {noformat}
>
> knox.homepage.logout.enabled
> true
>
>
> knox.global.logout.page.url
> https://casserverpac4j.herokuapp.com/logout
>
> {noformat}
>
> Then log in to CAS using the same username and password, then in the knox
> homepage press the logout and global logout link afterwards.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Work logged] (KNOX-3232) Handle pac4j cookies with "null" value
[
https://issues.apache.org/jira/browse/KNOX-3232?focusedWorklogId=996224&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-996224
]
ASF GitHub Bot logged work on KNOX-3232:
Author: ASF GitHub Bot
Created on: 15/Dec/25 13:59
Start Date: 15/Dec/25 13:59
Worklog Time Spent: 10m
Work Description: github-actions[bot] commented on PR #1132:
URL: https://github.com/apache/knox/pull/1132#issuecomment-3655792287
## Test Results
7 tests 7 ✅ 1s ⏱️
1 suites 0 💤
1 files 0 ❌
Results for commit c7fa377a.
[test-results]:data:application/gzip;base64,H4sIAFYUQGkC/1WMSQ7DIBAEv2JxzsEE4SH5TESAkUZeiFhOVv4e7HjBt65qqWaGNLjIng2/NSxmSgfYHHQiP21YjrRcsO9XzMZcRU+fItpDoKbhIlwIPmwm5GnvLbPO/fmsrVzFVq5bxo8jpQLMAGoBoF3HlRUShLu/rULFZau5k4AohX1gx74/TtOK//s=
Issue Time Tracking
---
Worklog Id: (was: 996224)
Time Spent: 20m (was: 10m)
> Handle pac4j cookies with "null" value
> --
>
> Key: KNOX-3232
> URL: https://issues.apache.org/jira/browse/KNOX-3232
> Project: Apache Knox
> Issue Type: Task
> Components: KnoxSSO
>Affects Versions: 3.0.0
>Reporter: Tamás Marcinkovics
>Assignee: Tamás Marcinkovics
>Priority: Major
> Attachments: knoxsso-cas-test.xml
>
> Time Spent: 20m
> Remaining Estimate: 0h
>
> When testing Knox SSO with Pac4j and CAS, if the user clicks on global
> logout, and does not close the browser, refreshing the homepage link results
> in a 500 internal server error due to KnoxSessionStore not being able to get
> the value of CasClient$attemptedAuthentication cookie.
> When pac4j calls the
> KnoxSessionStore.set() method with null value, we will add a
> Set-Cookie-Header with "null" value instead of empty.
> setCookieHeader = new SetCookieHeader(PAC4J_SESSION_PREFIX + key, null);
> When KnoxSessionStore.get() is called, it tries to uncompress the non-empty
> value and fails with a BufferUnderflowException.
>
> To test, replace the conf/knoxsso.xml with the contents of the attached
> knoxsso-cas-test.xml and set global logout in gateway-site.xml by setting the
> properties
> {noformat}
>
> knox.homepage.logout.enabled
> true
>
>
> knox.global.logout.page.url
> https://casserverpac4j.herokuapp.com/logout
>
> {noformat}
>
> Then log in to CAS using the same username and password, then in the knox
> homepage press the logout and global logout link afterwards.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Work logged] (KNOX-3232) Handle pac4j cookies with "null" value
[
https://issues.apache.org/jira/browse/KNOX-3232?focusedWorklogId=996213&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-996213
]
ASF GitHub Bot logged work on KNOX-3232:
Author: ASF GitHub Bot
Created on: 15/Dec/25 13:35
Start Date: 15/Dec/25 13:35
Worklog Time Spent: 10m
Work Description: bonampak opened a new pull request, #1132:
URL: https://github.com/apache/knox/pull/1132
(It is very **important** that you created an Apache Knox JIRA for this
change and that the PR title/commit message includes the Apache Knox JIRA ID!)
[KNOX-1234](https://issues.apache.org/jira/browse/KNOX-3232) - Handle pac4j
cookies with "null" value
## What changes were proposed in this pull request?
Just handle the case when our set-cookie header is setting explicit null
values and KnoxSessionStore receives the cookie with "null" value.
## How was this patch tested?
Manual test with CAS global logout url as described in the JIRA.
Added a unit test in KnoxSessionStoreTests.
Issue Time Tracking
---
Worklog Id: (was: 996213)
Remaining Estimate: 0h
Time Spent: 10m
> Handle pac4j cookies with "null" value
> --
>
> Key: KNOX-3232
> URL: https://issues.apache.org/jira/browse/KNOX-3232
> Project: Apache Knox
> Issue Type: Task
> Components: KnoxSSO
>Affects Versions: 3.0.0
>Reporter: Tamás Marcinkovics
>Assignee: Tamás Marcinkovics
>Priority: Major
> Attachments: knoxsso-cas-test.xml
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> When testing Knox SSO with Pac4j and CAS, if the user clicks on global
> logout, and does not close the browser, refreshing the homepage link results
> in a 500 internal server error due to KnoxSessionStore not being able to get
> the value of CasClient$attemptedAuthentication cookie.
> When pac4j calls the
> KnoxSessionStore.set() method with null value, we will add a
> Set-Cookie-Header with "null" value instead of empty.
> setCookieHeader = new SetCookieHeader(PAC4J_SESSION_PREFIX + key, null);
> When KnoxSessionStore.get() is called, it tries to uncompress the non-empty
> value and fails with a BufferUnderflowException.
>
> To test, replace the conf/knoxsso.xml with the contents of the attached
> knoxsso-cas-test.xml and set global logout in gateway-site.xml by setting the
> properties
> {noformat}
>
> knox.homepage.logout.enabled
> true
>
>
> knox.global.logout.page.url
> https://casserverpac4j.herokuapp.com/logout
>
> {noformat}
>
> Then log in to CAS using the same username and password, then in the knox
> homepage press the logout and global logout link afterwards.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
