Posted to commits@wicket.apache.org by "Viktor Durica (JIRA)" <ji...@apache.org> on 2016/10/05 07:25:20 UTC

[jira] [Updated] (WICKET-6253) Redirect url parameters decoded

     [ https://issues.apache.org/jira/browse/WICKET-6253?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Viktor Durica updated WICKET-6253:
----------------------------------
    Attachment: wicket6253.zip

> Redirect url parameters decoded
> -------------------------------
>
>                 Key: WICKET-6253
>                 URL: https://issues.apache.org/jira/browse/WICKET-6253
>             Project: Wicket
>          Issue Type: Bug
>          Components: wicket
>    Affects Versions: 6.16.0
>            Reporter: Viktor Durica
>              Labels: encode, parameters, redirect, saml, servlet
>         Attachments: wicket6253.zip
>
>
> When redirecting to an external URL using RedirectToUrlException, org.apache.wicket.protocol.http.servlet.ServletWebResponse.encodeRedirectURL() changes the location. It decodes the parameters, but encoding does not give the same result.
> SAMLv2 (opensaml) generates an authentication request and signs it; the IDP fails to validate the signature as the parameters have changed. Example:
> http://example.host/sso/login/redirect?SAMLRequest=XYZ&RelayState=%2Fcomeback%2Fhere&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=XYZ
> ServletWebResponse.encodeRedirectURL() changes it to:
> http://example.host/sso/login/redirect?SAMLRequest=XYZ&RelayState=/comeback/here&SigAlg=http://www.w3.org/2000/09/xmldsig#rsa-sha1&Signature=XYZ
> Diff where the change was created:
> http://grepcode.com/file_/repo1.maven.org/maven2/org.apache.wicket/wicket-core/6.16.0/org/apache/wicket/protocol/http/servlet/ServletWebResponse.java/?v=diff&id2=6.15.0



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)