Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-13506

[GSS](7.0.z) The fix for CVE-2017-2582 breaks the feature of attribute replacement with system property in picketlink.xml

XMLWordPrintable

      Picketlink/EAP 7.0.7 is passing the values as a system property but after an update to 7.0.8, variables aren't resolved anymore at picketlink startup.

      <PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
              <PicketLinkSP xmlns="urn:picketlink:identity-federation:config:2.1"
                      BindingType="POST"
                      LogOutPage="/myLogoutPage"
                      IDPUsesPostBinding="true"
                      SupportsSignatures="true">
      
                      <IdentityURL>${plink.IDPurl}</IdentityURL>
                      <ServiceURL>${plink.SPurl}</ServiceURL>
      ...
      

      in standalone.xml we defined the system properties:

      <system-properties>
      ...
            <property name="plink.IDPurl" value="https://www.myidp.com"/>
            <property name="plink.SPurl" value="https://mysp.com/"/>
      ...
      

      Error Snippet:

      2017-10-10 15:34:12,930 ERROR [org.picketlink.common] (ServerService Thread Pool -- 64) Exception creating TrustKeyManager:: java.net.MalformedURLException: no protocol: ${plink.IDPurl}
      

      The fix for Bug 1410481 - (CVE-2017-2582) CVE-2017-2582 picketlink, keycloak: SAML request parser replaces special strings with system properties is the cause of the issue.

            istudens@redhat.com Ivo Studensky
            rhn-support-hokuda Hisanobu Okuda
            Votes:
            0 Vote for this issue
            Watchers:
            12 Start watching this issue

              Created:
              Updated:
              Resolved: