Loading...

XML

Word

Printable

Type: Bug
Resolution: Done
Priority: Critical
Fix Version/s: 7.4.20.GA, 7.4.20.CR1
Affects Version/s: None
Component/s: Security
Labels:
- upstream-not-applicable

Blocked:
False
Blocked Reason:
None
Ready:
False
CDW devel_ack:
CDW docs_ack:
CDW pm_ack:
CDW qa_ack:
CDW release:
QE Test Coverage:
?
Target Release:

7.4.z.GA
Git Pull Request:
https://github.com/jbossas/redhat-picketlink-bindings/pull/73
Intelligence Requested:
Market:

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

A customer is complaining that some EAP 7.4.18 responses are providing a bad and invalid Content-Encoding header value of UTF-8 and this is raising flags in their security audit. With byteman tracing, I identified and confirmed the source of the header value and it is being set here by the picketlink UndertowRedirectionHandler :

09:06:05,980 INFO  [stdout] (default task-18) --------------------------->HeaderMap.put Content-Encoding UTF-8
09:06:05,980 INFO  [stdout] (default task-18) io.undertow.util.HeaderMap.put(HeaderMap.java:746)
09:06:05,980 INFO  [stdout] (default task-18) org.picketlink.identity.federation.bindings.wildfly.sp.UndertowRedirectionHandler.commonForPost(UndertowRedirectionHandler.java:122)
09:06:05,980 INFO  [stdout] (default task-18) org.picketlink.identity.federation.bindings.wildfly.sp.UndertowRedirectionHandler.sendPost(UndertowRedirectionHandler.java:63)
09:06:05,980 INFO  [stdout] (default task-18) org.picketlink.identity.federation.core.saml.workflow.ServiceProviderSAMLWorkflow.sendHttpPostBindingRequest(ServiceProviderSAMLWorkflow.java:207)
09:06:05,980 INFO  [stdout] (default task-18) org.picketlink.identity.federation.core.saml.workflow.ServiceProviderSAMLWorkflow.sendRequestToIDP(ServiceProviderSAMLWorkflow.java:140)
09:06:05,980 INFO  [stdout] (default task-18) org.picketlink.identity.federation.bindings.wildfly.sp.SPFormAuthenticationMechanism.generalUserRequest(SPFormAuthenticationMechanism.java:605)
09:06:05,980 INFO  [stdout] (default task-18) org.picketlink.identity.federation.bindings.wildfly.sp.SPFormAuthenticationMechanism.sendChallenge(SPFormAuthenticationMechanism.java:259)
09:06:05,980 INFO  [stdout] (default task-18) io.undertow.security.impl.SecurityContextImpl$ChallengeSender.transition(SecurityContextImpl.java:301)
09:06:05,980 INFO  [stdout] (default task-18) io.undertow.security.impl.SecurityContextImpl$ChallengeSender.transition(SecurityContextImpl.java:319)
09:06:05,980 INFO  [stdout] (default task-18) io.undertow.security.impl.SecurityContextImpl$ChallengeSender.access$300(SecurityContextImpl.java:284)
09:06:05,980 INFO  [stdout] (default task-18) io.undertow.security.impl.SecurityContextImpl.sendChallenges(SecurityContextImpl.java:130)
09:06:05,980 INFO  [stdout] (default task-18) io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:102)
09:06:05,980 INFO  [stdout] (default task-18) io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:107)
09:06:05,980 INFO  [stdout] (default task-18) io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:92)
09:06:05,980 INFO  [stdout] (default task-18) io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55)

Can that be removed? Or should that have been setting a UTF-8 value to a Content-Type header instead of Content-Encoding?

is incorporated by

JBEAP-28270 (7.4.z) Upgrade PicketLink bindings from 2.5.5.SP12-redhat-00016 to 2.5.5.SP12-redhat-00017

Resolved

Assignee:: Ilia Vassilev

Reporter:: Ilia Vassilev

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Created:: 2024/10/15 1:59 PM

Updated:: 2024/11/01 6:15 AM

Resolved:: 2024/10/15 3:48 PM

Details

Description

Attachments

Issue Links

Activity

People

Dates