- Bug
- Resolution: Done
- Critical
A customer is complaining that some EAP 7.4.18 responses are providing a bad and invalid Content-Encoding header value of UTF-8 and this is raising flags in their security audit. With byteman tracing, I identified and confirmed the source of the header value and it is being set here by the picketlink UndertowRedirectionHandler:
09:06:05,980 INFO [stdout] (default task-18) --------------------------->HeaderMap.put Content-Encoding UTF-8
09:06:05,980 INFO [stdout] (default task-18) io.undertow.util.HeaderMap.put(HeaderMap.java:746)
09:06:05,980 INFO [stdout] (default task-18) org.picketlink.identity.federation.bindings.wildfly.sp.UndertowRedirectionHandler.commonForPost(UndertowRedirectionHandler.java:122)
09:06:05,980 INFO [stdout] (default task-18) org.picketlink.identity.federation.bindings.wildfly.sp.UndertowRedirectionHandler.sendPost(UndertowRedirectionHandler.java:63)
09:06:05,980 INFO [stdout] (default task-18) org.picketlink.identity.federation.core.saml.workflow.ServiceProviderSAMLWorkflow.sendHttpPostBindingRequest(ServiceProviderSAMLWorkflow.java:207)
09:06:05,980 INFO [stdout] (default task-18) org.picketlink.identity.federation.core.saml.workflow.ServiceProviderSAMLWorkflow.sendRequestToIDP(ServiceProviderSAMLWorkflow.java:140)
09:06:05,980 INFO [stdout] (default task-18) org.picketlink.identity.federation.bindings.wildfly.sp.SPFormAuthenticationMechanism.generalUserRequest(SPFormAuthenticationMechanism.java:605)
09:06:05,980 INFO [stdout] (default task-18) org.picketlink.identity.federation.bindings.wildfly.sp.SPFormAuthenticationMechanism.sendChallenge(SPFormAuthenticationMechanism.java:259)
09:06:05,980 INFO [stdout] (default task-18) io.undertow.security.impl.SecurityContextImpl$ChallengeSender.transition(SecurityContextImpl.java:301)
09:06:05,980 INFO [stdout] (default task-18) io.undertow.security.impl.SecurityContextImpl$ChallengeSender.transition(SecurityContextImpl.java:319)
09:06:05,980 INFO [stdout] (default task-18) io.undertow.security.impl.SecurityContextImpl$ChallengeSender.access$300(SecurityContextImpl.java:284)
09:06:05,980 INFO [stdout] (default task-18) io.undertow.security.impl.SecurityContextImpl.sendChallenges(SecurityContextImpl.java:130)
09:06:05,980 INFO [stdout] (default task-18) io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:102)
09:06:05,980 INFO [stdout] (default task-18) io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:107)
09:06:05,980 INFO [stdout] (default task-18) io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:92)
09:06:05,980 INFO [stdout] (default task-18) io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55)
Can that be removed? Or should that have been setting a UTF-8 value to a Content-Type header instead of Content-Encoding?
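The audit check the customer's scanner is effectively performing, as an added example that is not part of this issue or of the PicketLink/Undertow code: it parses a raw response head, flags any Content-Encoding token that is not a registered HTTP content coding (a charset such as UTF-8 is never one), and points at the Content-Type charset parameter as the right place for it. The sample response heads are constructed; only the two headers in question mirror the report.

```python
# Registered HTTP content codings (IANA registry; x- forms are legacy aliases).
# A charset such as "UTF-8" is never a valid value here.
VALID_CONTENT_CODINGS = {
    "aes128gcm", "br", "compress", "deflate", "gzip", "identity",
    "zstd", "x-compress", "x-gzip",
}


def parse_headers(raw: str) -> list[tuple[str, str]]:
    """Split a raw HTTP/1.1 response head into lower-cased (name, value)
    pairs, in order, skipping the status line and stopping at the blank line."""
    lines = raw.replace("\r\n", "\n").split("\n")
    pairs = []
    for line in lines[1:]:
        if not line.strip():
            break
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def audit_content_encoding(raw: str) -> list[str]:
    """One finding per Content-Encoding token that is not a registered
    coding; the header may carry a comma-separated list."""
    findings = []
    for name, value in parse_headers(raw):
        if name != "content-encoding":
            continue
        for token in value.split(","):
            coding = token.strip()
            if coding and coding.lower() not in VALID_CONTENT_CODINGS:
                findings.append(
                    f"invalid Content-Encoding value {coding!r}: a charset "
                    "belongs in Content-Type (e.g. text/html; charset=UTF-8)"
                )
    return findings


# Constructed sample resembling the SP's HTTP-POST binding response with the
# spurious header (status line and other headers are illustrative only).
BAD_RESPONSE = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                "Content-Encoding: UTF-8\r\nContent-Length: 512\r\n\r\n")
# Constructed sample of the corrected form: charset on Content-Type only.
FIXED_RESPONSE = ("HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=UTF-8\r\n"
                  "Content-Length: 512\r\n\r\n")

if __name__ == "__main__":
    for label, head in (("bad", BAD_RESPONSE), ("fixed", FIXED_RESPONSE)):
        print(label, audit_content_encoding(head) or "no findings")
```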
- is incorporated by JBEAP-28270 (7.4.z) Upgrade PicketLink bindings from 2.5.5.SP12-redhat-00016 to 2.5.5.SP12-redhat-00017 (Ready for QA)