JBoss Enterprise Application Platform: JBEAP-28269

(7.4.z) org.picketlink.identity.federation.bindings.wildfly.sp.UndertowRedirectionHandler sets bad Content-Encoding


A customer is complaining that some EAP 7.4.18 responses are providing a bad and invalid Content-Encoding header value of UTF-8 and this is raising flags in their security audit. With byteman tracing, I identified and confirmed the source of the header value and it is being set here by the picketlink UndertowRedirectionHandler:

      09:06:05,980 INFO  [stdout] (default task-18) --------------------------->HeaderMap.put Content-Encoding UTF-8
      09:06:05,980 INFO  [stdout] (default task-18) io.undertow.util.HeaderMap.put(HeaderMap.java:746)
      09:06:05,980 INFO  [stdout] (default task-18) org.picketlink.identity.federation.bindings.wildfly.sp.UndertowRedirectionHandler.commonForPost(UndertowRedirectionHandler.java:122)
      09:06:05,980 INFO  [stdout] (default task-18) org.picketlink.identity.federation.bindings.wildfly.sp.UndertowRedirectionHandler.sendPost(UndertowRedirectionHandler.java:63)
      09:06:05,980 INFO  [stdout] (default task-18) org.picketlink.identity.federation.core.saml.workflow.ServiceProviderSAMLWorkflow.sendHttpPostBindingRequest(ServiceProviderSAMLWorkflow.java:207)
      09:06:05,980 INFO  [stdout] (default task-18) org.picketlink.identity.federation.core.saml.workflow.ServiceProviderSAMLWorkflow.sendRequestToIDP(ServiceProviderSAMLWorkflow.java:140)
      09:06:05,980 INFO  [stdout] (default task-18) org.picketlink.identity.federation.bindings.wildfly.sp.SPFormAuthenticationMechanism.generalUserRequest(SPFormAuthenticationMechanism.java:605)
      09:06:05,980 INFO  [stdout] (default task-18) org.picketlink.identity.federation.bindings.wildfly.sp.SPFormAuthenticationMechanism.sendChallenge(SPFormAuthenticationMechanism.java:259)
      09:06:05,980 INFO  [stdout] (default task-18) io.undertow.security.impl.SecurityContextImpl$ChallengeSender.transition(SecurityContextImpl.java:301)
      09:06:05,980 INFO  [stdout] (default task-18) io.undertow.security.impl.SecurityContextImpl$ChallengeSender.transition(SecurityContextImpl.java:319)
      09:06:05,980 INFO  [stdout] (default task-18) io.undertow.security.impl.SecurityContextImpl$ChallengeSender.access$300(SecurityContextImpl.java:284)
      09:06:05,980 INFO  [stdout] (default task-18) io.undertow.security.impl.SecurityContextImpl.sendChallenges(SecurityContextImpl.java:130)
      09:06:05,980 INFO  [stdout] (default task-18) io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:102)
      09:06:05,980 INFO  [stdout] (default task-18) io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:107)
      09:06:05,980 INFO  [stdout] (default task-18) io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:92)
      09:06:05,980 INFO  [stdout] (default task-18) io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55)
      

Can that be removed? Or should that have been setting a UTF-8 value to a Content-Type header instead of Content-Encoding?

rhn-support-ivassile Ilia Vassilev
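The check below is an added example and is not PicketLink, Undertow or EAP code. It does what the customer's audit tooling presumably did: parse a raw response head, flag any Content-Encoding token that is not a registered content-coding (gzip, deflate, br, ...), point out when the offending token is a charset name, and show the header set rewritten the way the question suggests, with the charset carried into Content-Type's charset parameter. The sample response is constructed to mirror the header the trace reports; the list of registered codings is taken from the IANA HTTP Content Coding Registry as of RFC 9110, and recognising a charset by looking it up in Python's codec registry is a heuristic chosen here, not anything the issue states.

```python
"""Audit check for responses that misuse Content-Encoding as a charset field.

Added example, not PicketLink or Undertow code. SAMPLE_RESPONSE is constructed
to mirror the header the issue reports (Content-Encoding: UTF-8).
"""
import codecs

# Content codings from the IANA HTTP Content Coding Registry (RFC 9110 s. 18.6).
# Compared case-insensitively, as RFC 9110 s. 8.4.1 requires.
REGISTERED_CONTENT_CODINGS = frozenset({
    "aes128gcm", "br", "compress", "deflate", "exi", "gzip", "identity",
    "pack200-gzip", "x-compress", "x-gzip", "zstd",
})

# Constructed sample: a SAML POST-binding challenge head carrying the bad header
# (body omitted, so Content-Length is 0).
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Encoding: UTF-8\r\n"
    b"Cache-Control: no-cache, no-store\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)


def parse_head(raw: bytes) -> tuple[str, list[tuple[str, str]]]:
    """Split a raw HTTP/1.1 response head into the status line and (name, value) pairs."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *lines = head.split("\r\n")
    headers = []
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:  # skip anything that is not a field line
            headers.append((name.strip(), value.strip()))
    return status_line, headers


def looks_like_charset(token: str) -> bool:
    """Heuristic: True if Python's codec registry knows `token` (UTF-8, ISO-8859-1, ...)."""
    try:
        codecs.lookup(token)
    except LookupError:
        return False
    return True


def audit_content_encoding(headers: list[tuple[str, str]]) -> list[str]:
    """Return one finding per Content-Encoding token that is not a registered coding."""
    findings = []
    for name, value in headers:
        if name.lower() != "content-encoding":
            continue
        for token in (t.strip() for t in value.split(",")):
            if token.lower() in REGISTERED_CONTENT_CODINGS:
                continue
            finding = f"Content-Encoding {value!r}: {token!r} is not a registered content-coding"
            if looks_like_charset(token):
                finding += "; a charset belongs in Content-Type's charset parameter"
            findings.append(finding)
    return findings


def fix_headers(headers: list[tuple[str, str]]) -> list[tuple[str, str]]:
    """Rewrite the headers the way the issue suggests: drop charset-looking tokens
    from Content-Encoding (keeping registered codings) and carry the first such
    charset into an existing Content-Type that has no charset parameter yet."""
    fixed, charset = [], None
    for name, value in headers:
        if name.lower() != "content-encoding":
            fixed.append((name, value))
            continue
        tokens = [t.strip() for t in value.split(",") if t.strip()]
        kept = [t for t in tokens if t.lower() in REGISTERED_CONTENT_CODINGS]
        for t in tokens:
            if t not in kept and charset is None and looks_like_charset(t):
                charset = t
        if kept:
            fixed.append((name, ", ".join(kept)))
    if charset is not None:
        for i, (name, value) in enumerate(fixed):
            if name.lower() == "content-type" and "charset=" not in value.lower():
                fixed[i] = (name, f"{value}; charset={charset}")
    return fixed


if __name__ == "__main__":
    status, hdrs = parse_head(SAMPLE_RESPONSE)
    print(status)
    for finding in audit_content_encoding(hdrs):
        print("FINDING:", finding)
    print("corrected head:")
    for name, value in fix_headers(hdrs):
        print(f"{name}: {value}")
```

Run against the constructed sample, the audit produces a single finding for the UTF-8 token and the corrected head has no Content-Encoding at all and `Content-Type: text/html; charset=UTF-8`; a response that legitimately sends `Content-Encoding: gzip, br` passes untouched.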