Uploaded image for project: 'PicketLink'
  1. PicketLink
  2. PLINK-776

[GSS](7.2.0) The fix for CVE-2017-2582 breaks the feature of attribute replacement with system property in picketlink.xml

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Major Major
    • None
    • None
    • None

      Picketlink/EAP 7.0.7 is passing the values as a system property but after an update to 7.0.8, variables aren't resolved anymore at picketlink startup.

      <PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
              <PicketLinkSP xmlns="urn:picketlink:identity-federation:config:2.1"
                      BindingType="POST"
                      LogOutPage="/myLogoutPage"
                      IDPUsesPostBinding="true"
                      SupportsSignatures="true">
      
                      <IdentityURL>${plink.IDPurl}</IdentityURL>
                      <ServiceURL>${plink.SPurl}</ServiceURL>
      ...
      

      in standalone.xml we defined the system properties:

      <system-properties>
      ...
            <property name="plink.IDPurl" value="https://www.myidp.com"/>
            <property name="plink.SPurl" value="https://mysp.com/"/>
      ...
      

      Error Snippet:

      2017-10-10 15:34:12,930 ERROR [org.picketlink.common] (ServerService Thread Pool -- 64) Exception creating TrustKeyManager:: java.net.MalformedURLException: no protocol: ${plink.IDPurl}
      

      The fix for Bug 1410481 - (CVE-2017-2582) CVE-2017-2582 picketlink, keycloak: SAML request parser replaces special strings with system properties is the cause of the issue.

              psilva@redhat.com Pedro Igor Craveiro
              vdosoudi@redhat.com Vladimir Dosoudil
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Created:
                Updated:
                Resolved: