DefaultCasProtocolAttributeEncoder attribute name sanitizing logic is broken


Kirill Gagarski

Apr 29, 2020, 7:22:28 AM4/29/20
to CAS Developer
CAS tries to escape attribute names in the CAS protocol response if they contain ':' and '@' symbols.

In CAS 5.3 (I know it's unsupported) it uses HEX-encoding of such names. When I am trying to release some SAML standard attributes (e.g. urn:oid:1.3.6.1.4.1.5923.1.1.1.9) using the CAS protocol, I have the following attributes map in the response:

<cas:attributes>
    <!-- Skipped for clarity -->
    <cas:75726e3a6f69643a312e332e362e312e342e312e353932332e312e312e312e39>mem...@example.com</cas:75726e3a6f69643a312e332e362e312e342e312e353932332e312e312e312e39>
    <!-- Skipped for clarity -->
</cas:attributes>


75726e3a6f69643a312e332e362e312e342e312e353932332e312e312e312e39 is not a valid XML tag name. An XML tag name cannot start with a digit. Client libraries cannot even parse this XML!

I can see that this behavior has changed for some reason in the master branch. Now it uses Base64 encoding for attribute names (the same as for values), which does not solve this problem (a Base64-encoded string can still start with a digit) but makes it even worse (Base64 contains / and = symbols, which should not be present in a tag name).


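Added example, not code from the post or from the CAS project: it reproduces the two attribute-name encodings the post describes (hex in 5.3, Base64 in master) for the urn:oid name above, then checks each result the way a CAS client would have to, first against the XML name rules and then by feeding a constructed <cas:attributes> fragment to a real XML parser. The two encoding helpers, the check functions and the use of the CAS namespace URI are assumptions made for this illustration.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Attribute name from the post; CAS would emit it as <cas:ENCODED_NAME>.
SAML_ATTR = "urn:oid:1.3.6.1.4.1.5923.1.1.1.9"

# Simplified (ASCII-only) XML 1.0 NCName: must start with a letter or '_',
# and may not contain '/', '=' or other punctuation. Sufficient for the
# hex and Base64 outputs discussed in the post.
_NCNAME = re.compile(r"^[A-Za-z_][A-Za-z0-9._-]*$")


def hex_encode(name: str) -> str:
    """Hex encoding of an attribute name, as the post describes for CAS 5.3 (assumed)."""
    return name.encode("utf-8").hex()


def base64_encode(name: str) -> str:
    """Base64 encoding of an attribute name, as the post describes for master (assumed)."""
    return base64.b64encode(name.encode("utf-8")).decode("ascii")


def is_valid_local_name(name: str) -> bool:
    """True if `name` could legally be the local part of a <cas:...> element."""
    return bool(_NCNAME.match(name))


def parses_as_cas_attribute(local_name: str, value: str = "x") -> bool:
    """Build a minimal <cas:attributes> response fragment around the encoded
    name and try to parse it, exactly as a CAS client library must."""
    doc = (
        '<cas:attributes xmlns:cas="http://www.yale.edu/tp/cas">'
        f"<cas:{local_name}>{value}</cas:{local_name}>"
        "</cas:attributes>"
    )
    try:
        ET.fromstring(doc)
        return True
    except ET.ParseError:
        return False


if __name__ == "__main__":
    for label, encoded in (("hex", hex_encode(SAML_ATTR)), ("base64", base64_encode(SAML_ATTR))):
        print(label, encoded, "valid name:", is_valid_local_name(encoded),
              "parses:", parses_as_cas_attribute(encoded))
```

Both encodings fail both checks for this attribute, while a plain name such as `mail` passes, which is the parser-side symptom the post reports.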