CAS 5.3.x Introduces Breaking Change for RequestID in cas-server-support-saml


Josh G

27 Aug 2018, 15:25:32
to CAS Community

CAS 5.3.x introduces a breaking change to how RequestIDs are handled when validating SAML Services.

In 5.2.x (and all previous versions of CAS), if the RequestID is not present, it will gracefully fail by returning a null value:

    requestId = extractRequestId(requestBody);

    /**
     * Extract request id from the body.
     *
     * @param requestBody the request body
     * @return the string
     */
    private static String extractRequestId(final String requestBody) {
        if (!requestBody.contains("RequestID")) {
            LOGGER.debug("Request body does not contain a request id");
            return null;
        }

        try {
            // CONST_REQUEST_ID_LENGTH is the length of the 'RequestID="' prefix being skipped
            final int position = requestBody.indexOf("RequestID=\"") + CONST_REQUEST_ID_LENGTH;
            final int nextPosition = requestBody.indexOf('"', position);

            return requestBody.substring(position, nextPosition);
        } catch (final Exception e) {
            LOGGER.debug("Exception parsing RequestID from request.", e);
            return null;
        }
    }


In 5.3.x, if the RequestID is not present, it will throw a NullPointerException:

    @NonNull
    final Attribute requestIdAttribute = requestChild.getAttribute("RequestID");
    requestId = requestIdAttribute.getValue();

This change will break all versions of apereo/mod_auth_cas (See: https://github.com/apereo/mod_auth_cas/issues/148) along with any other client that does not properly implement support for the RequestID parameter.

This change should be reverted (this is as simple as removing the @NonNull Lombok annotation so the request will fall back to a null response). Breaking every install of mod_auth_cas along with other legacy clients cannot be considered acceptable.

Josh G

2 Sep 2018, 21:29:23
to CAS Community
It's worth mentioning this issue is related to the following from July:


I'd like to reiterate that patching the client is not a fix here, the core of 5.3 needs to be patched to gracefully accept a null RequestID as all previous versions of CAS have.

Curtis Ruck

6 Sep 2018, 16:04:15
to CAS Community
or at least have a boolean that can be flipped to disable this.
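Added example, not code from CAS, mod_auth_cas or anyone in this thread: a standalone Java class that makes the two behaviours described in the opening post concrete and adds the boolean toggle suggested just above. It parses two constructed SAML 1.1 samlValidate bodies with the JDK's own DOM parser rather than the classes CAS uses, returns an empty Optional when RequestID is absent (the 5.2.x behaviour) and, when the `requireRequestId` flag is set, rejects the request with a descriptive exception instead of the NullPointerException seen in 5.3.x. The class name, method names, the flag, the sample XML and the ticket and RequestID values are all constructed for this illustration; the `urn:oasis:names:tc:SAML:1.0:protocol` namespace is the real SAML 1.x protocol namespace.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.Optional;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/** Added example: lenient vs. strict handling of the SAML 1.1 RequestID attribute (not CAS code). */
public final class RequestIdExtraction {

    private static final String SAMLP_NS = "urn:oasis:names:tc:SAML:1.0:protocol";

    // Constructed sample body from a client that sends a RequestID.
    static final String WITH_REQUEST_ID =
          "<SOAP-ENV:Envelope xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\"><SOAP-ENV:Body>"
        + "<samlp:Request xmlns:samlp=\"" + SAMLP_NS + "\" MajorVersion=\"1\" MinorVersion=\"1\""
        + " RequestID=\"_constructed-request-id-1\" IssueInstant=\"2018-08-27T15:25:32Z\">"
        + "<samlp:AssertionArtifact>ST-CONSTRUCTED-TICKET</samlp:AssertionArtifact>"
        + "</samlp:Request></SOAP-ENV:Body></SOAP-ENV:Envelope>";

    // Constructed sample body from a legacy client that omits RequestID, as described in the thread.
    static final String WITHOUT_REQUEST_ID =
          "<SOAP-ENV:Envelope xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\"><SOAP-ENV:Body>"
        + "<samlp:Request xmlns:samlp=\"" + SAMLP_NS + "\" MajorVersion=\"1\" MinorVersion=\"1\""
        + " IssueInstant=\"2018-08-27T15:25:32Z\">"
        + "<samlp:AssertionArtifact>ST-CONSTRUCTED-TICKET</samlp:AssertionArtifact>"
        + "</samlp:Request></SOAP-ENV:Body></SOAP-ENV:Envelope>";

    /** Parses an untrusted request body with DTD processing disabled (no external entities). */
    private static Document parse(final String body) throws Exception {
        final DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setNamespaceAware(true);
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
        return factory.newDocumentBuilder()
                .parse(new ByteArrayInputStream(body.getBytes(StandardCharsets.UTF_8)));
    }

    /**
     * Extracts RequestID from the samlp:Request element.
     *
     * @param body             the SOAP body received on the samlValidate endpoint
     * @param requireRequestId false: 5.2.x-style, a missing attribute yields Optional.empty();
     *                         true: 5.3.x-style, a missing attribute is rejected
     * @return the RequestID, or empty when absent and not required
     * @throws IllegalArgumentException when the body has no samlp:Request, or RequestID is missing and required
     */
    static Optional<String> extractRequestId(final String body, final boolean requireRequestId) throws Exception {
        final NodeList requests = parse(body).getElementsByTagNameNS(SAMLP_NS, "Request");
        if (requests.getLength() == 0) {
            throw new IllegalArgumentException("Request body does not contain a samlp:Request element");
        }
        final Element request = (Element) requests.item(0);
        // DOM returns "" for a missing attribute, so hasAttribute is needed to tell absent from empty.
        if (!request.hasAttribute("RequestID")) {
            if (requireRequestId) {
                throw new IllegalArgumentException("RequestID attribute is required but missing");
            }
            return Optional.empty();
        }
        return Optional.of(request.getAttribute("RequestID"));
    }

    public static void main(final String[] args) throws Exception {
        System.out.println("lenient, with id:    " + extractRequestId(WITH_REQUEST_ID, false));
        System.out.println("lenient, without id: " + extractRequestId(WITHOUT_REQUEST_ID, false));
        try {
            extractRequestId(WITHOUT_REQUEST_ID, true);
        } catch (final IllegalArgumentException e) {
            System.out.println("strict, without id:  rejected (" + e.getMessage() + ")");
        }
    }
}
```

On JDK 11 or later this runs directly with `java RequestIdExtraction.java`. Two design points matter for anyone carrying a toggle like this into a deployment: looking the attribute up on the samlp:Request element itself is more reliable than the 5.2.x substring scan, which would match a `RequestID="` that appears anywhere in the body; and when strict mode does reject a request, a named exception with a clear message gives the server log a line you can correlate with the client that omitted the attribute, which a bare NullPointerException does not.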

Josh G

7 Sep 2018, 07:12:54
to CAS Community
I agree. That would work just as well.

We're now stuck at 5.2.x and cannot move forward until this is patched. We have too many external vendor integrations that are impacted by this.

Josh G

2 Oct 2018, 07:12:28
to CAS Community
It looks like this is patched in the latest 5.3.x branch! Big thanks to Misagh Moayyed! We will validate on the next release.
