SAML & CAS Jakarta compliancy + SNAKEYAML CVE


Nicolas Gaudin

Sep 13, 2022, 5:40:52 AM
to Pac4j users mailing list
Hi,

Would it be possible to have two -jakarta packages, for SAML and CAS?
Indeed the compile dependencies still refer to javax APIs.

Plus in pac4j-saml, the dependency SnakeYaml (even in 1.31) is referenced as risky with CVE-2022-38752.

Many thanks in advance
Best regards,
Nicolas Gaudin

Jérôme LELEU

Sep 13, 2022, 7:31:45 AM
to Nicolas Gaudin, Pac4j users mailing list
Hi,

The pac4j-saml and pac4j-cas dependencies should not depend on javax APIs, only the javaee-pac4j dependency.

Can you give me an example?

Thanks.
Best regards,
Jérôme


--
You received this message because you are subscribed to the Google Groups "Pac4j users mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pac4j-users...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/pac4j-users/f5b39686-2432-4e08-983c-1180a5d3d075n%40googlegroups.com.

Jérôme LELEU

Sep 14, 2022, 1:53:17 AM
to Pac4j users mailing list
Hi,

The javax.annotation references have been "cleaned" from the pac4j-saml dependency.

Can you test with the version 5.6.0-SNAPSHOT?

Thanks.
Best regards,
Jérôme

Nicolas Gaudin

Sep 14, 2022, 4:52:57 AM
to Jérôme LELEU, Pac4j users mailing list
Hi

Can't find it on Maven...
For pac4j-cas, the javax dependency is coming from org.jasig.cas.client…
It seems that org.apereo should be used instead.
Thanks


Sent from my iPhone

On 14 Sept 2022 at 07:53, Jérôme LELEU <lel...@gmail.com> wrote:

Hi,

Jérôme LELEU

Sep 14, 2022, 5:04:29 AM
to Nicolas Gaudin, Pac4j users mailing list
Hi,

You can find pac4j snapshots in the Sonatype snapshots repository:

<repository>
    <id>sonatype-nexus-snapshots</id>
    <name>Sonatype Nexus Snapshots</name>
    <url>https://oss.sonatype.org/content/repositories/snapshots</url>
    <releases>
        <enabled>false</enabled>
    </releases>
    <snapshots>
        <enabled>true</enabled>
    </snapshots>
</repository>

Yes, the Jasig/Apereo CAS client depends on the javax dependency, but this should not be used in pac4j-cas which has its own implementation.

Can you elaborate? Which error do you get?

Thanks.
Best regards,
Jérôme


Jérôme LELEU

Sep 15, 2022, 2:09:08 AM
to Nicolas GAUDIN, pac4j...@googlegroups.com, Fabien DASTE
Hi,

"Being jakarta namespaces user, i can not use current pac4j-cas at this stage.": this is not clear to me. Can you log in with a CAS server or a SAML IdP? Do you get a ClassNotFoundException?


When you are in a JakartaEE environment, all packages are jakarta.* so if you have any import on javax.* (which are not in the JDK but in a javax JAR), you will get a ClassNotFoundException.
This is true if you import a class that itself imports a javax class.

In pac4j-cas, no class imports a javax class, but we import CAS client classes (org.jasig) and in all these CAS client classes, only CommonUtils has an import on javax.servlet.http.HttpServletRequest which is part of Tomcat 9 but not of Tomcat 10.

In my tests, I didn't get any ClassNotFoundException maybe because I don't call any method using this HttpServletRequest class, but anyway, I have removed the usage of CommonUtils (it was easy).

The Java CAS client has web stuff and non-web stuff. As we only use the non-web stuff, the CAS client web stuff won't be used and we don't care if it uses JavaEE or JakartaEE.

I have also cleaned useless javax dependencies. See this commit: https://github.com/pac4j/pac4j/commit/5e84c0c04ff208d7d5431ee126b71e57ca22a397

Can you please make a real life test with version 5.6.0-SNAPSHOT using pac4j-cas or pac4j-saml dependencies?

Thanks.
Best regards,
Jérôme



On Wed, 14 Sept 2022 at 17:55, Nicolas GAUDIN <n.ga...@everwin.fr> wrote:

Hi,

The pac4j-cas 5.5.0 has actual compile dependencies on org.jasig.cas.client that are not optional.

BUT,

There is also a new artifact org.apereo.cas.client that jumped to the jakarta namespace:
https://github.com/apereo/java-cas-client and it is in the Maven repository.

Considering these two conflicting artifacts, it seems to me, according to the compile dependencies, that pac4j-cas and another pac4j-cas-jakarta should coexist.

But I may be wrong…

Being a jakarta namespace user, I cannot use the current pac4j-cas at this stage.

Many thanks, once again, for your time and reactivity
Kind regards,

Nicolas GAUDIN
R&D Director, iVision
+33561002822
n.ga...@everwin.fr
244 route de Seysses Hall IV ‑ 1er étage, 31100 Toulouse
www.everwin.fr

Begin forwarded message:

From: Jérôme LELEU <lel...@gmail.com>
Date: 14 September 2022 at 11:04:29 UTC+2
Cc: Pac4j users mailing list <pac4j...@googlegroups.com>
Subject: Re: SAML & CAS Jakarta compliancy + SNAKEYAML CVE
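The check Nicolas describes (auditing every library for remaining javax.* references before moving to a Jakarta EE container such as Tomcat 10) can be automated without loading anything into a JVM. The script below is an added example, not code from this thread or from the pac4j project: it reads each .class entry in a JAR, walks the constant pool, and reports CONSTANT_Class entries under a given package prefix. The sample JAR, the class names com/example/WebHelper and com/example/PureLogic, and the build_sample_jar helper are constructed for the demonstration; the synthetic class files carry only a valid header and constant pool and are not loadable bytecode.

```python
"""Scan JAR files for class references into the javax.* namespace.

Constructed example: finds classes whose constant pool references javax/*
(or any other prefix), which is what a Jakarta EE deployment trips over
with a ClassNotFoundException once the javax JARs are gone.
"""
import io
import struct
import sys
import zipfile

# Constant-pool tag -> fixed payload size in bytes (tag 1, Utf8, is variable).
_CP_SIZES = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
             12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}


def class_references(class_bytes: bytes) -> set[str]:
    """Return the internal names of every class referenced from the
    constant pool of one .class file (CONSTANT_Class entries)."""
    if class_bytes[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a class file")
    (cp_count,) = struct.unpack(">H", class_bytes[8:10])
    pos, i = 10, 1
    utf8: dict[int, str] = {}
    class_name_idx: list[int] = []
    while i < cp_count:
        tag = class_bytes[pos]
        pos += 1
        if tag == 1:  # CONSTANT_Utf8: u2 length + bytes (modified UTF-8)
            (length,) = struct.unpack(">H", class_bytes[pos:pos + 2])
            pos += 2
            utf8[i] = class_bytes[pos:pos + length].decode("utf-8", "replace")
            pos += length
        else:
            if tag == 7:  # CONSTANT_Class: u2 index of a Utf8 entry
                (name_idx,) = struct.unpack(">H", class_bytes[pos:pos + 2])
                class_name_idx.append(name_idx)
            pos += _CP_SIZES[tag]
        i += 2 if tag in (5, 6) else 1  # Long and Double occupy two slots
    return {utf8[idx] for idx in class_name_idx if idx in utf8}


def scan_jar(jar_bytes: bytes, prefix: str = "javax/") -> dict[str, list[str]]:
    """Map each .class entry in the JAR to the sorted list of referenced
    class names starting with `prefix`; entries without a hit are omitted."""
    findings: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for entry in jar.namelist():
            if not entry.endswith(".class"):
                continue
            refs = sorted(r for r in class_references(jar.read(entry))
                          if r.startswith(prefix))
            if refs:
                findings[entry] = refs
    return findings


def _synthetic_class(this_name: str, referenced: list[str]) -> bytes:
    """Constructed sample: a class-file prefix (magic, version, constant pool)
    with a Class entry for this_name and each referenced name. Enough for the
    parser above; a JVM would reject it as truncated."""
    pool = b""
    for n, name in enumerate([this_name] + referenced):
        encoded = name.encode()
        pool += b"\x01" + struct.pack(">H", len(encoded)) + encoded  # Utf8 at 2n+1
        pool += b"\x07" + struct.pack(">H", 2 * n + 1)               # Class at 2n+2
    cp_count = 2 * (len(referenced) + 1) + 1
    return (b"\xca\xfe\xba\xbe" + struct.pack(">HH", 0, 52)
            + struct.pack(">H", cp_count) + pool)


def build_sample_jar() -> bytes:
    """Constructed sample JAR: one class touching javax.servlet, one clean."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("com/example/WebHelper.class", _synthetic_class(
            "com/example/WebHelper",
            ["javax/servlet/http/HttpServletRequest", "java/lang/String"]))
        jar.writestr("com/example/PureLogic.class", _synthetic_class(
            "com/example/PureLogic", ["java/util/List"]))
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python scan_javax.py lib/*.jar   (no arguments: scan the sample)
    sources = [(p, open(p, "rb").read()) for p in sys.argv[1:]] \
        or [("<constructed sample>", build_sample_jar())]
    for label, data in sources:
        for entry, refs in scan_jar(data).items():
            print(f"{label}: {entry} -> {', '.join(refs)}")
```

Run it over the JARs that `mvn dependency:copy-dependencies` drops into target/dependency to get a per-class list of javax references. Two caveats match what Jérôme observed above: a class that references javax is only a problem if it is actually loaded (a CommonUtils-style helper that you never call may load fine or may fail lazily, depending on the JVM's verification path), and the scan sees only direct constant-pool references, not classes named in strings for reflection or ServiceLoader.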



Jérôme LELEU

Sep 15, 2022, 4:05:04 AM
to Nicolas GAUDIN, pac4j...@googlegroups.com, Fabien DASTE
Hi,

I fully understand: it must work and no javax dependency must remain when you are in a JakartaEE environment.

It should be much better now: you'll tell me.

About the release date, nothing is planned yet, it can be very soon if needed.

Thanks.
Best regards,
Jérôme


On Thu, 15 Sept 2022 at 09:03, Nicolas GAUDIN <n.ga...@everwin.fr> wrote:

Hi,

I agree with you.

Let me describe it further to get the full view.

We are in the process of checking all libraries that still have javax dependencies... and in some cases might cause issues...

Of course using exclusions in our pom and checking all is working properly is one option… but what if (not speaking of pac4j specifically, but other libraries perhaps) we use some features of a library that effectively need javax (via indirect use). We do not want to have to import these javax dependencies (remove exclusions).

So in this context and if possible, we try to optimize our dependency management to those libraries fully jakarta compatible.

(We also check libraries for potential CVEs)

Sure, I will ask to test 5.6.0-SNAPSHOT and we will get back to you asap.

Many thanks for the modifications you made. I think, you might agree, that it is a good thing at the end.

One last question: when do you plan to deliver the 5.6.0 release?

Best regards,

Kind regards,

Nicolas GAUDIN
R&D Director, iVision
+33561002822
n.ga...@everwin.fr
244 route de Seysses Hall IV ‑ 1er étage, 31100 Toulouse
www.everwin.fr

From: Jérôme LELEU <lel...@gmail.com>
Sent: Thursday 15 September 2022 08:09
To: Nicolas GAUDIN <n.ga...@everwin.fr>
Cc: pac4j...@googlegroups.com; Fabien DASTE <f.d...@everwin.fr>
Subject: Re: SAML & CAS Jakarta compliancy + SNAKEYAML CVE

Jérôme LELEU

Sep 27, 2022, 8:46:28 AM
to Pac4j users mailing list
Hi,

What's the outcome of your tests?
Is everything OK for JakartaEE?
Thanks.
Best regards,
Jérôme

Jérôme LELEU

Sep 29, 2022, 12:17:42 PM
to Nicolas GAUDIN, Pac4j users mailing list, Fabien DASTE
Hi,

No problem. I just wanted to be sure I didn't miss your feedback.

This morning, I have released pac4j v5.6.0 (which is thus now available in the Maven central repository). This may help your tests.

Thanks.
Best regards,
Jérôme


On Thu, 29 Sept 2022 at 18:09, Nicolas GAUDIN <n.ga...@everwin.fr> wrote:

Hi Jérôme,

Still in progress, we are fully booked… sorry about that.
