Request InputStream empty
19 views
Skip to first unread message
Nicolas Crittin
Feb 10, 2025, 12:56:01 AMFeb 10
to Pac4j development mailing list
Hi,
The DefaultSecurityClientFinder class uses following code to search for force_client parameter in client request:
final var clientOnRequest = context.getRequestParameter(clientNameParameter);
This method wraps on request.getParameter() in JEEContext. The getParameter() searchs parameter in URL query AND in request form:
source: https://docs.oracle.com/javaee/6/api/javax/servlet/ServletRequest.html#getParameter(java.lang.String)
If the goal of that is to read force_client in URL parameters, it may be safer to parse URL directly. Now if force_client is expected in form data, then this means that payload must combine business data and authentication logic data, which is imho a bad idea.
More problematic, the getParameter() has a side effect on request payload: the reading of parameter in form data consumes the request input stream. This makes that input stream unreadable for application. For instance, I get empty result if I try to read it with following code:
try (InputStream in = request.getInputStream()) {
return IOUtils.toString(in, charset);
}
But if I try to read the payload just before the getRequestParameter() call, I can get data.
Now I can work arround by simply not defining clients init-param in my web.xml, but I think it would be a safer method to get that parameter by either parsing URL query string or searching for force_client in request header.
The DefaultSecurityClientFinder class uses following code to search for force_client parameter in client request:
final var clientOnRequest = context.getRequestParameter(clientNameParameter);
This method wraps on request.getParameter() in JEEContext. The getParameter() searchs parameter in URL query AND in request form:
I'm wondering if it is a good idea to use that method.
Javadoc says following:
[...] For HTTP servlets, parameters are contained in the query string or posted form data. source: https://docs.oracle.com/javaee/6/api/javax/servlet/ServletRequest.html#getParameter(java.lang.String)
If the goal of that is to read force_client in URL parameters, it may be safer to parse URL directly. Now if force_client is expected in form data, then this means that payload must combine business data and authentication logic data, which is imho a bad idea.
More problematic, the getParameter() has a side effect on request payload: the reading of parameter in form data consumes the request input stream. This makes that input stream unreadable for application. For instance, I get empty result if I try to read it with following code:
try (InputStream in = request.getInputStream()) {
return IOUtils.toString(in, charset);
}
But if I try to read the payload just before the getRequestParameter() call, I can get data.
Now I can work arround by simply not defining clients init-param in my web.xml, but I think it would be a safer method to get that parameter by either parsing URL query string or searching for force_client in request header.
Jérôme LELEU
Feb 10, 2025, 4:19:14 AMFeb 10
to Nicolas Crittin, Pac4j development mailing list
Hi,
Yes, reading the force_client parameter from the request form is overkill, but the main problem here is indeed the one you report, it unexpectedly consumes the request content.
I just submitted the following fixes:
Thanks.
Best regards,
Jérôme
--
You received this message because you are subscribed to the Google Groups "Pac4j development mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pac4j-dev+...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/pac4j-dev/f0445c63-35bc-4974-984d-5b4f5169ad0cn%40googlegroups.com.
Nicolas Crittin
Feb 10, 2025, 8:34:37 AMFeb 10
to Pac4j development mailing list
Mmmh not sure this is a good idea.
I get "missing_field" exception when I try to authenticate with indirect FormClient. Following code return null value :
Afaik request reader also consume input stream
Jérôme LELEU
Feb 10, 2025, 9:02:16 AMFeb 10
to Nicolas Crittin, Pac4j development mailing list
Hi,
I reverted my changes. Looks like we need a better solution here...
Thanks.
Best regards,
Jérôme
To view this discussion visit https://groups.google.com/d/msgid/pac4j-dev/8183bd3f-c437-4aa7-bc14-9db98404c88dn%40googlegroups.com.
Reply all
Reply to author
Forward
0 new messages