DefaultCasProtocolAttributeEncoder attribute name sanitizing logic is broken


Kirill Gagarski
CAS tries to escape attribute names in the CAS protocol response if they contain ':' and '@' symbols.

In CAS 5.3 (I know it's unsupported) it uses HEX-encoding of such names. When I am trying to release some SAML standard attributes (e.g. urn:oid:1.3.6.1.4.1.5923.1.1.1.9) using the CAS protocol I have the following attributes map in the response:

<cas:attributes>
    <!-- Skipped for clarity -->
    <cas:75726e3a6f69643a312e332e362e312e342e312e353932332e312e312e312e39>[hidden email]</cas:75726e3a6f69643a312e332e362e312e342e312e353932332e312e312e312e39>
    <!-- Skipped for clarity -->
</cas:attributes>


75726e3a6f69643a312e332e362e312e342e312e353932332e312e312e312e39 is not a valid XML tag name. An XML tag name cannot start with a digit. Client libraries cannot even parse this XML!

I can see that this behavior has changed for some reason in the master branch. Now it uses Base64 encoding for attribute names (same as for values). This does not solve the problem (a Base64-encoded string can still start with a digit) but makes it even worse (Base64 has / and = symbols, which should not be present in a tag name).


--
You received this message because you are subscribed to the Google Groups "CAS Developer" group.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-dev/d452004d-7142-4b8f-896f-22c6ccf412d2%40apereo.org.
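The following is an added illustration, not code from CAS or from the poster: it reproduces both encodings of the attribute name quoted in the post, checks each result against the XML NCName production (ASCII subset, which is all these encoders emit), and shows that a client-side XML parser rejects the resulting element. The `underscore_hex_name` helper is an assumed, hypothetical variant that yields a valid name; it is not a fix CAS itself adopted.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Constructed sample: the SAML attribute name quoted in the post.
ATTR_NAME = "urn:oid:1.3.6.1.4.1.5923.1.1.1.9"

# XML 1.0 NCName, ASCII subset: first char a letter or '_', never a digit;
# '/', '+', '=' are never permitted anywhere in a name.
NCNAME_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_.\-]*")


def hex_encode(name: str) -> str:
    """CAS 5.3 style: lowercase hex of the UTF-8 bytes of the name."""
    return name.encode("utf-8").hex()


def base64_encode(name: str) -> str:
    """master-branch style: standard Base64 (with '=' padding) of the name."""
    return base64.b64encode(name.encode("utf-8")).decode("ascii")


def underscore_hex_name(name: str) -> str:
    """Hypothetical alternative (an assumption here, not CAS's behaviour):
    a leading underscore makes the all-hex string a legal NCName."""
    return "_" + hex_encode(name)


def is_valid_element_name(local_name: str) -> bool:
    """True if local_name satisfies the (ASCII) NCName production."""
    return NCNAME_RE.fullmatch(local_name) is not None


def parses_as_cas_response(local_name: str) -> bool:
    """Embed the name in a minimal <cas:attributes> fragment and parse it,
    as a CAS client library would; a malformed name raises ParseError."""
    xml = (
        '<cas:attributes xmlns:cas="http://www.yale.edu/tp/cas">'
        f"<cas:{local_name}>value</cas:{local_name}>"
        "</cas:attributes>"
    )
    try:
        ET.fromstring(xml)
        return True
    except ET.ParseError:
        return False
```

Running the checks against `hex_encode(ATTR_NAME)` and `base64_encode(ATTR_NAME)` shows the first failing on its leading digit and the second on its trailing `=`, while a plain name such as `mail` passes both checks.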