Identity Gateway / OPENIG-947

OpenIG 4.0 does not preserve query string

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Not a defect
    • Affects Version/s: 4.0.0
    • Fix Version/s: 4.0.0
    • Component/s: Core, OpenAM, SAML
    • Labels:
      None
    • Environment:
      OpenAM 13, OpenIG 4.0
    • Support Ticket IDs:

      Description

      When OpenIG 4.0 is reverse-proxying in front of an OpenAM 13 IDP, it was discovered that OpenIG 4.0 does not preserve the raw input of the signed SAML request query string, which results in an "Invalid Signature in Request" exception during an SP-initiated SSO request.

      The bug was traced to OpenIG (in this example, version 4.0): it does not preserve the query string.

      A simple test case illustrates this issue.

      Set up a vanilla OpenIG (WAR file in Apache Tomcat A) on port 8080 -> reverse proxy -> Apache Tomcat B on port 18080

      Place this snoop.jsp in Apache Tomcat B on port 18080

      snoop.jsp
      <%
          // Echo the raw query string exactly as the servlet container received it
          if (request.getQueryString() != null) {
              out.write("QueryString is : " + request.getQueryString());
          }
      %>

      Run the following curl commands against each port, where the query string is A=%2F&B=%3A

      curl -X GET  "http://puffer.example.com:8080/snoop.jsp?A=%2F&B=%3A"
      QueryString is : A=/&B=:
      
      curl -X GET  "http://puffer.example.com:18080/snoop.jsp?A=%2F&B=%3A"
      QueryString is : A=%2F&B=%3A
      

      Notice that OpenIG actually decodes the query string before passing it to Apache Tomcat B on port 18080.

      MON APR 04 13:37:49 SGT 2016 (INFO) @Capture[{Router}/handler]
      
      
      --- (request) id:c36057f7-3241-47c5-999f-a04a0637597c-61 --->
      
      GET http://puffer.example.com:8080/snoop1.jsp?A=/&B=:
      HTTP/1.1
      accept: */*
      host: puffer.example.com:8080
      user-agent: curl/7.29.0
      
      ------------------------------
      MON APR 04 13:37:49 SGT 2016 (INFO) @Capture[{Router}/handler]
      
      
      <--- (response) id:c36057f7-3241-47c5-999f-a04a0637597c-61 ---
      
      HTTP/1.1 200 OK
      Content-Length: 28
      Content-Type: text/html; charset=ISO-8859-1
      Date: Mon, 04 Apr 2016 05:37:49 GMT
      Server: Apache-Coyote/1.1
      Set-Cookie: JSESSIONID=4D1FDFDC8A07E61CBF2EC2C2C20DBA3C; Path=/; HttpOnly
      
      QueryString is :: A=/&B=:
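      The capture above shows the same behaviour that breaks the SAML flow: OpenIG forwards "A=%2F&B=%3A" as "A=/&B=:". In the SAML HTTP-Redirect binding the SP signs the percent-encoded bytes of SAMLRequest, RelayState and SigAlg exactly as they appear in the query string, and the IdP recomputes the signature over the raw query string it receives, so any proxy that decodes (or re-encodes) those bytes makes the signature check fail. The script below is an added illustration, not OpenIG or OpenAM code. It uses HMAC-SHA256 as a stand-in for the RSA signature named by SigAlg so it runs with the Python standard library only; the key, request ID and URLs are constructed, and `decoding_proxy` is a model of the observed behaviour, not OpenIG's implementation.

```python
import base64
import hashlib
import hmac
import zlib
from urllib.parse import parse_qsl, quote, unquote

# Parameters covered by the HTTP-Redirect binding signature, in the order
# the binding concatenates them before signing.
SIGNED_PARAMS = ("SAMLRequest", "RelayState", "SigAlg")

# Constructed key standing in for the IdP's verification key. Real deployments
# use an RSA/DSA signature named by SigAlg; HMAC-SHA256 is a stand-in so the
# example runs with the standard library only.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"

# Constructed AuthnRequest; the ID and URLs are placeholders.
DEMO_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_constructed-id-1" Version="2.0" IssueInstant="2016-04-04T05:37:49Z" '
    'AssertionConsumerServiceURL="https://sp.example.com/acs"/>'
)
DEMO_RELAY_STATE = "https://sp.example.com/app?x=1"


def build_redirect_query(saml_xml: str, relay_state: str) -> str:
    """Encode the request the way an SP does for the redirect binding:
    raw DEFLATE, base64, then percent-encode every reserved character."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw deflate, no zlib header
    deflated = comp.compress(saml_xml.encode("utf-8")) + comp.flush()
    encoded = base64.b64encode(deflated).decode("ascii")
    sig_alg = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
    return "&".join([
        "SAMLRequest=" + quote(encoded, safe=""),
        "RelayState=" + quote(relay_state, safe=""),
        "SigAlg=" + quote(sig_alg, safe=""),
    ])


def signed_octets(raw_query: str) -> bytes:
    """The exact bytes the signature covers: each name=value pair as it
    appears on the wire (no percent-decoding), in SIGNED_PARAMS order.
    The Signature parameter itself is never part of the signed data."""
    pairs = {}
    for pair in raw_query.split("&"):
        name = pair.split("=", 1)[0]
        if name in SIGNED_PARAMS:
            pairs[name] = pair
    return "&".join(pairs[n] for n in SIGNED_PARAMS if n in pairs).encode("ascii")


def sign(raw_query: str, key: bytes) -> str:
    """Append a Signature parameter computed over the raw signed octets."""
    mac = hmac.new(key, signed_octets(raw_query), hashlib.sha256).digest()
    return raw_query + "&Signature=" + quote(base64.b64encode(mac).decode("ascii"), safe="")


def verify(raw_query: str, key: bytes) -> bool:
    """What the IdP does: recompute over the raw octets it actually received
    and compare with the Signature parameter."""
    sig_value = None
    for pair in raw_query.split("&"):
        name, _, value = pair.partition("=")
        if name == "Signature":
            sig_value = value
    if sig_value is None:
        return False
    try:
        received = base64.b64decode(unquote(sig_value), validate=True)
    except ValueError:
        return False
    expected = hmac.new(key, signed_octets(raw_query), hashlib.sha256).digest()
    return hmac.compare_digest(expected, received)


def decoding_proxy(raw_query: str) -> str:
    """Model of the behaviour reported here: the proxy percent-decodes the
    query string (A=%2F becomes A=/) before forwarding it."""
    return "&".join(f"{k}={v}" for k, v in parse_qsl(raw_query, keep_blank_values=True))


def passthrough_proxy(raw_query: str) -> str:
    """Forward the query string byte-for-byte, the only behaviour the IdP's
    signature check tolerates."""
    return raw_query


def demo() -> dict:
    signed = sign(build_redirect_query(DEMO_AUTHN_REQUEST, DEMO_RELAY_STATE), DEMO_KEY)
    return {
        "passthrough_verifies": verify(passthrough_proxy(signed), DEMO_KEY),
        "decoding_verifies": verify(decoding_proxy(signed), DEMO_KEY),
        "ticket_sample": decoding_proxy("A=%2F&B=%3A"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

      Running it shows the signed request verifying when forwarded untouched and failing after the decoding step, and `decoding_proxy("A=%2F&B=%3A")` reproduces the "A=/&B=:" seen in the capture. The practical check for any gateway in front of an IdP is the same as the snoop.jsp test: the query string the backend sees must be byte-identical to the one the client sent, because the signed RelayState and SAMLRequest values routinely contain "/", "+", "=" and ":" that a decode-and-rebuild step cannot restore.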
      
      

      People

      • Assignee: markdr Mark de Reeper
      • Reporter: sam.phua Sam Phua
      • Votes: 0
      • Watchers: 7