• Type: Bug
    • Status: Resolved
    • Priority: High
    • Resolution: Done
    • Affects versions: None
    • Components: None
    • Sprint:
      Sprint 135


      Repose currently doesn't support Form Encoded requests (Content-Type: application/x-www-form-urlencoded) which we need to support for SAML (POST Binding).

      We're supposed to be able to get the form parameters using the request.getParameter() method, but the org.eclipse.jetty.server.Request class won't extract the form parameters from the body if its getInputStream() method has been called.

      I've identified two places we'll need to look at.

      We're calling the getInputStream() on the Request object in PowerFilter:

      Currently, that's what's disabling the form encoding extraction.

      After we fix that, we might also run into issues with HttpServletRequestWrapper's constructor. The one-parameter constructor calls the two-parameter constructor with the original request's input stream. Depending on how we fix the PowerFilter, this might call into the original request's getInputStream() method.

      We may also want to take into consideration what other filters Identity uses and make the recommendation that this filter be one of the first filters in the filter chain that would try to (effectively) read the body. This is what their filter chain looked like the last time they mentioned it (Jan 5 on Slack):

            <filter name="rackspace-auth-user" />
            <filter name="header-translation" />
            <filter name="ip-user" />
            <filter name="uri-user" />
            <filter name="slf4j-http-logging" />
            <filter name="rate-limiting" />
            <filter name="cors"/>
            <filter name="content-type-stripper" />
            <filter name="translation" />
            <filter name="herp" />

      Developer notes:
      To recreate the issue, you can run the SamlFlow10Test functional test and debug Repose with a breakpoint at HttpServletRequestWrapper at the getParameter() method. If you dig into the original request of each wrapper until you get to the org.eclipse.jetty.server.Request object, you can check the _inputState field to see the state of the class. If it's 1 (which means _STREAM), then getInputStream() has already been called. If it's 0 (which means __NONE), then any call to getParameterValues() should kick off the form parameter extraction.

      Acceptance Criteria:

      • We are able to call request.getParameter() to get a form encoded parameter from the request.
      • The request wrapper doesn't prevent the extraction of form encoded parameters unless the filter explicitly takes action that reads in the InputStream.
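The difference between a wrapper that obtains the input stream in its constructor and one that defers it until a filter reads the body, as an added example that is not Repose or Jetty code. `ModelRequest`, `EagerWrapper` and `LazyWrapper` are hypothetical names, `ModelRequest` is a simplified stand-in for the container behaviour described above, the request body is a constructed sample, and the code needs Java 10 or later.

```java
import java.io.*;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.*;
public class LazyBodyDemo {
    static String dec(String s) { return URLDecoder.decode(s, StandardCharsets.UTF_8); }
    // Simplified stand-in for the container request (an assumption, not Jetty code):
    // form parameters are parsed from the body only if the stream was never handed out.
    static class ModelRequest {
        private final String body;
        private boolean streamTaken; // models _inputState leaving __NONE
        private Map<String, String> params;
        ModelRequest(String body) { this.body = body; }
        InputStream getInputStream() {
            streamTaken = true;
            return new ByteArrayInputStream(body.getBytes(StandardCharsets.UTF_8));
        }
        String getParameter(String name) {
            if (params == null) {
                params = new HashMap<>();
                if (!streamTaken) {
                    for (String pair : body.split("&")) {
                        String[] kv = pair.split("=", 2);
                        if (kv.length == 2) params.put(dec(kv[0]), dec(kv[1]));
                    }
                }
            }
            return params.get(name);
        }
    }
    // Eager wrapper: obtains the stream in its constructor, before any filter asks for it.
    static class EagerWrapper {
        final ModelRequest req; final InputStream in;
        EagerWrapper(ModelRequest r) { req = r; in = r.getInputStream(); }
        String getParameter(String n) { return req.getParameter(n); }
    }
    // Lazy wrapper: obtains the stream only when a filter actually reads the body.
    static class LazyWrapper {
        final ModelRequest req; private InputStream in;
        LazyWrapper(ModelRequest r) { req = r; }
        InputStream getInputStream() { if (in == null) in = req.getInputStream(); return in; }
        String getParameter(String n) { return req.getParameter(n); }
    }
    public static void main(String[] args) {
        String body = "SAMLResponse=c2FtcGxl&RelayState=abc"; // constructed sample body
        System.out.println("eager: " + new EagerWrapper(new ModelRequest(body)).getParameter("RelayState"));
        System.out.println("lazy:  " + new LazyWrapper(new ModelRequest(body)).getParameter("RelayState"));
    }
}
```

With the eager wrapper the parameter lookup finds nothing because the stream was already taken; with the lazy wrapper it is parsed from the body, and stops being available only once a filter calls `getInputStream()`.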


              • Assignee:
                wdschei Bill Scheidegger
                mario.lopez Mario Lopez