Details

    • Type: Bug
    • Status: Resolved
    • Priority: High
    • Resolution: Done
    • Affects Version/s: None
    • Fix Version/s: 8.4.0.1
    • Component/s: None
    • Labels:
      None
    • Epic Link:
    • Sprint:
      Sprint 135
    • Story Points:
      5
    • Capitalizable:
      True

      Description

      Repose currently doesn't support Form Encoded requests (Content-Type: application/x-www-form-urlencoded) which we need to support for SAML (POST Binding).

      We're supposed to be able to get the form parameters using the request.getParameter() method, but the org.eclipse.jetty.server.Request class won't extract the form parameters from the body if its getInputStream() method has been called.

      I've identified two places we'll need to look at.

      We're calling the getInputStream() on the Request object in PowerFilter:
      https://github.com/rackerlabs/repose/blob/master/repose-aggregator/core/repose-core/src/main/java/org/openrepose/powerfilter/PowerFilter.java#L360-L362

      Currently, that's what's disabling the form encoding extraction.

      After we fix that, we might also run into issues with HttpServletRequestWrapper's constructor. The one parameter constructor calls the two parameter constructor with the original request's input stream. Depending on how we fix the PowerFilter, this might call into the original request's getInputStream() method.

      We may also want to take into consideration what other filters Identity uses and make the recommendation that this filter be one of the first filters in the filter chain that would try to (effectively) read the body. This is what their filter chain looked like the last time they mentioned it (Jan 5 on Slack):

            <filter name="rackspace-auth-user" />
            <filter name="header-translation" />
            <filter name="ip-user" />
            <filter name="uri-user" />
            <filter name="slf4j-http-logging" />
            <filter name="rate-limiting" />
            <filter name="cors"/>
            <filter name="content-type-stripper" />
            <filter name="translation" />
            <filter name="herp" />
      

      Developer notes:
      To recreate the issue, you can run the SamlFlow10Test functional test and debug Repose with a breakpoint at HttpServletRequestWrapper at the getParameter() method. If you dig into the original request of each wrapper until you get to the org.eclipse.jetty.server.Request object, you can check the _inputState field to see the state of the class. If it's 1 (which means _STREAM), then getInputStream() has already been called. If it's 0 (which means __NONE), then any call to getParameterValues() should kick off the form parameter extraction.

      Acceptance Criteria:

      • We are able to call request.getParameter() to get a form encoded parameter from the request.
      • The request wrapper doesn't prevent the extraction of form encoded parameters unless the filter explicitly takes action that reads in the InputStream.
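
      The second acceptance criterion, sketched as an added example (not code from this ticket or from Repose): a wrapper whose constructor never touches the body, so the container can still extract form parameters until a filter explicitly asks for the stream. The class names, the request attribute name and the javax.servlet 3.x API level are assumptions; SAMLResponse is the form field defined by the SAML POST binding.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

// Hypothetical names throughout; this is not Repose's wrapper or filter.
public class FormSafeFilter implements Filter {

    /** Wrapper that defers touching the body until a filter asks for it. */
    static class LazyBodyRequest extends HttpServletRequestWrapper {
        private ServletInputStream stream; // null until explicitly requested

        LazyBodyRequest(HttpServletRequest request) {
            super(request); // deliberately no getInputStream() call here
        }

        @Override
        public ServletInputStream getInputStream() throws IOException {
            // First explicit read: from here on the container will no
            // longer extract form parameters from the body.
            if (stream == null) {
                stream = super.getInputStream();
            }
            return stream;
        }

        /** True once some filter has explicitly asked for the raw body. */
        boolean bodyStreamRequested() {
            return stream != null;
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        LazyBodyRequest wrapped = new LazyBodyRequest((HttpServletRequest) req);
        // Parameter lookup goes to the container, which parses the
        // form-encoded body because no stream has been handed out yet.
        String saml = wrapped.getParameter("SAMLResponse");
        // Constructed attribute name, used only to pass the result downstream.
        wrapped.setAttribute("example.samlResponsePresent", saml != null);
        chain.doFilter(wrapped, res);
    }

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }
}
```

      Any filter placed earlier in the chain that calls getInputStream() or getReader() on the original request still disables parameter extraction for everything after it, which is why filter ordering matters here.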

              People

              • Assignee:
                wdschei Bill Scheidegger
                Reporter:
                mario.lopez Mario Lopez