ensure the session cookie value is being properly encoded
authorlajoie <lajoie@ab3bd59b-922f-494d-bb5f-6f0a3c29deca>
Tue, 28 Oct 2008 07:03:31 +0000 (07:03 +0000)
committerlajoie <lajoie@ab3bd59b-922f-494d-bb5f-6f0a3c29deca>
Tue, 28 Oct 2008 07:03:31 +0000 (07:03 +0000)
git-svn-id: https://subversion.switch.ch/svn/shibboleth/java-idp/branches/REL_2@2791 ab3bd59b-922f-494d-bb5f-6f0a3c29deca

src/main/java/edu/internet2/middleware/shibboleth/idp/authn/AuthenticationEngine.java
src/main/java/edu/internet2/middleware/shibboleth/idp/session/IdPSessionFilter.java

index 21d9b68..847d2ad 100644 (file)
@@ -45,6 +45,7 @@ import org.opensaml.common.impl.SecureRandomIdentifierGenerator;
 import org.opensaml.saml2.core.AuthnContext;
 import org.opensaml.util.storage.ExpiringObject;
 import org.opensaml.util.storage.StorageService;
+import org.opensaml.ws.transport.http.HTTPTransportUtils;
 import org.opensaml.xml.util.Base64;
 import org.opensaml.xml.util.DatatypeHelper;
 import org.slf4j.Logger;
@@ -729,9 +730,11 @@ public class AuthenticationEngine extends HttpServlet {
         }
 
         LOG.debug("Adding IdP session cookie to HTTP response");
-        Cookie sessionCookie = new Cookie(IDP_SESSION_COOKIE_NAME, Base64.encodeBytes(remoteAddress,
-                Base64.DONT_BREAK_LINES)
-                + "|" + Base64.encodeBytes(sessionId, Base64.DONT_BREAK_LINES) + "|" + signature);
+        StringBuilder cookieValue = new StringBuilder();
+        cookieValue.append(Base64.encodeBytes(remoteAddress, Base64.DONT_BREAK_LINES)).append("|");
+        cookieValue.append(Base64.encodeBytes(sessionId, Base64.DONT_BREAK_LINES)).append("|");
+        cookieValue.append(signature);
+        Cookie sessionCookie = new Cookie(IDP_SESSION_COOKIE_NAME, HTTPTransportUtils.urlEncode(cookieValue.toString()));
 
         String contextPath = httpRequest.getContextPath();
         if (DatatypeHelper.isEmpty(contextPath)) {
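Review bot: The cookie layout assembled through `cookieValue` is documented only on the parsing side in IdPSessionFilter, and nothing at this call site says that the value is URL-encoded or why. A comment above the `StringBuilder` such as `// cookie value = urlEncode(Base64(remote address) + "|" + Base64(session ID) + "|" + signature); IdPSessionFilter must urlDecode before splitting` would keep the writer and the reader in step. The encoding is presumably needed because Base64 output can contain characters such as `/` and `=` that some servlet containers treat as separators in an unquoted cookie value, and it would help to state that reason in the comment. The enclosing method starts and ends outside the hunk, so it is worth confirming there that this cookie, which carries the session identifier, is marked secure.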
index a8e9ff9..3bbb3be 100644 (file)
@@ -32,6 +32,7 @@ import javax.servlet.http.Cookie;
 import javax.servlet.http.HttpServletRequest;
 
 import org.joda.time.DateTime;
+import org.opensaml.ws.transport.http.HTTPTransportUtils;
 import org.opensaml.xml.util.Base64;
 import org.opensaml.xml.util.DatatypeHelper;
 import org.slf4j.Logger;
@@ -133,7 +134,7 @@ public class IdPSessionFilter implements Filter {
         // index 0: remote address
         // index 1: session ID
         // index 2: Base64(HMAC(index 0 + index 1))
-        String[] valueComponents = sessionCookie.getValue().split("\\|");
+        String[] valueComponents = HTTPTransportUtils.urlDecode(sessionCookie.getValue()).split("\\|");
         byte[] remoteAddressBytes = Base64.decode(valueComponents[0]);
         byte[] sessionIdBytes = Base64.decode(valueComponents[1]);
         byte[] signatureBytes = Base64.decode(valueComponents[2]);
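Review bot: The cookie value is supplied by the client, yet `valueComponents[0]` to `valueComponents[2]` are read with no check that the split produced three parts. A malformed cookie would therefore raise ArrayIndexOutOfBoundsException before the HMAC is ever verified, unless code outside the hunk catches it. The added `urlDecode` call brings failure paths of its own that should be confirmed against its implementation: a null return for an empty value, which would fail at `.split`, and possibly an exception on an invalid percent escape. Treating the cookie as absent when the decoded string is null or `valueComponents.length != 3` would make the filter ignore such input instead of failing the request. Cookies issued before this change are not URL-encoded, so if the decoder maps `+` to a space, existing sessions whose Base64 parts contain `+` may stop validating after the upgrade. The enclosing method starts and ends outside the hunk.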