Remove dependency on commons-codec by using java.util.Base64 #11318

Closed
j3graham opened this issue Jun 1, 2022 · 1 comment
Labels
status: duplicate A duplicate of another issue type: enhancement A general enhancement

Comments

@j3graham
Contributor

j3graham commented Jun 1, 2022

Currently some tests and one production class make use of commons-codec. The extra external dependency could be removed with the move to a Java 17 baseline.

Updating the tests is straightforward.

The usage in Saml2AuthenticationTokenConverter needs some extra attention.

Currently the token converter uses the STRICT policy on the Base64 decoder. This disallows decoding of some "non-canonical" inputs that could not have been generated by a compliant encoder.

Unfortunately java.util.Base64 does not support the equivalent behaviour.

There is a test for the token converter that fails without this strictness, so extra checking would be needed.

I have written code to do this additional checking.

Independently, it would be interesting to confirm whether SAML requires rejection of non-canonical Base64, and if so, how strict a definition of canonical is appropriate to enforce.

PR to follow.

Refs:
java.util.Base64 accepts non-canonical encodings: https://www.mail-archive.com/[email protected]/msg66424.html
Definition of "canonical Base64": https://datatracker.ietf.org/doc/html/rfc4648#section-3.5
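
The gap described in the comment above, as an added example that is not part of the original issue or the project's code: `java.util.Base64` ignores non-zero pad bits, so one way to enforce the RFC 4648 section 3.5 notion of canonical input is to re-encode the decoded bytes and require an exact match. The class and method names (`CanonicalBase64`, `decodeStrict`, `lenientAccepts`, `strictAccepts`) are hypothetical, the sample strings are constructed, and treating missing padding as non-canonical is an assumption of this sketch.

```java
import java.util.Base64;

public class CanonicalBase64 {

    // Decodes standard-alphabet Base64 and rejects input that a compliant
    // encoder could not have produced (RFC 4648 section 3.5).
    static byte[] decodeStrict(String encoded) {
        // The JDK decoder rejects illegal characters but not non-zero pad bits.
        byte[] decoded = Base64.getDecoder().decode(encoded);
        // A canonical input round-trips exactly; anything else had stray pad
        // bits or (assumption of this sketch) omitted its '=' padding.
        String canonical = Base64.getEncoder().encodeToString(decoded);
        if (!canonical.equals(encoded)) {
            throw new IllegalArgumentException("Non-canonical Base64 input");
        }
        return decoded;
    }

    static boolean lenientAccepts(String encoded) {
        try {
            Base64.getDecoder().decode(encoded);
            return true;
        } catch (IllegalArgumentException ex) {
            return false;
        }
    }

    static boolean strictAccepts(String encoded) {
        try {
            decodeStrict(encoded);
            return true;
        } catch (IllegalArgumentException ex) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed samples: "QQ==" and "QUI=" are canonical; "QR==" and
        // "QUJ=" carry non-zero pad bits; "QQ" omits padding; "Q!==" is invalid.
        String[] samples = {"QQ==", "QR==", "QUI=", "QUJ=", "QQ", "Q!=="};
        for (String s : samples) {
            System.out.printf("%-5s lenient=%-5b strict=%b%n",
                    s, lenientAccepts(s), strictAccepts(s));
        }
    }
}
```

Because several distinct strings can decode to the same bytes under the lenient decoder, any check that compares or caches the encoded form of a message should run on input that has passed a canonical check like this one.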

@rwinch
Member

rwinch commented Jun 2, 2022

Closing in favor of gh-11319 gh-1322

@rwinch rwinch closed this as completed Jun 2, 2022
@rwinch rwinch added status: duplicate A duplicate of another issue and removed status: waiting-for-triage An issue we've not yet triaged labels Jun 2, 2022
@rwinch rwinch self-assigned this Jun 2, 2022