Description
Currently some tests and one production class make use of commons-codec. The extra external dependency could be removed with the move to a Java 17 baseline.
Updating the tests is straightforward.
The usage in Saml2AuthenticationTokenConverter needs some extra attention.
Currently the token converter uses the STRICT policy on the Base64 decoder. This disallows decoding of some "non-canonical" inputs that could not have been generated by a compliant encoder.
Unfortunately java.util.Base64 does not support the equivalent behaviour.
There is a test for the token converter that fails without this strictness, so extra checking would be needed.
I have written code to do this additional checking.
Independently, it would be interesting to confirm whether SAML requires rejection of non-canonical Base64, and if so, how strict a definition of canonical is appropriate to enforce.
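One way to restore the strictness on top of java.util.Base64, shown here as an added example rather than the issue author's code or anything from Spring Security: decode with the JDK decoder, re-encode, and require the round trip to reproduce the input exactly. The class and method names are my own.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

// Added example, not Spring Security code: emulate a strict (canonical-only)
// decode on top of java.util.Base64, which by itself ignores non-zero
// trailing pad bits (RFC 4648 section 3.5).
public final class CanonicalBase64 {

    private CanonicalBase64() {
    }

    // Returns the decoded bytes only if 'input' is exactly what a compliant
    // encoder would have produced for them. The JDK decoder already rejects
    // characters outside the alphabet and impossible lengths; the round-trip
    // comparison additionally rejects non-zero pad bits, missing '=' padding
    // and embedded whitespace.
    static byte[] decodeCanonical(String input) {
        byte[] decoded = Base64.getDecoder().decode(input);
        String reencoded = Base64.getEncoder().encodeToString(decoded);
        if (!reencoded.equals(input)) {
            throw new IllegalArgumentException("non-canonical Base64 input");
        }
        return decoded;
    }

    public static void main(String[] args) {
        // "QUI=" is the canonical encoding of "AB" (0x41 0x42):
        // 010000 010100 0010 00 -> Q U I =, the two unused bits are zero.
        byte[] ok = decodeCanonical("QUI=");
        System.out.println(new String(ok, StandardCharsets.US_ASCII));

        // "QUJ=" sets those unused bits to 01 ('J' = 001001). The JDK decoder
        // accepts it as described in the referenced mail thread; the
        // canonical check rejects it.
        try {
            decodeCanonical("QUJ=");
            System.out.println("unexpectedly accepted");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The round trip also rejects line breaks or other whitespace inside the input, which is stricter than the pad-bit rule of RFC 4648 section 3.5 alone; whether the converter should tolerate those is a separate decision.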
PR to follow.
Refs:
java.util.Base64 accepts non-canonical encodings: https://www.mail-archive.com/[email protected]/msg66424.html
Definition of "canonical Base64": https://datatracker.ietf.org/doc/html/rfc4648#section-3.5