pac4j / undertow-pac4j Goto Github PK

In the UndertowProfileManager.

As of version 4.0.0 UndertowWebContext uses Undertow's HttpServerExchange.addPathParam(...) to store request attributes. Since path parameters are strings, undertow-pac4j uses Java serialization and base64 encoding to convert any object to a string. This is problematic for us, because we use non-serializable objects in our UserProfile object.

Is there a particular reason why string path parameters have to be used? Instead, HttpServerExchange has support for attachments, which could contain any objects, not just strings. This would also remove the overhead of serialization.

We have been able to work around it by extending UndertowWebContext and overriding the methods responsible for request parameters to use attachments instead, and it works for us. Happy to contribute via a pull request if this is of use.

Pac4j-core < 5.2.0 seems to be affected by CVE-2021-44878. This causes automated dependency scanners to raise an alarm if the most recent version of undertow-pac4j is defined as a dependency.

I kindly ask you to update the reference in the pom.xml accordingly and release a new version to the maven repos.

Thanks!

Is there anything hindering this project from beeing released on maven central? I'd love to be able to just install it via maven.

Also, I was unable to find it on Sonatype, any hints?

In Undertow, cookie max age is an Integer and in Pac4J, it is an int where null is represented as -1. This difference is not well handled in UndertowWebContext, e.g. a NullPointerException is thrown when cookie max age is null in Undertow.

I will submit a pull request asap.

as much as possible when storing / retrieving "request attributes".

Make the JAVA_SERIALIZATION_HELPER public.

This line throws an exception for me:

java.lang.ArrayStoreException: arraycopy: element type mismatch: can not cast one of the elements of java.lang.Object[] to the type of the destination array, java.lang.String

This happens when trying to get the request parameters from the callback post in the open id connect code flow. It's trying to get the "code" parameter.

So trying to cast a FormValueImpl to a String doesn't work?

Running the latest release versions and tried with both java 11 and java 17 both with the same error.

I'm using undertow-pac4j v1.2.3 with pac4j-oidc v2.2.1, like this:

<dependency>
    <groupId>org.pac4j</groupId>
    <artifactId>undertow-pac4j</artifactId>
    <version>1.2.3</version>
    <exclusions>
        <!-- Rely on transitive dependency of pac4j-oidc (undertow-pac4j is a bit behind) -->
        <exclusion>
            <groupId>org.pac4j</groupId>
            <artifactId>pac4j-core</artifactId>
        </exclusion>
    </exclusions>
</dependency>
            
<dependency>
    <groupId>org.pac4j</groupId>
    <artifactId>pac4j-oidc</artifactId>
    <version>2.2.1</version>
</dependency>

Right now this gets me:

java.lang.NoClassDefFoundError: org/pac4j/core/engine/ApplicationLogoutLogic
	at com.mycompany.webapi.TraceDisabledTest.setup(TraceDisabledTest.java:24)
Caused by: java.lang.ClassNotFoundException: org.pac4j.core.engine.ApplicationLogoutLogic
	at com.mycompany.webapi.TraceDisabledTest.setup(TraceDisabledTest.java:24)

I'll try with pac4j v1.9.9, but it would still be nice to be on a somewhat recent version.
Anyway, thanks a ton for pac4j, after reading the docs and demo app it's pretty straightforward to integrate!

Edit: This seems to be the same problem as reported on the mailing list.

• Javadoc
• make the build work with Java 8

There is an error with this repository's Renovate configuration that needs to be fixed. As a precaution, Renovate will stop PRs until it is resolved.

Error type: undefined. Note: this is a nested preset so please contact the preset author if you are unable to fix it yourself.

Hi, using pac4j 3.8.3, undertow-pac4j 3.0.0, and undertow-servlet 2.1.0.Final.

Here's my flow leading to the unexpected:

1. So i login using a user with roles of 'admin,developer', and the menu available for developer is visible in my rendered html.
2. Then i remove the developer role using update t_user set roles = 'admin' where id = 'anana';
3. And i tried browser refresh, and the menu for developer is still visible.
4. I tried relogin, hoping to clear the caching somewhere, but the menu is still there.
5. I had to restart undertow and login with that user, and finally the menu for developer is now not rendered.

In my case, i always get the User instance using getActor(HttpServerExchange exchange), there are no caching from my application code:

public User getActor(HttpServerExchange exchange) {
	SecurityContext securityContext = exchange.getSecurityContext();
	if (securityContext != null) {
		Account account = securityContext.getAuthenticatedAccount();
		if (account instanceof Pac4jAccount) {
			List<CommonProfile> profiles= ((Pac4jAccount) account).getProfiles();
			CommonProfile profile = profiles.get(0);
			Map<String, Object> attributes = profile.getAttributes();
			return User.builder()
				.withId(profile.getId())
				.withEmail((String) attributes.get("email"))
				.withRoles((String) attributes.get("roles"))
				.withName(profile.getDisplayName())
				.build();
		}
	} else {
		System.out.println("null security context !");
	}
	return null;
}

Any pointers to have the User instance to reflect the live database without having to restarting the server ?
Thank you ..

Hi pac4j team,

It seems that undertow-pac4j hasnt been updated to reflect the latest pac4j v4.x.x version.

I tried using the v4 of pac4j-core, with the pac4j-undertow v3.0.0 and this occurs:

java.lang.NoSuchMethodError: 'void org.pac4j.core.engine.DefaultSecurityLogic.setProfileManagerFactory(java.util.function.Function)'
	at org.pac4j.undertow.handler.SecurityHandler.<init>(SecurityHandler.java:48)
	at org.pac4j.undertow.handler.SecurityHandler.build(SecurityHandler.java:78)
	at org.pac4j.undertow.handler.SecurityHandler.build(SecurityHandler.java:74)
	at org.pac4j.undertow.handler.SecurityHandler.build(SecurityHandler.java:70)
	at org.pac4j.undertow.handler.SecurityHandler.build(SecurityHandler.java:66)
	at org.pac4j.undertow.handler.SecurityHandler.build(SecurityHandler.java:62)

Any plans to 'upgrade' this ?

Thank you !

and all dependencies, Java 8...

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Open

These updates have all been created already. Click a checkbox below to force a retry/rebase of any.

• Update dependency org.apache.maven.plugins:maven-javadoc-plugin to v3.7.0

Ignored or Blocked

These are blocked by an existing closed PR and will not be recreated unless you click a checkbox below.

• Update dependency com.github.spotbugs:spotbugs-maven-plugin to v4.8.5.0
• Update dependency org.pac4j:pac4j-core to v6

Detected dependencies

• Check this box to trigger a request for Renovate to run again on this repository