AxelNennker / openinfocard

Automatically exported from code.google.com/p/openinfocard
0 stars 0 forks source link

STS and Mex content-length off by one #8

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
There is a bug in the content-length set by the servlets.

    response.setContentLength(stsResponse.length());
    ...
    PrintWriter out = response.getWriter();
    out.println(stsResponse);

The problem is that the content length is set, then a 'println' is used to
write the response.  The 'println' adds a newline character to the end of
whatever it's writing.  Tomcat didn't seem to care, but it caused a warning
with Jetty.  The major problem is that this leads CardSpace to drop entire
connections.  The result is that authentication to the STS can occasionally
fail.  In looking into it, MS can consider content-length violations to be
a security violation, and I saw errors in the Event Viewer to that regard.

This affects STSServlet and MexServlet.

Original issue reported on code.google.com by enriqu...@gmail.com on 16 Jan 2007 at 5:09