Re: [saml-dev] Question about the base64 encoding in Browser/POST profile

["Abe Kang" <abrahamkang@earthlink.net>]

Hi Scott,

The encoding of HTML pages between two parties needs to be specified before
any data is transfered betwen them.  The encoding of HTML pages is
determined at the server.

The encoding of HTML pages tells the browser which encoding to use
automatically, it also determines the ecoding that is sent to a server from
the initially returned form.  In other words, if the encoding of a form is
in UTF-8, input text returned from a browser is encoded in UTF-8 as well.

There are basically two ways to specify the encoding of an HTML page :

1. Specify the encoding in the HTTP header(Examples in Java/JSP)

<%@ page contentType="text/html; charset=utf-8" %>

or

res.setContentType("text/html; charset=utf-8");


2. Specify the encoding in the HTML page header

<HTML><HEAD><TITLE>Html Ecoding Example</TITLE>
<meta http-equiv="Content-Type" content="text/html;charset=utf-8">
</HEAD>
...
</HTML>


Input passed from a browser in a POST request is different from that in a
GET request:

· For POST requests, input is passed as part of the request body, and 8-bit
data is allowed.

· For GET requests, input is passed as part of a URL as an embedded query
string where every non-ASCII byte is encoded as %XX where XX is the
hexadecimal representation for the binary value of the byte.

The reason why a Relying Party and Asserting Parting need to agree on the
encoding prior to their interaction is because most JSP and Servlet
containers assume incoming form input is in the ISO-8859-1 encoding. As a
result, when the HttpServletRequest.getParameter() API is called, all
embedded %XX data of the input text is decoded, and the decoded input is
converted from ISO-8859-1 to Unicode and returned as a Java string.  This
results in corrupt data.

In order to properly convert the data from UTF-8 to Java's encoding
correctly you will need to do the following in your server code at the
receiving party:

String original = request.getParameter("assertion");
try
{
String real = new String(original.getBytes("8859_1"),"UTF8");
}
catch (UnsupportedEncodingException e)
{
String real = original;
}

or if you have a servlet 2.3 web container you could:

request.setCharacterEncoding("UTF8");
String real = request.getParameter("assertion");


I am interested in helping with the SAML 1.1 spec in any way possible.

I have already written a SAML chapter for OWASP's Web Application Security
Guidebook and have extensive experience with Internationalization (which use
different encodings).

Regards,
Abraham Kang
Security System Architect
Apexon


----- Original Message ----- 
From: "Scott Cantor" <cantor.2@osu.edu>
To: "'Westbrock, Jon [FRCO/RTC]'" <Jon.Westbrock@EmersonProcess.com>;
<saml-dev@lists.oasis-open.org>
Sent: Monday, March 17, 2003 9:28 AM
Subject: RE: [saml-dev] Question about the base64 encoding in Browser/POST
profile


> >Any insight you can provide would be appreciated.
>
> I think it would be useful for somebody with base64 and character encoding
knowledge to help address this issue in the 1.1 spec
> revision being worked on.
>
> Basically the answer to your question is that it's underspecified, and I
have no idea what the right text should be, but we need
> something better.
>
> -- Scott
>
>
> ----------------------------------------------------------------
> To subscribe or unsubscribe from this elist use the subscription
> manager: <http://lists.oasis-open.org/ob/adm.pl>