From cfea4d4228d0ffa84a50185c952bf761518c46fb Mon Sep 17 00:00:00 2001 From: d036670 Date: Thu, 11 Apr 2024 20:57:26 +0200 Subject: [PATCH] Remove direct usage of commons-httpclient 3.1 opensaml and spring-security-saml2 still use it --- dependencies.gradle | 1 - server/build.gradle | 1 - .../oauth/ExternalOAuthAuthenticationFilter.java | 4 ++-- uaa/build.gradle | 5 +++-- .../identity/uaa/mock/token/TokenMvcMockTests.java | 9 ++++----- 5 files changed, 9 insertions(+), 11 deletions(-) diff --git a/dependencies.gradle b/dependencies.gradle index 260a84c7e51..4fe529c3e8e 100644 --- a/dependencies.gradle +++ b/dependencies.gradle @@ -131,7 +131,6 @@ libraries.xmlSecurity = "org.apache.santuario:xmlsec:4.0.2" libraries.orgJson = "org.json:json:20240303" libraries.owaspEsapi = "org.owasp.esapi:esapi:2.5.3.1" libraries.jodaTime = "joda-time:joda-time:2.12.7" -libraries.commonsHttpClient = "commons-httpclient:commons-httpclient:3.1" libraries.apacheHttpClient = "org.apache.httpcomponents:httpclient:4.5.14" // gradle plugins diff --git a/server/build.gradle b/server/build.gradle index 0b9629f083a..e41c19bd503 100644 --- a/server/build.gradle +++ b/server/build.gradle @@ -30,7 +30,6 @@ dependencies { exclude(module: "xalan") } implementation(libraries.jodaTime) - implementation(libraries.commonsHttpClient) implementation(libraries.xmlSecurity) implementation(libraries.springSessionJdbc) diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/provider/oauth/ExternalOAuthAuthenticationFilter.java b/server/src/main/java/org/cloudfoundry/identity/uaa/provider/oauth/ExternalOAuthAuthenticationFilter.java index 7f53f46c7a6..80af3dca9a9 100644 --- a/server/src/main/java/org/cloudfoundry/identity/uaa/provider/oauth/ExternalOAuthAuthenticationFilter.java +++ b/server/src/main/java/org/cloudfoundry/identity/uaa/provider/oauth/ExternalOAuthAuthenticationFilter.java 
@@ -1,6 +1,6 @@ package org.cloudfoundry.identity.uaa.provider.oauth; -import org.apache.commons.httpclient.util.URIUtil; +import org.apache.commons.io.FilenameUtils; import org.apache.commons.lang3.StringUtils; import org.cloudfoundry.identity.uaa.authentication.UaaAuthenticationDetails; import org.cloudfoundry.identity.uaa.login.AccountSavingAuthenticationSuccessHandler; @@ -92,7 +92,7 @@ private boolean containsCredentials(final HttpServletRequest request) { private boolean authenticationWasSuccessful( final HttpServletRequest request, final HttpServletResponse response) throws IOException { - final String origin = URIUtil.getName(String.valueOf(request.getRequestURL())); + final String origin = FilenameUtils.getName(request.getRequestURI()); final String code = request.getParameter("code"); final String idToken = request.getParameter("id_token"); final String accessToken = request.getParameter("access_token"); diff --git a/uaa/build.gradle b/uaa/build.gradle index 7c6616f4e32..84c4f17dd8e 100644 --- a/uaa/build.gradle +++ b/uaa/build.gradle @@ -86,7 +86,9 @@ dependencies { testImplementation(libraries.springSessionJdbc) testImplementation(libraries.springTest) testImplementation(libraries.springSecurityLdap) - testImplementation(libraries.springSecuritySaml) + testImplementation(libraries.springSecuritySaml) { + exclude(module: "commons-httpclient") + } testImplementation(libraries.springSecurityTest) testImplementation(libraries.springBootStarterMail) testImplementation(libraries.mockito) @@ -95,7 +97,6 @@ dependencies { testImplementation(libraries.greenmail) testImplementation(libraries.jodaTime) testImplementation(libraries.commonsIo) - testImplementation(libraries.commonsHttpClient) testImplementation(libraries.owaspEsapi) testImplementation(libraries.apacheHttpClient) } 
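Review bot: In the `@@ -92,7 +92,7 @@` hunk, `FilenameUtils.getName` is a filesystem-path helper, so unlike the `URIUtil.getName` call it replaces, it also treats a backslash as a separator when taking the last segment of `request.getRequestURI()`. The `origin` value comes from the raw request path and, judging by its name, identifies the external provider the callback belongs to, so its parsing should follow URL rules only. `StringUtils` from commons-lang3 is already imported in this file, so the line could be `final String origin = StringUtils.substringAfterLast(request.getRequestURI(), "/");`. A unit test pinning the origin for a callback path would make the intended behaviour explicit. The body of `authenticationWasSuccessful` continues outside the hunk, so how `origin` is validated afterwards is not visible here.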
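Review bot: The `exclude(module: "commons-httpclient")` added in the `@@ -86,7 +86,9 @@` hunk of uaa/build.gradle applies only to the `testImplementation` copy of `libraries.springSecuritySaml`, while the commit message says opensaml and spring-security-saml2 still use the library. If so, the tests now run on a classpath that differs from the deployed one, and the end-of-life 3.1 jar is presumably still shipped transitively. A comment on the block would record the intent, for example `// keep tests off commons-httpclient 3.1; still a transitive runtime dependency of opensaml/spring-security-saml2 until those are replaced`. A dependency report for the runtime configuration would confirm what actually remains.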
diff --git a/uaa/src/test/java/org/cloudfoundry/identity/uaa/mock/token/TokenMvcMockTests.java b/uaa/src/test/java/org/cloudfoundry/identity/uaa/mock/token/TokenMvcMockTests.java index 1bf76359cc7..07d666e559a 100644 --- a/uaa/src/test/java/org/cloudfoundry/identity/uaa/mock/token/TokenMvcMockTests.java +++ b/uaa/src/test/java/org/cloudfoundry/identity/uaa/mock/token/TokenMvcMockTests.java @@ -3,6 +3,7 @@ import java.net.URI; import java.net.URL; import java.net.URLDecoder; +import java.nio.charset.Charset; import java.nio.charset.StandardCharsets; import java.sql.Timestamp; import java.util.ArrayList; @@ -22,7 +23,6 @@ import java.util.TreeSet; import javax.servlet.http.HttpSession; -import org.cloudfoundry.identity.uaa.client.UaaClientDetails; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.http.MediaType; import org.springframework.jdbc.core.JdbcTemplate; @@ -38,7 +38,6 @@ import org.springframework.security.oauth2.common.util.OAuth2Utils; import org.springframework.security.oauth2.provider.AuthorizationRequest; import org.springframework.security.oauth2.provider.OAuth2Authentication; -import org.cloudfoundry.identity.uaa.client.UaaClientDetails; import org.springframework.security.web.context.HttpSessionSecurityContextRepository; import org.springframework.security.web.savedrequest.SavedRequest; import org.springframework.test.context.TestPropertySource; 
@@ -55,12 +54,12 @@ import com.fasterxml.jackson.core.type.TypeReference; import org.apache.commons.collections4.map.HashedMap; -import org.apache.commons.httpclient.util.URIUtil; import org.cloudfoundry.identity.uaa.DefaultTestContext; import org.cloudfoundry.identity.uaa.account.UserInfoResponse; import org.cloudfoundry.identity.uaa.authentication.UaaAuthentication; import org.cloudfoundry.identity.uaa.authentication.UaaAuthenticationDetails; import org.cloudfoundry.identity.uaa.authentication.UaaPrincipal; +import org.cloudfoundry.identity.uaa.client.UaaClientDetails; import org.cloudfoundry.identity.uaa.constants.OriginKeys; import org.cloudfoundry.identity.uaa.login.util.RandomValueStringGenerator; import org.cloudfoundry.identity.uaa.mock.util.OAuthToken; @@ -1542,7 +1541,7 @@ void invalidScopeErrorMessageIsNotShowingAllClientScopes() throws Exception { UriComponents locationComponents = UriComponentsBuilder.fromUri(URI.create(mvcResult.getResponse().getHeader("Location"))).build(); MultiValueMap queryParams = locationComponents.getQueryParams(); - String errorMessage = URIUtil.encodeQuery("scim.write is invalid. Please use a valid scope name in the request"); + String errorMessage = UriUtils.encodeQuery("scim.write is invalid. Please use a valid scope name in the request", Charset.defaultCharset()); assertFalse(queryParams.containsKey("scope")); assertEquals(errorMessage, queryParams.getFirst("error_description")); } 
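Review bot: `Charset.defaultCharset()` in the new `UriUtils.encodeQuery(...)` call of `invalidScopeErrorMessageIsNotShowingAllClientScopes` makes the expected value depend on the JVM's platform encoding; the same call is added in `invalidScopeErrorMessageIsNotShowingAllUserScopes` in the `@@ -1571,7 +1570,7 @@` hunk. `StandardCharsets` is already imported in this file, so both calls can pass it instead, e.g. `UriUtils.encodeQuery("scim.write is invalid. Please use a valid scope name in the request", StandardCharsets.UTF_8)`. The `java.nio.charset.Charset` import added by this commit can then be dropped. Both test methods start outside their hunks.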
@@ -1571,7 +1570,7 @@ void invalidScopeErrorMessageIsNotShowingAllUserScopes() throws Exception { UriComponents locationComponents = UriComponentsBuilder.fromUri(URI.create(mvcResult.getResponse().getHeader("Location"))).build(); MultiValueMap queryParams = locationComponents.getQueryParams(); - String errorMessage = URIUtil.encodeQuery("[something.else] is invalid. This user is not allowed any of the requested scopes"); + String errorMessage = UriUtils.encodeQuery("[something.else] is invalid. This user is not allowed any of the requested scopes", Charset.defaultCharset()); assertFalse(queryParams.containsKey("scope")); assertEquals(errorMessage, queryParams.getFirst("error_description")); }