SAML: replace first number with random alphabet if request ID starts with a number (#6165)

plugins/user-authenticators/saml2/src/main/java/org/apache/cloudstack/saml/SAMLUtils.java

@@ -100,8 +100,11 @@ import com.cloud.utils.HttpUtils;
 public class SAMLUtils {
     public static final Logger s_logger = Logger.getLogger(SAMLUtils.class);
 
+    static final String charset = "abcdefghijklmnopqrstuvwxyz";
+
     public static String generateSecureRandomId() {
-        return new BigInteger(160, new SecureRandom()).toString(32);
+        return new BigInteger(160, new SecureRandom()).toString(32).replaceFirst("^[0-9]",
+                String.valueOf(charset.charAt(new SecureRandom().nextInt(charset.length()))));
     }
 
     public static String getValueFromAttributeStatements(final List<AttributeStatement> attributeStatements, final String attributeKey) {

plugins/user-authenticators/saml2/src/test/java/org/apache/cloudstack/SAMLUtilsTest.java

@@ -22,6 +22,7 @@ package org.apache.cloudstack;
 import java.security.KeyPair;
 import java.security.PrivateKey;
 import java.security.PublicKey;
+import java.util.regex.Pattern;
 
 import org.apache.cloudstack.saml.SAMLUtils;
 import org.apache.cloudstack.utils.security.CertUtils;
@@ -38,6 +39,15 @@ public class SAMLUtilsTest extends TestCase {
         assertTrue(SAMLUtils.generateSecureRandomId().length() > 0);
     }
 
+    @Test
+    public void testGenerateSecureRandomId2() throws Exception {
+        for (int i = 0; i < 20; i++) {
+            String randomId = SAMLUtils.generateSecureRandomId();
+            System.out.println("randomId is " + randomId);
+            assertTrue(Pattern.compile("^[a-z]").matcher(randomId).find());
+        }
+    }
+
     @Test
     public void testBuildAuthnRequestObject() throws Exception {
         String consumerUrl = "http://someurl.com";