From 198d5d048276979845523bdbe562e695d217a74f Mon Sep 17 00:00:00 2001
From: Luke Taylor
Date: Fri, 25 Mar 2011 19:09:32 +0000
Subject: [PATCH] SEC-1701: Trim claimed identity parameter value before submitting to OpenID4Java.

---
 .../openid/OpenIDAuthenticationFilter.java | 30 ++++++++++---------
 .../OpenIDAuthenticationFilterTests.java | 2 +-
 2 files changed, 17 insertions(+), 15 deletions(-)

diff --git a/openid/src/main/java/org/springframework/security/openid/OpenIDAuthenticationFilter.java b/openid/src/main/java/org/springframework/security/openid/OpenIDAuthenticationFilter.java
index 4522981ec7..1facf5a090 100644
--- a/openid/src/main/java/org/springframework/security/openid/OpenIDAuthenticationFilter.java
+++ b/openid/src/main/java/org/springframework/security/openid/OpenIDAuthenticationFilter.java
@@ -15,19 +15,6 @@ package org.springframework.security.openid;
-import java.io.IOException;
-import java.net.MalformedURLException;
-import java.net.URL;
-import java.util.Collections;
-import java.util.HashSet;
-import java.util.Iterator;
-import java.util.Map;
-import java.util.Set;
-
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-import javax.servlet.http.HttpSession;
-
 import org.openid4java.consumer.ConsumerException;
 import org.springframework.security.authentication.AuthenticationServiceException;
 import org.springframework.security.core.Authentication;
@@ -38,6 +25,14 @@ import org.springframework.security.web.authentication.rememberme.AbstractRememb
 import org.springframework.util.Assert;
 import org.springframework.util.StringUtils;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;
+import java.io.IOException;
+import java.net.MalformedURLException;
+import java.net.URL;
+import java.util.*;
+
 /**
 * Filter which processes OpenID authentication requests.
@@ -239,7 +234,14 @@ public class OpenIDAuthenticationFilter extends AbstractAuthenticationProcessing
 * Reads the claimedIdentityFieldName from the submitted request.
 */
 protected String obtainUsername(HttpServletRequest req) {
- return req.getParameter(claimedIdentityFieldName);
+ String claimedIdentity = req.getParameter(claimedIdentityFieldName);
+
+ if (!StringUtils.hasText(claimedIdentity)) {
+ logger.error("No claimed identity supplied in authentication request");
+ return "";
+ }
+
+ return claimedIdentity.trim();
 }
 /**
diff --git a/openid/src/test/java/org/springframework/security/openid/OpenIDAuthenticationFilterTests.java b/openid/src/test/java/org/springframework/security/openid/OpenIDAuthenticationFilterTests.java
index 621f5dd84c..54efad432a 100644
--- a/openid/src/test/java/org/springframework/security/openid/OpenIDAuthenticationFilterTests.java
+++ b/openid/src/test/java/org/springframework/security/openid/OpenIDAuthenticationFilterTests.java
@@ -45,7 +45,7 @@ public class OpenIDAuthenticationFilterTests {
 MockHttpServletRequest req = new MockHttpServletRequest("GET", REQUEST_PATH);
 MockHttpServletResponse response = new MockHttpServletResponse();
- req.setParameter("openid_identifier", CLAIMED_IDENTITY_URL);
+ req.setParameter("openid_identifier", " " + CLAIMED_IDENTITY_URL);
 req.setRemoteHost("www.example.com");
 filter.setConsumer(new MockOpenIDConsumer() {
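Review bot: The new `logger.error(...)` in obtainUsername fires on a condition any unauthenticated client can produce by omitting or blanking one request parameter, so it lets remote input fill the error log with lines that signal no server fault; `logger.debug("No claimed identity supplied in authentication request");` (or at most `warn`) fits the situation, and the failure is still surfaced to the caller through the empty return. That empty return also changes the method's contract from null to `""` for a missing parameter, which presumably is what the consumer call in attemptAuthentication now relies on — worth confirming that nothing downstream still distinguishes null from blank. The Javadoc above the method should record both behaviours, e.g. `* Reads the claimedIdentityFieldName from the submitted request, trimmed of surrounding whitespace; returns "" if the parameter is absent or blank.`. Note also that `trim()` strips only characters at or below U+0020, so other Unicode whitespace in the submitted value is passed through unchanged.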
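Review bot: The updated test exercises only a leading-space value, so the two other behaviours the filter change introduces — trailing whitespace and the absent/blank parameter that now yields `""` and a log line — remain uncovered. A second case along the lines of `req.setParameter("openid_identifier", " ");` that asserts the request fails cleanly through the filter's failure path (rather than reaching the consumer) would pin the blank branch; a trailing-space variant of the existing assertion would pin the trim. The enclosing test method starts before and continues after this hunk.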