SEC-1701: Trim claimed identity parameter value before submitting to OpenID4Java.

2025-07-13 05:43:29 +00:00 · 2011-03-25 19:09:32 +00:00 · 2011-03-25 19:09:32 +00:00 · 198d5d0482
commit 198d5d0482
parent acee3e2593
2 changed files with 17 additions and 15 deletions
--- a/openid/src/main/java/org/springframework/security/openid/OpenIDAuthenticationFilter.java
+++ b/openid/src/main/java/org/springframework/security/openid/OpenIDAuthenticationFilter.java
@ -15,19 +15,6 @@

 package org.springframework.security.openid;

-import java.io.IOException;
-import java.net.MalformedURLException;
-import java.net.URL;
-import java.util.Collections;
-import java.util.HashSet;
-import java.util.Iterator;
-import java.util.Map;
-import java.util.Set;
-
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-import javax.servlet.http.HttpSession;
-
 import org.openid4java.consumer.ConsumerException;
 import org.springframework.security.authentication.AuthenticationServiceException;
 import org.springframework.security.core.Authentication;
@ -38,6 +25,14 @@ import org.springframework.security.web.authentication.rememberme.AbstractRememb
 import org.springframework.util.Assert;
 import org.springframework.util.StringUtils;

+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;
+import java.io.IOException;
+import java.net.MalformedURLException;
+import java.net.URL;
+import java.util.*;
+

 /**
 * Filter which processes OpenID authentication requests.
@ -239,7 +234,14 @@ public class OpenIDAuthenticationFilter extends AbstractAuthenticationProcessing
     * Reads the <tt>claimedIdentityFieldName</tt> from the submitted request.
     */
    protected String obtainUsername(HttpServletRequest req) {
-        return req.getParameter(claimedIdentityFieldName);
+        String claimedIdentity = req.getParameter(claimedIdentityFieldName);
+
+        if (!StringUtils.hasText(claimedIdentity)) {
+            logger.error("No claimed identity supplied in authentication request");
+            return "";
+        }
+
+        return claimedIdentity.trim();
    }

    /**
--- a/openid/src/test/java/org/springframework/security/openid/OpenIDAuthenticationFilterTests.java
+++ b/openid/src/test/java/org/springframework/security/openid/OpenIDAuthenticationFilterTests.java
@ -45,7 +45,7 @@ public class OpenIDAuthenticationFilterTests {
        MockHttpServletRequest req = new MockHttpServletRequest("GET", REQUEST_PATH);
        MockHttpServletResponse response = new MockHttpServletResponse();

-        req.setParameter("openid_identifier", CLAIMED_IDENTITY_URL);
+        req.setParameter("openid_identifier", " " + CLAIMED_IDENTITY_URL);
        req.setRemoteHost("www.example.com");

        filter.setConsumer(new MockOpenIDConsumer() {