From a573e7b395abeb1a7bafc391b0a251f789b30f08 Mon Sep 17 00:00:00 2001
From: Luke Taylor <luke.taylor@springsource.com>
Date: Tue, 20 Sep 2011 21:46:21 +0100
Subject: [PATCH] SEC-1820: Added null check for attributesToFetch in
 OpenID4JavaConsumer.

---
 .../springframework/security/openid/OpenID4JavaConsumer.java    | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/openid/src/main/java/org/springframework/security/openid/OpenID4JavaConsumer.java b/openid/src/main/java/org/springframework/security/openid/OpenID4JavaConsumer.java
index ce24d25cda..1700927726 100644
--- a/openid/src/main/java/org/springframework/security/openid/OpenID4JavaConsumer.java
+++ b/openid/src/main/java/org/springframework/security/openid/OpenID4JavaConsumer.java
@@ -195,7 +195,7 @@ public class OpenID4JavaConsumer implements OpenIDConsumer {
     List<OpenIDAttribute> fetchAxAttributes(Message authSuccess, List<OpenIDAttribute> attributesToFetch)
             throws OpenIDConsumerException {
 
-        if (!authSuccess.hasExtension(AxMessage.OPENID_NS_AX)) {
+        if (attributesToFetch == null || !authSuccess.hasExtension(AxMessage.OPENID_NS_AX)) {
             return Collections.emptyList();
         }