Cwikius-Spring/spring-security
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-security.git synced 2025-06-07 20:52:13 +00:00
Code Issues Packages Projects Releases Wiki Activity

SEC-1753: Cater for missing DiscoveryInformation object in OpenID4JavaConsumer.endConsumption.

Browse Source
This commit is contained in:
Rob Winch 2012-10-02 16:37:25 -05:00
parent 5c4f4cbe4d
commit d50184deda
2 changed files with 34 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
openid/src/main/java/org/springframework/security/openid/OpenID4JavaConsumer.java
View File

@ -41,6 +41,7 @@ import org.openid4java.message.ax.FetchResponse;
/**
* @author Ray Krueger
* @author Rob Winch
*/
public class OpenID4JavaConsumer implements OpenIDConsumer {
private static final String DISCOVERY_INFO_KEY = DiscoveryInformation.class.getName();
@ -114,6 +115,10 @@ public class OpenID4JavaConsumer implements OpenIDConsumer {
// retrieve the previously stored discovery information
DiscoveryInformation discovered = (DiscoveryInformation) request.getSession().getAttribute(DISCOVERY_INFO_KEY);
if (discovered == null) {
throw new OpenIDConsumerException("DiscoveryInformation is not available. Possible causes are lost session or replay attack");
}
// extract the receiving URL from the HTTP request
StringBuffer receivingURL = request.getRequestURL();
String queryString = request.getQueryString();

29
openid/src/test/java/org/springframework/security/openid/OpenID4JavaConsumerTests.java Normal file
View File

@ -0,0 +1,29 @@
/*
* Copyright 2002-2012 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
* an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
* specific language governing permissions and limitations under the License.
*/
package org.springframework.security.openid;
import org.junit.Test;
import org.springframework.mock.web.MockHttpServletRequest;
/**
* @author Luke Taylor
* @author Rob Winch
*/
public class OpenID4JavaConsumerTests {
@Test(expected=OpenIDConsumerException.class)
public void missingDiscoveryInformationThrowsException() throws Exception {
OpenID4JavaConsumer consumer = new OpenID4JavaConsumer();
consumer.endConsumption(new MockHttpServletRequest());
}
}