SEC-1753: Cater for missing DiscoveryInformation object in OpenID4JavaConsumer.endConsumption.

openid/src/main/java/org/springframework/security/openid/OpenID4JavaConsumer.java

@@ -144,6 +144,11 @@ public class OpenID4JavaConsumer implements OpenIDConsumer {
 
         // retrieve the previously stored discovery information
         DiscoveryInformation discovered = (DiscoveryInformation) request.getSession().getAttribute(DISCOVERY_INFO_KEY);
+
+        if (discovered == null) {
+            throw new OpenIDConsumerException("DiscoveryInformation is not available. Possible causes are lost session or replay attack");
+        }
+
         List<OpenIDAttribute> attributesToFetch = (List<OpenIDAttribute>) request.getSession().getAttribute(ATTRIBUTE_LIST_KEY);
 
         request.getSession().removeAttribute(DISCOVERY_INFO_KEY);

openid/src/test/java/org/springframework/security/openid/OpenID4JavaConsumerTests.java

@@ -189,6 +189,11 @@ public class OpenID4JavaConsumerTests {
         consumer.fetchAxAttributes(msg, attributes);
     }
 
+    @Test(expected=OpenIDConsumerException.class)
+    public void missingDiscoveryInformationThrowsException() throws Exception {
+        OpenID4JavaConsumer consumer = new OpenID4JavaConsumer(new NullAxFetchListFactory());
+        consumer.endConsumption(new MockHttpServletRequest());
+    }
 
     @SuppressWarnings("deprecation")
     @Test