Home Explore Help
Register Sign In
github
/
spring-security
mirror of https://github.com/spring-projects/spring-security
2
0
Fork 0
Files Issues 0 Wiki
Browse Source

SEC-1753: Cater for missing DiscoveryInformation object in OpenID4JavaConsumer.endConsumption.

Rob Winch 13 years ago
parent
5c4f4cbe4d
commit
d50184deda
2 changed files with 34 additions and 0 deletions
Unified View Show Diff Stats
  1. 5 0
      openid/src/main/java/org/springframework/security/openid/OpenID4JavaConsumer.java
  2. 29 0
      openid/src/test/java/org/springframework/security/openid/OpenID4JavaConsumerTests.java

+ 5 - 0
openid/src/main/java/org/springframework/security/openid/OpenID4JavaConsumer.java
View File 

@@ -41,6 +41,7 @@ import org.openid4java.message.ax.FetchResponse;
 
 
 
 /**
 
 /**
 
  * @author Ray Krueger
 
  * @author Ray Krueger
 
+ * @author Rob Winch
 
  */
 
  */
 
 public class OpenID4JavaConsumer implements OpenIDConsumer {
 
 public class OpenID4JavaConsumer implements OpenIDConsumer {
 
     private static final String DISCOVERY_INFO_KEY = DiscoveryInformation.class.getName();
 
     private static final String DISCOVERY_INFO_KEY = DiscoveryInformation.class.getName();
 
@@ -114,6 +115,10 @@ public class OpenID4JavaConsumer implements OpenIDConsumer {
 
         // retrieve the previously stored discovery information
 
         // retrieve the previously stored discovery information
 
         DiscoveryInformation discovered = (DiscoveryInformation) request.getSession().getAttribute(DISCOVERY_INFO_KEY);
 
         DiscoveryInformation discovered = (DiscoveryInformation) request.getSession().getAttribute(DISCOVERY_INFO_KEY);
 
 
 
+        if (discovered == null) {
 
+            throw new OpenIDConsumerException("DiscoveryInformation is not available. Possible causes are lost session or replay attack");
 
+        }
 
+
 
         // extract the receiving URL from the HTTP request
 
         // extract the receiving URL from the HTTP request
 
         StringBuffer receivingURL = request.getRequestURL();
 
         StringBuffer receivingURL = request.getRequestURL();
 
         String queryString = request.getQueryString();
 
         String queryString = request.getQueryString();

+ 29 - 0
openid/src/test/java/org/springframework/security/openid/OpenID4JavaConsumerTests.java
View File 

@@ -0,0 +1,29 @@
 
+/*
 
+ * Copyright 2002-2012 the original author or authors.
 
+ *
 
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
 
+ * the License. You may obtain a copy of the License at
 
+ *
 
+ * http://www.apache.org/licenses/LICENSE-2.0
 
+ *
 
+ * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
 
+ * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
 
+ * specific language governing permissions and limitations under the License.
 
+ */
 
+package org.springframework.security.openid;
 
+
 
+import org.junit.Test;
 
+import org.springframework.mock.web.MockHttpServletRequest;
 
+
 
+/**
 
+ * @author Luke Taylor
 
+ * @author Rob Winch
 
+ */
 
+public class OpenID4JavaConsumerTests {
 
+
 
+    @Test(expected=OpenIDConsumerException.class)
 
+    public void missingDiscoveryInformationThrowsException() throws Exception {
 
+        OpenID4JavaConsumer consumer = new OpenID4JavaConsumer();
 
+        consumer.endConsumption(new MockHttpServletRequest());
 
+    }
 
+}