Commits on Sep 26, 2012
Commits on Sep 25, 2012
  1. backport: Add commons-lang3 instead of commons-lang, since commons-la…

    …ng escapes non-ASCII characters
    kzys committed with pk11 May 6, 2012
Commits on Sep 24, 2012
  1. [#655] Check SSL certificates

    erwan committed Sep 24, 2012
Commits on Sep 19, 2012
  1. upgrade publishing hosts

    pk11 committed Sep 19, 2012
Commits on Sep 18, 2012
Commits on Sep 12, 2012
  1. [#655] Update AHC to 1.7.6

    erwan committed Sep 12, 2012
Commits on Sep 10, 2012
  1. Merge pull request #446 from juretta/discovery-spec-fix

    Update the DiscoverySpec to work properly in Spec2 examples that are executed concurrently
    guillaumebort committed Sep 10, 2012
  2. Update the DiscoverySpec to work properly in Spec2 examples that are …

    …executed concurrently
    
    Specs2 examples are by default executed concurrently. Change the readFixture
    method to be synchronized and don't share mock instances across examples
    (otherwise exceptions like WrongTypeOfReturnValue could be thrown during test
    executions).
    
    Alternatively the Specification could be configured to run "sequentially" but
    that feels like a very heavy-handed solution.
    juretta committed Sep 10, 2012
  3. Revert "Some specs fail randomly – Comment for now"

    This reverts commit 410c3b6.
    juretta committed Sep 10, 2012
  4. Merge pull request #443 from juretta/2.0.x-OpenID-Google-Account-Fix

    OpenID for Google accounts fix
    guillaumebort committed Sep 10, 2012
Commits on Sep 7, 2012
  1. Remove unused fixture file

    juretta committed Sep 7, 2012
  2. Fix XRDS parsing for the Google account XRDS response

    The XRDS resolver didn't cope with multiple <Type/> elements in a <Service/>
    element. Change findUriWithType to find the Service if one of the <Type/>
    child elements matches.
    juretta committed Sep 7, 2012
Commits on Aug 30, 2012
  1. Fixed potential timing attack

    jroper committed Aug 30, 2012
  2. Merge pull request #417 from juretta/2.0.x-openid-with-tests

    Fix the security vulnerability reported in #661 and add tests for OpenID
    jroper committed Aug 30, 2012
Commits on Aug 14, 2012
  1. Give a meaningful error if the user cancelled the authentication requ…

    …est (openid.mode -> cancel)
    juretta committed Aug 14, 2012
  2. Backport to the 2.0.x branch

    juretta committed Aug 14, 2012
  3. Direct verification MUST use discovery on the claimedId.

    Remove the usage of the openid.op_endpoint query string parameter.
    
    Explanation:
    
    For the verification part Play's OpenID library is using "Direct verification"
    (http://openid.net/specs/openid-authentication-2_0.html#check_auth
    - 11.4.2. Verifying Directly with the OpenID Provider) and basically asks the
    OP if the response is valid.
    
    Only if the OP verifies the incoming data the UserInfo will be
    populated with the information from the OP (e.g. OpenID and
    potentially extended attributes like email, names).
    
    Discovery (to discover the correct OP
    endpoint to use) MUST happen on the claimed Id. See (11.2):
    http://openid.net/specs/openid-authentication-2_0.html#verify_disco
    "the Relying Party MUST perform discovery on the Claimed Identifier in
    the response to make sure that the OP is authorized to make assertions
    about the Claimed Identifier."
    
    This change removes the usage of the openid.op_endpoint query string param as
    that can easily be changed (a URL that returns 200 OK with a body of
    "is_valid:true\n" is sufficient) which would allow an attacker to "verify" any
    information contained in the verification payload.
    juretta committed Aug 14, 2012
  4. Fix failing redirect test

    juretta committed Aug 14, 2012
  5. Code cleanup/organize imports.

    juretta committed Jun 16, 2012
  6. Make OpenID testable, extract the Discovery and make it work against …

    …most of the normalization examples
    juretta committed Jun 1, 2012
Commits on Aug 8, 2012
  1. Merge pull request #411 from jamesward/ignore-more-files-in-skeletons

    Add more ignored files to the skeletons
    pk11 committed Aug 8, 2012
Commits on Aug 7, 2012
  1. Merge pull request #410 from jamesward/add-date-header-to-304-response

    Add a Date header to 304 responses
    pk11 committed Aug 7, 2012