Commits on Sep 19, 2012
  1. upgrade publishing hosts

    pk11 committed Sep 19, 2012
Commits on Sep 12, 2012
  1. [#655] Update AHC to 1.7.6

    erwan committed Sep 12, 2012
Commits on Sep 10, 2012
  1. Merge pull request #446 from juretta/discovery-spec-fix

    guillaumebort committed Sep 10, 2012
    Update the DiscoverySpec to work properly in Spec2 examples that are executed concurrently
  2. Update the DiscoverySpec to work properly in Spec2 examples that are …

    juretta committed Sep 10, 2012
    …executed concurrently
    
    Specs2 examples are by default executed concurrently. Change the readFixture
    method to be synchronized and don't share mock instances across examples
    (otherwise exceptions like WrongTypeOfReturnValue could be thrown during test
    executions).
    
    Alternatively, the Specification could be configured to run "sequentially" but
    that feels like a very heavy-handed solution.
  3. Revert "Some specs fail randomly – Comment for now"

    juretta committed Sep 10, 2012
    This reverts commit 410c3b6.
  4. Merge pull request #443 from juretta/2.0.x-OpenID-Google-Account-Fix

    guillaumebort committed Sep 10, 2012
    OpenID for Google accounts fix
Commits on Sep 7, 2012
  1. Remove unused fixture file

    juretta committed Sep 7, 2012
  2. Fix XRDS parsing for the Google account XRDS response

    juretta committed Sep 7, 2012
    The XRDS resolver didn't cope with multiple <Type/> elements in a <Service/>
    element. Change findUriWithType to find the Service if one of the <Type/>
    child elements matches.
Commits on Aug 30, 2012
  1. Fixed potential timing attack

    jroper committed Aug 30, 2012
  2. Merge pull request #417 from juretta/2.0.x-openid-with-tests

    jroper committed Aug 30, 2012
    Fix the security vulnerability reported in #661 and add tests for OpenID
Commits on Aug 14, 2012
  1. Give a meaningful error if the user cancelled the authentication requ…

    juretta committed Aug 14, 2012
    …est (openid.mode -> cancel)
  2. Backport to the 2.0.x branch

    juretta committed Aug 14, 2012
  3. Direct verification MUST use discovery on the claimedId.

    juretta committed Aug 14, 2012
    Remove the usage of the openid.op_endpoint query string parameter.
    
    Explanation:
    
    For the verification part Play's OpenID library is using "Direct verification"
    (http://openid.net/specs/openid-authentication-2_0.html#check_auth
    - 11.4.2. Verifying Directly with the OpenID Provider) and basically asks the
    OP if the response is valid.
    
    Only if the OP verifies the incoming data will the UserInfo be
    populated with the information from the OP (e.g. OpenID and
    potentially extended attributes like email, names).
    
    Discovery (to discover the correct OP
    endpoint to use) MUST happen on the claimed Id. See (11.2):
    http://openid.net/specs/openid-authentication-2_0.html#verify_disco
    "the Relying Party MUST perform discovery on the Claimed Identifier in
    the response to make sure that the OP is authorized to make assertions
    about the Claimed Identifier."
    
    This change removes the usage of the openid.op_endpoint query string param as
    that can easily be changed (a URL that returns 200 OK with a body of
    "is_valid:true\n" is sufficient) which would allow an attacker to "verify" any
    information contained in the verification payload.
  4. Fix failing redirect test

    juretta committed Aug 14, 2012
  5. Make OpenID testable, extract the Discovery and make it work against …

    juretta committed Jun 1, 2012
    …most of the normalization examples
Commits on Aug 8, 2012
  1. Merge pull request #411 from jamesward/ignore-more-files-in-skeletons

    pk11 committed Aug 8, 2012
    Add more ignored files to the skeletons
Commits on Aug 7, 2012
  1. Merge pull request #410 from jamesward/add-date-header-to-304-response

    pk11 committed Aug 7, 2012
    Add a Date header to 304 responses
  2. Add a Date header to 304 responses

    jamesward committed Aug 7, 2012
    This change adds a Date header to 304 responses and fixes an issue with CloudFront getting stuck in a RefreshHit cycle after hitting the TTL.
    
    More information about why the Date header is required on 304 responses can be found at:
    http://stackoverflow.com/questions/1587667/should-http-304-not-modified-responses-contain-cache-control-headers
    
    Also, since a Date header should always be returned (not just for requests that have a Last-Modified header) the Date header is now set when a 200 response is constructed.
    
    The FunctionalSpec has been added to test for the Date header on a 304 response.
Commits on Jul 20, 2012
  1. session.httpOnly is now configurable

    nraychaudhuri authored and pk11 committed May 16, 2012
  2. backporting [lh 511] [fixes #315] adding a cookie twice to a result d…

    pk11 committed Jul 2, 2012
    …oesn't override cookie value