Commits on Sep 19, 2012
  1. @pk11

    upgrade publishing hosts

    pk11 authored
Commits on Sep 18, 2012
  1. @jroper
Commits on Sep 12, 2012
  1. @guillaumebort
  2. @erwan

    [#655] Update AHC to 1.7.6

    erwan authored
Commits on Sep 10, 2012
  1. @guillaumebort

    Merge pull request #446 from juretta/discovery-spec-fix

    guillaumebort authored
    Update the DiscoverySpec to work properly in Spec2 examples that are executed concurrently
  2. @juretta

    Update the DiscoverySpec to work properly in Spec2 examples that are executed concurrently

    juretta authored
    
    Specs2 examples are by default executed concurrently. Change the readFixture
    method to be synchronized and don't share mock instances across examples
    (otherwise exceptions like WrongTypeOfReturnValue could be thrown during test
    executions).
    
    Alternatively the Specification could be configured to run "sequentially" but
    that feels like a very heavy handed solution.
  3. @juretta

    Revert "Some specs fail randomly – Comment for now"

    juretta authored
    This reverts commit 410c3b6.
  4. @guillaumebort
  5. @guillaumebort

    Merge pull request #443 from juretta/2.0.x-OpenID-Google-Account-Fix

    guillaumebort authored
    OpenID for Google accounts fix
Commits on Sep 7, 2012
  1. @juretta

    Remove unused fixture file

    juretta authored
  2. @juretta
  3. @juretta

    Fix XRDS parsing for the Google account XRDS response

    juretta authored
    The XRDS resolver didn't cope with multiple <Type/> elements in a <Service/>
    element. Change findUriWithType to find the Service if one of the <Type/>
    child elements matches.
  4. @juretta
Commits on Aug 30, 2012
  1. @jroper

    Fixed potential timing attack

    jroper authored
  2. @jroper

    Merge pull request #417 from juretta/2.0.x-openid-with-tests

    jroper authored
    Fix the security vulnerability reported in #661 and add tests for OpenID
Commits on Aug 14, 2012
  1. @juretta

    Give a meaningful error if the user cancelled the authentication request (openid.mode -> cancel)

    juretta authored
  2. @juretta

    Backport to the 2.0.x branch

    juretta authored
  3. @juretta
  4. @juretta

    Direct verification MUST use discovery on the claimedId.

    juretta authored
    Remove the usage of the openid.op_endpoint query string parameter.
    
    Explanation:
    
    For the verification part Play's OpenID library is using "Direct verification"
    (http://openid.net/specs/openid-authentication-2_0.html#check_auth
    - 11.4.2. Verifying Directly with the OpenID Provider) and basically asks the
    OP if the response is valid.
    
    Only if the OP verifies the incoming data the UserInfo will be
    populated with the information from the OP (e.g. OpenID and
    potentially extended attributes like email, names).
    
    Discovery (to discover the correct OP
    endpoint to use) MUST happen on the claimed Id. See (11.2):
    http://openid.net/specs/openid-authentication-2_0.html#verify_disco
    "the Relying Party MUST perform discovery on the Claimed Identifier in
    the response to make sure that the OP is authorized to make assertions
    about the Claimed Identifier."
    
    This change removes the usage of the openid.op_endpoint query string param as
    that can easily be changed (a URL that returns 200 OK with a body of
    "is_valid:true\n" is sufficient) which would allow an attacker to "verify" any
    information contained in the verification payload.
  5. @juretta
  6. @juretta

    Fix failing redirect test

    juretta authored
  7. @juretta
  8. @juretta

    Code cleanup/organize imports.

    juretta authored
  9. @juretta
  10. @juretta

    Add basic spec for the verification step, add more tests

    juretta authored juretta committed
  11. @juretta
  12. @juretta

    Make OpenID testable, extract the Discovery and make it work against most of the normalization examples

    juretta authored
  13. @juretta
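The verification flow described in the "Direct verification MUST use discovery on the claimedId" commit above, together with the multiple-<Type/> handling from the "Fix XRDS parsing for the Google account XRDS response" commit, as an added Python example. It is not Play's code (Play's OpenID support is Scala) and does not reproduce Play's API: the XRDS document, the example.com/example.net URLs, the assertion parameters and the in-memory `fetch` function standing in for HTTP are all constructed here. It shows the pre-fix check that trusts `openid.op_endpoint` accepting a forged assertion against an attacker URL that just answers `is_valid:true`, and the discovery-based check rejecting it. Beyond what the commit message describes, it also requires the `openid.op_endpoint` in the assertion to equal the discovered endpoint, which is the matching rule in the spec section (11.2) the commit cites. Yadis headers and HTML-link discovery are left out; only an XRDS served at the Claimed Identifier is handled.

```python
"""Added example (not Play's code): OpenID 2.0 direct verification that
discovers the OP from the Claimed Identifier instead of trusting the
openid.op_endpoint parameter of the assertion. Everything below is
constructed for the example; nothing touches the network."""
import xml.etree.ElementTree as ET
from urllib.parse import urlencode, urldefrag

XRD_NS = "xri://$xrd*($v*2.0)"
OPENID_SERVER = "http://specs.openid.net/auth/2.0/server"
OPENID_SIGNON = "http://specs.openid.net/auth/2.0/signon"


def find_uri_with_type(xrds_doc, wanted_types):
    """Return the <URI> of the first <Service> whose <Type> children include
    any of wanted_types. A Service may list several <Type> elements (as the
    Google XRDS does), so every Type child is checked, not only the first."""
    root = ET.fromstring(xrds_doc)
    for service in root.iter("{%s}Service" % XRD_NS):
        types = {t.text.strip() for t in service.findall("{%s}Type" % XRD_NS) if t.text}
        if types & set(wanted_types):
            uri = service.find("{%s}URI" % XRD_NS)
            if uri is not None and uri.text:
                return uri.text.strip()
    return None


def discover_op_endpoint(claimed_id, fetch):
    """Discovery on the Claimed Identifier: strip any fragment, fetch the
    identifier URL and read the OP endpoint out of the XRDS it serves."""
    normalized, _ = urldefrag(claimed_id)
    status, body = fetch(normalized, None)
    if status != 200:
        return None
    return find_uri_with_type(body, (OPENID_SERVER, OPENID_SIGNON))


def parse_kv(body):
    """Parse the OpenID key-value response form ("key:value" per line)."""
    out = {}
    for line in body.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            out[key] = value
    return out


def check_authentication(endpoint, params, fetch):
    """Direct verification (11.4.2): post the assertion back to the OP with
    openid.mode=check_authentication and read is_valid from the answer."""
    payload = dict(params)
    payload["openid.mode"] = "check_authentication"
    status, body = fetch(endpoint, urlencode(payload))
    return status == 200 and parse_kv(body).get("is_valid") == "true"


def verify_unsafe(params, fetch):
    """Pre-fix behaviour: ask whatever URL the assertion names as the OP."""
    return check_authentication(params["openid.op_endpoint"], params, fetch)


def verify(params, fetch):
    """Hardened: discover the OP from openid.claimed_id (11.2), require the
    assertion's openid.op_endpoint to match it, and ask only that OP."""
    endpoint = discover_op_endpoint(params["openid.claimed_id"], fetch)
    if endpoint is None or endpoint != params.get("openid.op_endpoint"):
        return False
    return check_authentication(endpoint, params, fetch)


# Constructed XRDS: the signon Type is deliberately not the first <Type>.
XRDS = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="0">
      <Type>http://openid.net/srv/ax/1.0</Type>
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>https://op.example.com/openid</URI>
    </Service>
  </XRD>
</xrds:XRDS>"""

GENUINE = {  # constructed positive assertion parameters
    "openid.ns": "http://specs.openid.net/auth/2.0",
    "openid.mode": "id_res",
    "openid.claimed_id": "https://op.example.com/id/alice",
    "openid.identity": "https://op.example.com/id/alice",
    "openid.op_endpoint": "https://op.example.com/openid",
    "openid.sig": "c29tZS1zaWduYXR1cmU=",
}
# Same assertion, but openid.op_endpoint points at an attacker-controlled URL.
FORGED = dict(GENUINE, **{"openid.op_endpoint": "https://attacker.example.net/yes"})


def make_fetch(op_says_valid):
    """In-memory stand-in for HTTP: (url, post_body) -> (status, body)."""
    def fetch(url, post_body):
        if url == "https://op.example.com/id/alice":
            return 200, XRDS
        if url == "https://op.example.com/openid":
            return 200, "ns:http://specs.openid.net/auth/2.0\nis_valid:%s\n" % (
                "true" if op_says_valid else "false")
        if url == "https://attacker.example.net/yes":
            return 200, "is_valid:true\n"   # 200 OK + this body was all it took
        return 404, ""
    return fetch


if __name__ == "__main__":
    print("forged, pre-fix check   :", verify_unsafe(FORGED, make_fetch(False)))
    print("forged, discovery check :", verify(FORGED, make_fetch(False)))
    print("genuine, discovery check:", verify(GENUINE, make_fetch(True)))
```

Run it as a script to see the forged assertion accepted by `verify_unsafe` and rejected by `verify`; the genuine assertion is accepted by `verify` only when the discovered OP itself answers `is_valid:true`.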
Commits on Aug 8, 2012
  1. @pk11

    Merge pull request #411 from jamesward/ignore-more-files-in-skeletons

    pk11 authored
    Add more ignored files to the skeletons
Commits on Aug 7, 2012
  1. @pk11

    Merge pull request #410 from jamesward/add-date-header-to-304-response

    pk11 authored
    Add a Date header to 304 responses
  2. @jamesward
  3. @jamesward

    Add a Date header to 304 responses

    jamesward authored
    This change adds a Date header to 304 responses and fixes an issue with CloudFront getting stuck in a RefreshHit cycle after hitting the TTL.
    
    More information about why the Date header is required on 304 responses can be found at:
    http://stackoverflow.com/questions/1587667/should-http-304-not-modified-responses-contain-cache-control-headers
    
    Also, since a Date header should always be returned (not just for requests that have a Last-Modified header) the Date header is now set when a 200 response is constructed.
    
    The FunctionalSpec has been added to test for the Date header on a 304 response.
Commits on Jul 20, 2012
  1. @pk11
  2. @nraychaudhuri @pk11

    session.httpOnly is now configurable

    nraychaudhuri authored pk11 committed
  3. @pk11

    backporting [lh 511] [fixes #315] adding a cookie twice to a result doesn't override cookie value

    pk11 authored