…executed concurrently Specs2 examples are by default executed concurrently. Change the readFixture method to be synchronized and don't share mock instances across examples (otherwise exceptions like WrongTypeOfReturnValue could be thrown during test executions). Alternatively the Specification could be configured to run "sequentially" but that feels like a very heavy-handed solution.
This reverts commit 410c3b6.
The XRDS resolver didn't cope with multiple <Type/> elements in a <Service/> element. Change findUriWithType to find the Service if one of the <Type/> child elements matches.
…est (openid.mode -> cancel)
Remove the usage of the openid.op_endpoint query string parameter. Explanation: For the verification part Play's OpenID library is using "Direct verification" (http://openid.net/specs/openid-authentication-2_0.html#check_auth - 11.4.2. Verifying Directly with the OpenID Provider) and basically asks the OP if the response is valid. Only if the OP verifies the incoming data the UserInfo will be populated with the information from the OP (e.g. OpenID and potentially extended attributes like email, names). Discovery (to discover the correct OP endpoint to use) MUST happen on the claimed Id. See (11.2): http://openid.net/specs/openid-authentication-2_0.html#verify_disco "the Relying Party MUST perform discovery on the Claimed Identifier in the response to make sure that the OP is authorized to make assertions about the Claimed Identifier." This change removes the usage of the openid.op_endpoint query string param as that can easily be changed (a URL that returns 200 OK with a body of "is_valid:true\n" is sufficient) which would allow an attacker to "verify" any information contained in the verification payload.
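The endpoint choice this commit message describes, as an added example that is not code from the commit or from Play. All names (`OpEndpointCheck`, `endpointFromResponse`, `endpointFromDiscovery`, `verify`) and the `.example` URLs are hypothetical, and discovery and the HTTP POST are replaced by constructed in-memory stubs.

```scala
// Added illustration; every name here is hypothetical, not Play's OpenID API.
object OpEndpointCheck {
  type Params = Map[String, String]

  // Parse a check_authentication reply: newline-separated "key:value" pairs.
  def isValid(body: String): Boolean =
    body.split("\n").map(_.split(":", 2)).collect {
      case Array(k, v) => k.trim -> v.trim
    }.toMap.get("is_valid").contains("true")

  // Behaviour being removed: the endpoint is read from the incoming response.
  def endpointFromResponse(p: Params): Option[String] =
    p.get("openid.op_endpoint")

  // Behaviour after the change: discovery on the claimed identifier decides.
  def endpointFromDiscovery(discover: String => Option[String])(p: Params): Option[String] =
    p.get("openid.claimed_id").flatMap(discover)

  // Direct verification: send the response back with mode=check_authentication.
  def verify(pick: Params => Option[String], post: (String, Params) => String)(p: Params): Boolean =
    pick(p).exists(ep => isValid(post(ep, p.updated("openid.mode", "check_authentication"))))

  def main(args: Array[String]): Unit = {
    // Constructed discovery result for one claimed identifier.
    val table = Map("https://alice.example/" -> "https://op.example/auth")
    val discover: String => Option[String] = id => table.get(id)
    // Constructed stand-in for the HTTP POST: the real OP rejects an assertion
    // it never issued; any other URL answers like the page's "200 OK" case.
    val post: (String, Params) => String = (url, _) =>
      if (url == "https://op.example/auth") "is_valid:false\n" else "is_valid:true\n"
    // Constructed response whose op_endpoint does not match the discovered one.
    val forged: Params = Map(
      "openid.mode"        -> "id_res",
      "openid.claimed_id"  -> "https://alice.example/",
      "openid.op_endpoint" -> "https://other.example/ok"
    )
    println("endpoint from response:  accepted = " + verify(endpointFromResponse, post)(forged))
    println("endpoint from discovery: accepted = " + verify(endpointFromDiscovery(discover), post)(forged))
  }
}
```

With these constructed stubs, the mismatched response is accepted only when the endpoint is taken from the response itself; the discovery-based path sends the check to the discovered OP, which rejects it.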
…most of the normalization examples
This change adds a Date header to 304 responses and fixes an issue with CloudFront getting stuck in a RefreshHit cycle after hitting the TTL. More information about why the Date header is required on 304 responses can be found at: http://stackoverflow.com/questions/1587667/should-http-304-not-modified-responses-contain-cache-control-headers Also, since a Date header should always be returned (not just for requests that have a Last-Modified header) the Date header is now set when a 200 response is constructed. The FunctionalSpec has been added to test for the Date header on a 304 response.