
SEC-1701: OpenId identifier should be trimmed #1937

spring-issuemaster opened this Issue Mar 25, 2011 · 2 comments



Ingo (Migrated from SEC-1701) said:

The authentication fails if a user copy&pastes his OpenId identity and it includes a white space at the end.
An additional space is often appended when copying it from HTML pages or emails.

I've got this problem with 3.0.4, but I'm sure all other versions are also affected.

Fix would look like this at OpenIDAuthenticationFilter.attemptAuthentication():

String identity = request.getParameter("openid.identity");
if (!StringUtils.hasText(identity)) {
    identity = identity.trim(); // FIX
    String claimedIdentity = obtainUsername(request);

org.springframework.security.authentication.AuthenticationServiceException: Unable to process claimed identity 'http://alice-franz.myopenid.com/ '
at org.springframework.security.openid.OpenIDAuthenticationFilter.attemptAuthentication(OpenIDAuthenticationFilter.java:143) ~[org.springframework.security.openid_3.0.4.RELEASE.jar:3.0.4.RELEASE]

Luke Taylor said:

Thanks for the report. Note that your fix would throw an NPE :). So I've trimmed the return value from the obtainUsername() method instead.

Ingo said:

Thank you Luke. :-)

@spring-issuemaster spring-issuemaster added this to the 3.1.0.RC2 milestone Feb 5, 2016
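
The two cases raised in this thread (a trailing space on the identifier, and an absent value hitting `trim()`) shown side by side as an added example; this is not Spring Security's code or code from the thread, and the class and method names are hypothetical. `trimUnicode` goes beyond the thread: it assumes identifiers pasted from HTML may end in a non-breaking space, which `String.trim()` does not remove.

```java
public class ClaimedIdentityTrimDemo {

    // Unguarded trim: throws NullPointerException when the value is absent (null).
    static String trimUnguarded(String raw) {
        return raw.trim();
    }

    // Null-safe trim: absent stays absent; otherwise String.trim() removes
    // leading and trailing characters with code point <= U+0020.
    static String trimNullSafe(String raw) {
        return raw == null ? null : raw.trim();
    }

    // Assumption beyond the thread: also remove Unicode space separators
    // such as U+00A0 (non-breaking space), which String.trim() leaves in place.
    static String trimUnicode(String raw) {
        if (raw == null) return null;
        int start = 0, end = raw.length();
        while (start < end && isSpace(raw.charAt(start))) start++;
        while (end > start && isSpace(raw.charAt(end - 1))) end--;
        return raw.substring(start, end);
    }

    static boolean isSpace(char c) {
        return Character.isWhitespace(c) || Character.isSpaceChar(c);
    }

    public static void main(String[] args) {
        // Constructed inputs; the first is the identifier shown in the stack trace.
        String[] samples = {
            "http://alice-franz.myopenid.com/ ",
            "\thttp://alice-franz.myopenid.com/\r\n",
            "http://alice-franz.myopenid.com/\u00A0",
            null
        };
        for (String s : samples) {
            String unguarded;
            try {
                unguarded = "[" + trimUnguarded(s) + "]";
            } catch (NullPointerException e) {
                unguarded = "NullPointerException";
            }
            System.out.println("unguarded=" + unguarded
                    + " nullSafe=[" + trimNullSafe(s) + "]"
                    + " unicode=[" + trimUnicode(s) + "]");
        }
    }
}
```

The third sample keeps its trailing non-breaking space under both `trim()` variants, so a claimed identity pasted that way would still fail to match even after a plain `trim()`.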
