SEC-1701: OpenId identifier should be trimmed #1937

Closed
spring-issuemaster opened this Issue Mar 25, 2011 · 2 comments

@spring-issuemaster

Ingo (Migrated from SEC-1701) said:

The authentication fails if a user copy&pastes his OpenId identity and it includes a white space at the end.
An additional space is often appended when copying it from HTML pages or emails.

I've got this problem with 3.0.4, but I'm sure all other versions are also affected.

Fix would look like this at OpenIDAuthenticationFilter.attemptAuthentication():

```java
String identity = request.getParameter("openid.identity");
if (!StringUtils.hasText(identity)) {
    identity = identity.trim(); // FIX
    String claimedIdentity = obtainUsername(request);
```

Stacktrace:
org.springframework.security.authentication.AuthenticationServiceException: Unable to process claimed identity 'http://alice-franz.myopenid.com/ '
at org.springframework.security.openid.OpenIDAuthenticationFilter.attemptAuthentication(OpenIDAuthenticationFilter.java:143) ~[org.springframework.security.openid_3.0.4.RELEASE.jar:3.0.4.RELEASE]

@spring-issuemaster

Luke Taylor said:

Thanks for the report. Note that your fix would throw an NPE :). So I've trimmed the return value from the obtainUsername() method instead.

@spring-issuemaster

Ingo said:

Thank you Luke. :-)

@spring-issuemaster spring-issuemaster added this to the 3.1.0.RC2 milestone Feb 5, 2016
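
Why the proposed placement of `trim()` fails, next to a null-safe trim of the claimed identity, as an added example that is not Spring Security's own code. The request is modelled as a `Map`, and `hasText()`, `obtainUsername()` and the `openid_identifier` field name are stand-ins assumed for illustration.

```java
import java.util.HashMap;
import java.util.Map;

public class OpenIdIdentifierTrimDemo {

    // Stand-in for StringUtils.hasText(): non-null and contains a non-whitespace character.
    static boolean hasText(String s) {
        return s != null && !s.trim().isEmpty();
    }

    // Hypothetical stand-in for obtainUsername(request): reads the claimed identity form field.
    static String obtainUsername(Map<String, String> params) {
        return params.get("openid_identifier"); // field name assumed for this example
    }

    // Mirrors the snippet proposed in the issue: trim() sits inside the branch that is
    // only entered when identity has no text, so identity may be null at that point.
    static String proposedFix(Map<String, String> params) {
        String identity = params.get("openid.identity");
        if (!hasText(identity)) {
            identity = identity.trim(); // NullPointerException when the parameter is absent
            return obtainUsername(params);
        }
        return identity;
    }

    // Approach described in the reply: trim what obtainUsername() returns, guarding against null.
    static String trimmedClaimedIdentity(Map<String, String> params) {
        String claimed = obtainUsername(params);
        return claimed == null ? null : claimed.trim();
    }

    public static void main(String[] args) {
        Map<String, String> params = new HashMap<>();
        // Constructed input: pasted identifier with a trailing space, no openid.identity parameter.
        params.put("openid_identifier", "http://alice-franz.myopenid.com/ ");

        try {
            proposedFix(params);
        } catch (NullPointerException e) {
            System.out.println("proposed fix: NullPointerException");
        }
        System.out.println("trimmed: '" + trimmedClaimedIdentity(params) + "'");
    }
}
```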