
SEC-1753: Replay of response causes NullPointerException in OpenID4JavaConsumer #1988

spring-issuemaster opened this Issue May 25, 2011 · 3 comments



Simo Nikula (Migrated from SEC-1753) said:

`discovered` may be null, which causes a NullPointerException:

    // retrieve the previously stored discovery information
    DiscoveryInformation discovered = (DiscoveryInformation) request.getSession().getAttribute(DISCOVERY_INFO_KEY);
    List<OpenIDAttribute> attributesToFetch = (List<OpenIDAttribute>) request.getSession().getAttribute(ATTRIBUTE_LIST_KEY);

    Identifier id = discovered.getClaimedIdentifier();

Luke Taylor said:

Could you clarify the steps which lead to this behaviour, please?

Simo Nikula said:

This case happens during a hacking/cracking attempt (that's why it is minor).
I was comparing OpenID packages and checked how they handle the case where the response from the OpenID Provider is replayed.
Security is ok in the above implementation, as the data is removed from the session after it has been used, but the diagnostics from a NullPointerException are not too good.

You may have a better idea, but something like:

    throw new OpenIDConsumerException("DiscoveryInformation is not available, Possible causes are e.g. lost session or replay attack");

Another option, which I prefer, would be not to remove DiscoveryInformation from the session but let ConsumerManager._nonceVerifier.seen() report the possible attack.

Luke Taylor said:

OK, I've added a check for the missing DiscoveryInformation as you suggest. If you want to retain the DiscoveryInformation in the session for the duration you can override the endConsumption method and put it back after calling super.
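The two outcomes discussed in this thread, as an added illustration that is not Spring Security's or openid4java's own code: the unchecked path that ends in a NullPointerException when the stored DiscoveryInformation is gone (lost session or replayed OP response), the null check with a descriptive OpenIDConsumerException, and the override-style variant that puts the DiscoveryInformation back after consumption so replay detection is left to the nonce verifier. The `Session`, `DiscoveryInformation` and `OpenIDConsumerException` classes below are minimal hypothetical stand-ins for HttpSession and the real library types, and the attribute keys and claimed identifier are constructed values.

```java
import java.util.HashMap;
import java.util.Map;

// Added example, not the project's own code. The nested classes are hypothetical
// stand-ins for HttpSession, openid4java's DiscoveryInformation and Spring
// Security's OpenIDConsumerException, kept minimal so this compiles on its own.
public class ReplayDiagnosticsExample {

    static final String DISCOVERY_INFO_KEY = "openid.discovery.info"; // constructed key
    static final String ATTRIBUTE_LIST_KEY = "openid.attribute.list"; // constructed key

    /** Stand-in for HttpSession: a string-keyed attribute map. */
    static final class Session {
        private final Map<String, Object> attrs = new HashMap<>();
        Object getAttribute(String k) { return attrs.get(k); }
        void setAttribute(String k, Object v) { attrs.put(k, v); }
        void removeAttribute(String k) { attrs.remove(k); }
    }

    /** Stand-in for openid4java's DiscoveryInformation. */
    static final class DiscoveryInformation {
        private final String claimedIdentifier;
        DiscoveryInformation(String claimedIdentifier) { this.claimedIdentifier = claimedIdentifier; }
        String getClaimedIdentifier() { return claimedIdentifier; }
    }

    /** Stand-in for Spring Security's OpenIDConsumerException. */
    static final class OpenIDConsumerException extends Exception {
        OpenIDConsumerException(String msg) { super(msg); }
    }

    /** The behaviour reported in the issue: the attribute is dereferenced without a null check. */
    static String endConsumptionUnchecked(Session session) {
        DiscoveryInformation discovered = (DiscoveryInformation) session.getAttribute(DISCOVERY_INFO_KEY);
        session.removeAttribute(DISCOVERY_INFO_KEY);   // one-shot: consumed on first use
        return discovered.getClaimedIdentifier();      // NullPointerException on replay or lost session
    }

    /** The fix suggested in the thread: fail with a descriptive exception instead. */
    static String endConsumptionChecked(Session session) throws OpenIDConsumerException {
        DiscoveryInformation discovered = (DiscoveryInformation) session.getAttribute(DISCOVERY_INFO_KEY);
        if (discovered == null) {
            throw new OpenIDConsumerException(
                "DiscoveryInformation is not available. Possible causes are lost session or replay attack");
        }
        session.removeAttribute(DISCOVERY_INFO_KEY);
        return discovered.getClaimedIdentifier();
    }

    /**
     * The alternative from the last comment: keep the DiscoveryInformation for the
     * duration by putting it back after the consuming call. Replay detection then
     * rests entirely on openid4java's nonce verification, not on the missing attribute.
     */
    static String endConsumptionRetaining(Session session) throws OpenIDConsumerException {
        DiscoveryInformation discovered = (DiscoveryInformation) session.getAttribute(DISCOVERY_INFO_KEY);
        String id = endConsumptionChecked(session);    // plays the role of super.endConsumption(...)
        session.setAttribute(DISCOVERY_INFO_KEY, discovered);
        return id;
    }

    public static void main(String[] args) {
        Session session = new Session();
        session.setAttribute(DISCOVERY_INFO_KEY, new DiscoveryInformation("https://example.org/alice")); // constructed

        try {
            System.out.println("first response:    " + endConsumptionChecked(session));
            // Simulate the same OP response being submitted a second time.
            System.out.println("replayed response: " + endConsumptionChecked(session));
        } catch (OpenIDConsumerException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        // Same sequence through the unchecked path: the second call ends in a NullPointerException.
        session.setAttribute(DISCOVERY_INFO_KEY, new DiscoveryInformation("https://example.org/alice"));
        endConsumptionUnchecked(session);
        try {
            endConsumptionUnchecked(session);
        } catch (NullPointerException e) {
            System.out.println("unchecked path: NullPointerException with no useful diagnostic");
        }
    }
}
```

Running `main` shows the first response succeeding and the replayed one being rejected with the descriptive message, then the same sequence through the unchecked path failing with a bare NullPointerException; `endConsumptionRetaining` is the shape an overriding subclass would take if the discovery information should survive the first consumption.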

@spring-issuemaster spring-issuemaster added this to the 3.1.0.RC3 milestone Feb 5, 2016
