
add note for why mode parameter is not signed

git-svn-id: file:///Users/willnorris/Projects/svn-import/java-openid/trunk@100 eae3f9c0-6542-46b9-8785-326aab784c2f
1 parent 2a3f0bf commit 15ff878c1aff30dcdd8bff152555426324257772 @willnorris committed Nov 14, 2009
Showing with 2 additions and 0 deletions.
  1. +2 −0 src/main/java/edu/internet2/middleware/openid/security/SecurityUtils.java
@@ -113,6 +113,8 @@ public static boolean signatureIsValid(SignableMessage message, Association asso
/**
* Build default list of parameters that should be signed from a given parameter map. This will include all message
* parameters and namespace declarations with the exception of signature related parameters and the mode parameter.
+ * The mode parameter is not signed because it would break the signatures on verify requests, since they have a
+ * different mode than the positive assertion message they are verifying.
*
* @param parameters parameter map to build signed parameter list for
* @return list of parameter names that should be signed
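Review bot: The sentence added at the end of the first javadoc paragraph should also state the consequence of leaving mode out. A parameter that is not in the signed list is not covered by the signature, so a successful signatureIsValid result says nothing about the mode value, and callers have to check mode separately. I would add one sentence to that effect. I would also name the two message types concretely, for example with {@link} references to the verify request and positive assertion classes, so "verify requests" is unambiguous to a reader who does not know the protocol flow. The unchanged text above still says "signature related parameters" without listing them, and since this javadoc is the place that defines the default signed set, listing the excluded names here would make the exclusion auditable.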
