github
/
OpenID-Connect-Java-Spring-Server
mirror of https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

stopgap to prevent some leaks due to #492

pull/516/head
Justin Richer 2013-08-30 16:37:52 -04:00
parent bdbff8d45c
commit 0a962e17fa
1 changed files with 29 additions and 23 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

48
openid-connect-common/src/main/java/org/mitre/openid/connect/web/UserInfoInterceptor.java
View File

@ -33,6 +33,7 @@ import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority; import org.springframework.security.core.GrantedAuthority;
import org.springframework.web.servlet.ModelAndView; import org.springframework.web.servlet.ModelAndView;
import org.springframework.web.servlet.handler.HandlerInterceptorAdapter; import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;
import org.springframework.web.servlet.view.RedirectView;
import com.google.gson.Gson; import com.google.gson.Gson;
import com.google.gson.GsonBuilder; import com.google.gson.GsonBuilder;
@ -65,31 +66,36 @@ public class UserInfoInterceptor extends HandlerInterceptorAdapter {
public void postHandle(HttpServletRequest request, HttpServletResponse response, Object handler, ModelAndView modelAndView) throws Exception { public void postHandle(HttpServletRequest request, HttpServletResponse response, Object handler, ModelAndView modelAndView) throws Exception {
if (modelAndView != null) { // skip checking at all if we have no model and view to hand the user to if (modelAndView != null) { // skip checking at all if we have no model and view to hand the user to
// get our principal from the security context
Principal p = request.getUserPrincipal();
if (p instanceof Authentication){ // TODO: this is a patch to get around a potential information leak from #492
Authentication auth = (Authentication)p; if (!(modelAndView.getView() instanceof RedirectView)) {
modelAndView.addObject("userAuthorities", gson.toJson(auth.getAuthorities()));
}
if (p instanceof OIDCAuthenticationToken) { // get our principal from the security context
// if they're logging into this server from a remote OIDC server, pass through their user info Principal p = request.getUserPrincipal();
OIDCAuthenticationToken oidc = (OIDCAuthenticationToken) p;
modelAndView.addObject("userInfo", oidc.getUserInfo());
// TODO: this should use the same serializer as UserInfoView (#488)
modelAndView.addObject("userInfoJson", gson.toJson(oidc.getUserInfo()));
} else {
if (p != null && p.getName() != null) { // don't bother checking if we don't have a principal
// try to look up a user based on the principal's name if (p instanceof Authentication){
UserInfo user = userInfoService.getBySubject(p.getName()); Authentication auth = (Authentication)p;
modelAndView.addObject("userAuthorities", gson.toJson(auth.getAuthorities()));
}
// if we have one, inject it so views can use it if (p instanceof OIDCAuthenticationToken) {
if (user != null) { // if they're logging into this server from a remote OIDC server, pass through their user info
modelAndView.addObject("userInfo", user); OIDCAuthenticationToken oidc = (OIDCAuthenticationToken) p;
// TODO: this should use the same serializer as UserInfoView (#488) modelAndView.addObject("userInfo", oidc.getUserInfo());
modelAndView.addObject("userInfoJson", gson.toJson(user)); // TODO: this should use the same serializer as UserInfoView (#488)
modelAndView.addObject("userInfoJson", gson.toJson(oidc.getUserInfo()));
} else {
if (p != null && p.getName() != null) { // don't bother checking if we don't have a principal
// try to look up a user based on the principal's name
UserInfo user = userInfoService.getBySubject(p.getName());
// if we have one, inject it so views can use it
if (user != null) {
modelAndView.addObject("userInfo", user);
// TODO: this should use the same serializer as UserInfoView (#488)
modelAndView.addObject("userInfoJson", gson.toJson(user));
}
} }
} }
} }