github
/
OpenID-Connect-Java-Spring-Server
mirror of https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

interceptor shouldn't ever overwrite stuff from the base model

pull/650/head
Justin Richer 2013-09-10 15:27:04 -04:00
parent d83af13ae3
commit aa2ec7ce0d
1 changed files with 3 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
openid-connect-common/src/main/java/org/mitre/openid/connect/web/UserInfoInterceptor.java
View File

@ -65,7 +65,8 @@ public class UserInfoInterceptor extends HandlerInterceptorAdapter {
@Override
public void postHandle(HttpServletRequest request, HttpServletResponse response, Object handler, ModelAndView modelAndView) throws Exception {
if (modelAndView != null) { // skip checking at all if we have no model and view to hand the user to
if (modelAndView != null && !modelAndView.getModel().containsKey("userInfo")) { // skip checking at all if we have no model and view to hand the user to
// or if there's already a userInfo object in there
// TODO: this is a patch to get around a potential information leak from #492
if (!(modelAndView.getView() instanceof RedirectView)) {
@ -73,7 +74,7 @@ public class UserInfoInterceptor extends HandlerInterceptorAdapter {
// get our principal from the security context
Principal p = request.getUserPrincipal();
if (p instanceof Authentication){
if (p instanceof Authentication && !modelAndView.getModel().containsKey("userAuthorities")){
Authentication auth = (Authentication)p;
modelAndView.addObject("userAuthorities", gson.toJson(auth.getAuthorities()));
}