From aa2ec7ce0d9eafea0407aa5a1733816c8c99897a Mon Sep 17 00:00:00 2001
From: Justin Richer
Date: Tue, 10 Sep 2013 15:27:04 -0400
Subject: [PATCH] interceptor shouldn't ever overwrite stuff from the base model

---
 .../org/mitre/openid/connect/web/UserInfoInterceptor.java | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/openid-connect-common/src/main/java/org/mitre/openid/connect/web/UserInfoInterceptor.java b/openid-connect-common/src/main/java/org/mitre/openid/connect/web/UserInfoInterceptor.java
index 2e1757714..2ee3b5aec 100644
--- a/openid-connect-common/src/main/java/org/mitre/openid/connect/web/UserInfoInterceptor.java
+++ b/openid-connect-common/src/main/java/org/mitre/openid/connect/web/UserInfoInterceptor.java
@@ -65,7 +65,8 @@ public class UserInfoInterceptor extends HandlerInterceptorAdapter {
 	@Override
 	public void postHandle(HttpServletRequest request, HttpServletResponse response, Object handler, ModelAndView modelAndView) throws Exception {
-		if (modelAndView != null) { // skip checking at all if we have no model and view to hand the user to
+		if (modelAndView != null && !modelAndView.getModel().containsKey("userInfo")) { // skip checking at all if we have no model and view to hand the user to
+			// or if there's already a userInfo object in there
 			// TODO: this is a patch to get around a potential information leak from #492
 			if (!(modelAndView.getView() instanceof RedirectView)) {
@@ -73,7 +74,7 @@ public class UserInfoInterceptor extends HandlerInterceptorAdapter {
 			// get our principal from the security context
 			Principal p = request.getUserPrincipal();
-			if (p instanceof Authentication){
+			if (p instanceof Authentication && !modelAndView.getModel().containsKey("userAuthorities")){
 				Authentication auth = (Authentication)p;
 				modelAndView.addObject("userAuthorities", gson.toJson(auth.getAuthorities()));
 			}
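Review bot: The new outer guard in the first hunk skips the whole block whenever the base model already holds `userInfo`, so the `userAuthorities` check added in the second hunk is never reached in that case and a controller that pre-populates only `userInfo` now also loses the authorities entry. If the intent is strictly "never overwrite", the `userInfo` test belongs next to the `addObject("userInfo", …)` call (which sits between the two hunks and is not visible here), leaving the outer condition as `if (modelAndView != null) {` so that each key guards only its own `addObject`. The trailing comment now split across the `if` line and a continuation line inside the body is hard to read; a single comment above the `if`, such as `// never overwrite userInfo/userAuthorities already placed in the model by the controller`, would be clearer. Note that `modelAndView.getModel()` appears to return a non-null map here, but that is inferred from the Spring API rather than visible in the hunk. postHandle's body starts in the first hunk and continues past the end of the second.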