github
/
OpenID-Connect-Java-Spring-Server
mirror of https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

cleaned up logic on user info interceptor to fix detection of redirects

pull/819/merge
Justin Richer 10 years ago
parent
fe6d2f8a6e
commit
cbf6316050
2 changed files with 46 additions and 35 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 45
      openid-connect-common/src/main/java/org/mitre/openid/connect/web/UserInfoInterceptor.java
  2. 4
      openid-connect-server/src/main/java/org/mitre/openid/connect/filter/AuthorizationRequestFilter.java

45
openid-connect-common/src/main/java/org/mitre/openid/connect/web/UserInfoInterceptor.java
Unescape View File

@ -20,7 +20,6 @@
package org.mitre.openid.connect.web;
import java.lang.reflect.Type;
import java.security.Principal;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
@ -31,10 +30,13 @@ import org.mitre.openid.connect.service.UserInfoService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.servlet.ModelAndView;
import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;
import org.springframework.web.servlet.view.RedirectView;
import org.springframework.web.servlet.view.UrlBasedViewResolver;
import com.google.common.base.Strings;
import com.google.gson.Gson;
import com.google.gson.GsonBuilder;
import com.google.gson.JsonElement;
@ -69,19 +71,36 @@ public class UserInfoInterceptor extends HandlerInterceptorAdapter {
// or if there's already a userInfo object in there
// TODO: this is a patch to get around a potential information leak from #492
if (!(modelAndView.getView() instanceof RedirectView)) {
// get our principal from the security context
Principal p = request.getUserPrincipal();
if (modelAndView.getView() instanceof RedirectView) {
// don't add them
} else {
if (Strings.isNullOrEmpty(modelAndView.getViewName())) {
// add them
injectUserInfo(modelAndView);
} else {
if (modelAndView.getViewName().startsWith(UrlBasedViewResolver.FORWARD_URL_PREFIX) ||
modelAndView.getViewName().startsWith(UrlBasedViewResolver.REDIRECT_URL_PREFIX)) {
// don't add them
} else {
// add them
injectUserInfo(modelAndView);
}
}
}
}
}
if (p instanceof Authentication && !modelAndView.getModel().containsKey("userAuthorities")){
Authentication auth = (Authentication)p;
private void injectUserInfo(ModelAndView modelAndView) {
Authentication auth = SecurityContextHolder.getContext().getAuthentication();
if (auth instanceof Authentication && !modelAndView.getModel().containsKey("userAuthorities")){
modelAndView.addObject("userAuthorities", gson.toJson(auth.getAuthorities()));
}
if (p instanceof OIDCAuthenticationToken) {
if (auth instanceof OIDCAuthenticationToken) {
// if they're logging into this server from a remote OIDC server, pass through their user info
OIDCAuthenticationToken oidc = (OIDCAuthenticationToken) p;
OIDCAuthenticationToken oidc = (OIDCAuthenticationToken) auth;
if (oidc.getUserInfo() != null) {
modelAndView.addObject("userInfo", oidc.getUserInfo());
modelAndView.addObject("userInfoJson", oidc.getUserInfo().toJson());
@ -91,10 +110,10 @@ public class UserInfoInterceptor extends HandlerInterceptorAdapter {
}
} else {
// don't bother checking if we don't have a principal or a userInfoService to work with
if (p != null && p.getName() != null && userInfoService != null) {
if (auth != null && auth.getName() != null && userInfoService != null) {
// try to look up a user based on the principal's name
UserInfo user = userInfoService.getByUsername(p.getName());
UserInfo user = userInfoService.getByUsername(auth.getName());
// if we have one, inject it so views can use it
if (user != null) {
@ -104,11 +123,5 @@ public class UserInfoInterceptor extends HandlerInterceptorAdapter {
}
}
}
}
}
}

4
openid-connect-server/src/main/java/org/mitre/openid/connect/filter/AuthorizationRequestFilter.java
Unescape View File

@ -128,7 +128,6 @@ public class AuthorizationRequestFilter extends GenericFilterBean {
List<String> prompts = Splitter.on(PROMPT_SEPARATOR).splitToList(Strings.nullToEmpty(prompt));
if (prompts.contains(PROMPT_NONE)) {
logger.info("Client requested no prompt");
// see if the user's logged in
Authentication auth = SecurityContextHolder.getContext().getAuthentication();
@ -137,9 +136,8 @@ public class AuthorizationRequestFilter extends GenericFilterBean {
// we're OK, continue without prompting
chain.doFilter(req, res);
} else {
logger.info("Client requested no prompt");
// user hasn't been logged in, we need to "return an error"
logger.info("User not logged in, no prompt requested, returning error from filter");
if (client != null && authRequest.getRedirectUri() != null) {
// if we've got a redirect URI then we'll send it

Write Preview
Loading…
Cancel
Save