[Yanel-commits] rev 30810 -
public/yanel/trunk/src/webapp/src/java/org/wyona/yanel/servlet/security/impl
michi at wyona.com
michi at wyona.com
Sat Jan 26 23:26:21 CET 2008
Author: michi
Date: 2008-01-26 23:26:20 +0100 (Sat, 26 Jan 2008)
New Revision: 30810
Modified:
public/yanel/trunk/src/webapp/src/java/org/wyona/yanel/servlet/security/impl/DefaultWebAuthenticatorImpl.java
Log:
config parameter added to prevent an OpenID user creation attack
Modified: public/yanel/trunk/src/webapp/src/java/org/wyona/yanel/servlet/security/impl/DefaultWebAuthenticatorImpl.java
===================================================================
--- public/yanel/trunk/src/webapp/src/java/org/wyona/yanel/servlet/security/impl/DefaultWebAuthenticatorImpl.java 2008-01-26 22:25:39 UTC (rev 30809)
+++ public/yanel/trunk/src/webapp/src/java/org/wyona/yanel/servlet/security/impl/DefaultWebAuthenticatorImpl.java 2008-01-26 22:26:20 UTC (rev 30810)
@@ -56,12 +56,16 @@
// NOTE: The OpenID consumer manager needs to be the same instance for redirect to provider and provider verification
private ConsumerManager manager;
+ private boolean allowOpenIdUserCreation;
/**
*
*/
public void init(org.w3c.dom.Document configuration, javax.xml.transform.URIResolver resolver) throws Exception {
manager = new ConsumerManager();
+
+ // TODO: Make this configurable in order to prevent OpenID user creation attack
+ allowOpenIdUserCreation = true;
}
/**
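Review bot: `allowOpenIdUserCreation` is hardcoded to `true` at the end of init(), so the auto-creation path the log message says this commit addresses stays open, and the `configuration` Document handed to init() is never consulted for the value. While the TODO stands the safer default is fail-closed, `allowOpenIdUserCreation = false;`, with the flag only flipped to true once it is actually read from the configuration. The new field also lacks any comment; a one-liner such as `// When false, an unknown OpenID identity is rejected instead of having a user auto-created` would document the intent.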
@@ -129,16 +133,18 @@
UserManager uManager = realm.getIdentityManager().getUserManager();
String openIdentity = request.getParameter("openid.identity");
if (openIdentity != null) {
- if (!uManager.existsUser(openIdentity)) {
+ if (!uManager.existsUser(openIdentity) && allowOpenIdUserCreation) {
uManager.createUser(openIdentity, null, null, null);
log.warn("An OpenID user has been created: " + openIdentity);
}
User user = uManager.getUser(openIdentity);
+ //User user = uManager.getUser(openIdentity, true);
IdentityMap identityMap = (IdentityMap)request.getSession(true).getAttribute(YanelServlet.IDENTITY_MAP_KEY);
if (identityMap == null) {
identityMap = new IdentityMap();
request.getSession().setAttribute(YanelServlet.IDENTITY_MAP_KEY, identityMap);
}
+ log.debug("User: " + user.getID());
identityMap.put(realm.getID(), new Identity(user));
// OpenID authentication successful, hence return null instead an "exceptional" response
// TODO: Do not return null (although successful), but rather strip-off all the openid query string stuff and then do a redirect
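Review bot: When `allowOpenIdUserCreation` is false and the identity is unknown, the widened condition skips createUser() but control still falls through to `uManager.getUser(openIdentity)` and `identityMap.put(realm.getID(), new Identity(user))`, so an unknown OpenID is either registered into the session with a non-existent user or, if getUser() returns null for absent users (not visible in this hunk), dereferenced at the added `log.debug("User: " + user.getID())`. The disabled case needs an explicit rejection before getUser(), e.g. `if (!uManager.existsUser(openIdentity)) { log.warn("OpenID user does not exist and auto-creation is disabled: " + openIdentity); return /* the error response this method uses elsewhere */; }` placed right after the creation block. The commented-out `//User user = uManager.getUser(openIdentity, true);` should be removed rather than left in. The enclosing method starts and ends outside the hunk.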