[Yanel-commits] rev 30810 - public/yanel/trunk/src/webapp/src/java/org/wyona/yanel/servlet/security/impl

michi at wyona.com michi at wyona.com
Sat Jan 26 23:26:21 CET 2008


Author: michi
Date: 2008-01-26 23:26:20 +0100 (Sat, 26 Jan 2008)
New Revision: 30810

Modified:
   public/yanel/trunk/src/webapp/src/java/org/wyona/yanel/servlet/security/impl/DefaultWebAuthenticatorImpl.java
Log:
config parameter added to prevent an OpenID user creation attack

Modified: public/yanel/trunk/src/webapp/src/java/org/wyona/yanel/servlet/security/impl/DefaultWebAuthenticatorImpl.java
===================================================================
--- public/yanel/trunk/src/webapp/src/java/org/wyona/yanel/servlet/security/impl/DefaultWebAuthenticatorImpl.java	2008-01-26 22:25:39 UTC (rev 30809)
+++ public/yanel/trunk/src/webapp/src/java/org/wyona/yanel/servlet/security/impl/DefaultWebAuthenticatorImpl.java	2008-01-26 22:26:20 UTC (rev 30810)
@@ -56,12 +56,16 @@
 
     // NOTE: The OpenID consumer manager needs to be the same instance for redirect to provider and provider verification
     private ConsumerManager manager;
+    private boolean allowOpenIdUserCreation;
 
     /**
      *
      */
     public void init(org.w3c.dom.Document configuration, javax.xml.transform.URIResolver resolver) throws Exception {
         manager = new ConsumerManager();
+
+        // TODO: Make this configurable in order to prevent OpenID user creation attack
+        allowOpenIdUserCreation = true;
     }
 
     /**
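Review bot: `allowOpenIdUserCreation = true;` in init() leaves the new guard permanently open, even though the `configuration` Document is already passed in and the log message says a config parameter was added; until the value is read from that document the commit does not actually prevent anything. Since the stated purpose is to stop unsolicited account creation, the fail-closed default is `allowOpenIdUserCreation = false;`, with the TODO comment above it rephrased to `// TODO: Read this flag from 'configuration'; it defaults to false so OpenID logins cannot create accounts unless explicitly enabled`. The field should also get a one-line comment stating what it gates, e.g. `// When false, an OpenID identity that has no local user account is not auto-provisioned (see doAuthenticate)`. The enclosing class continues outside this hunk, so the name of the configuration element is for the author to choose.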
@@ -129,16 +133,18 @@
                     UserManager uManager = realm.getIdentityManager().getUserManager();
                     String openIdentity = request.getParameter("openid.identity");
                     if (openIdentity != null) {
-                        if (!uManager.existsUser(openIdentity)) {
+                        if (!uManager.existsUser(openIdentity) && allowOpenIdUserCreation) {
                             uManager.createUser(openIdentity, null, null, null);
                             log.warn("An OpenID user has been created: " + openIdentity);
                         }
                         User user = uManager.getUser(openIdentity);
+                        //User user = uManager.getUser(openIdentity, true);
                         IdentityMap identityMap = (IdentityMap)request.getSession(true).getAttribute(YanelServlet.IDENTITY_MAP_KEY);
                         if (identityMap == null) {
                             identityMap = new IdentityMap();
                             request.getSession().setAttribute(YanelServlet.IDENTITY_MAP_KEY, identityMap);
                         }
+                        log.debug("User: " + user.getID());
                         identityMap.put(realm.getID(), new Identity(user));
                         // OpenID authentication successful, hence return null instead an "exceptional" response
                         // TODO: Do not return null (although successful), but rather strip-off all the openid query string stuff and then do a redirect
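Review bot: With `allowOpenIdUserCreation` false and no existing user, the code still falls through to `uManager.getUser(openIdentity)` and then the newly added `log.debug("User: " + user.getID());`, so the denied case presumably ends in a NullPointerException (or a null-backed `Identity` stored in the session) rather than a clean rejection, depending on what getUser returns for an unknown name. The branch needs an explicit deny path right after the lookup, e.g. `if (user == null) { log.warn("OpenID identity has no local user and creation is disabled: " + openIdentity); /* return the unauthenticated response used elsewhere in this method */ }`; the enclosing method and its failure response lie outside the hunk. Note that `openIdentity` is taken straight from the `openid.identity` request parameter, so this guard relies on the provider verification having succeeded earlier in the method, which is not visible here. The commented-out `//User user = uManager.getUser(openIdentity, true);` line should be dropped rather than committed.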


