TheBeruriahIncident / openid4java

Automatically exported from code.google.com/p/openid4java
Apache License 2.0

Leaking actual server name with Reverse proxy #197

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Set up RP behind a reverse proxy with machine name as Machine_name.domain.com (FQDN)
2. Start an OpenID authentication request to an OpenID provider by accessing Reverse proxy say example.domain.com
3. You will find "Machine_name.domain.com is asking for some information from your Google Account."

What is the expected output? What do you see instead?
It should display "example.domain.com is asking for some information from your Google Account" instead of "Machine_name.domain.com is asking for some information from your Google Account"

What version of the product are you using? On what operating system?
openid4java-0.9.7

Please provide any additional information below.
If the application is configured with reverse proxy, then what security does it provide by displaying the actual server name (Machine_name.domain.com) to the end user?

Original issue reported on code.google.com by mramas...@logitech.com on 10 May 2013 at 10:23

GoogleCodeExporter commented 9 years ago
This can be solved by using Realms

Original comment by mramas...@logitech.com on 13 May 2013 at 11:16
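
An added example, not code from this thread or from the openid4java project, showing one way to apply the realm fix: the realm and return_to are built from a configured public URL of the reverse proxy, so the provider's consent page shows example.domain.com rather than the backend name. The class `ProxyAwareOpenIdLogin` and its method and parameter names are hypothetical; it assumes the backend hostname reached the provider because the URLs were derived from the incoming request.

```java
import java.net.URI;
import java.util.List;
import org.openid4java.consumer.ConsumerManager;
import org.openid4java.discovery.DiscoveryInformation;
import org.openid4java.message.AuthRequest;

/** Added example: builds realm and return_to from a configured public URL. */
public class ProxyAwareOpenIdLogin {
    // Assumption: the externally visible base URL comes from deployment config,
    // never from the servlet request, which behind a proxy may carry the backend host.
    private final String publicBase;      // e.g. "https://example.domain.com"
    private final ConsumerManager manager;

    public ProxyAwareOpenIdLogin(String publicBaseUrl, ConsumerManager manager) {
        URI u = URI.create(publicBaseUrl);
        if (u.getScheme() == null || u.getHost() == null) {
            throw new IllegalArgumentException("public base URL must be absolute");
        }
        // Keep only scheme and authority so paths in the config cannot widen the realm.
        this.publicBase = u.getScheme() + "://" + u.getAuthority();
        this.manager = manager;
    }

    /** Realm sent to the provider: the proxy's public origin. */
    public String realm() { return publicBase + "/"; }

    /** return_to must fall under the realm, so it is built from the same origin. */
    public String returnTo(String callbackPath) { return publicBase + callbackPath; }

    /** Returns the provider URL to redirect the browser to. */
    public String beginLogin(String userSuppliedId, String callbackPath) throws Exception {
        List discoveries = manager.discover(userSuppliedId);
        DiscoveryInformation discovered = manager.associate(discoveries);
        // Three-argument overload: the realm is passed explicitly.
        AuthRequest authReq =
            manager.authenticate(discovered, returnTo(callbackPath), realm());
        return authReq.getDestinationUrl(true);
    }

    /** URL to pass to manager.verify(): public origin plus path and query as received. */
    public String receivingUrl(String requestUri, String queryString) {
        boolean hasQuery = queryString != null && !queryString.isEmpty();
        return publicBase + requestUri + (hasQuery ? "?" + queryString : "");
    }
}
```

The same public origin has to be used when the response comes back, because the receiving URL given to `manager.verify()` is checked against the return_to that was sent.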