asanso / openid4java

Automatically exported from code.google.com/p/openid4java
Apache License 2.0
0 stars 0 forks source link

Can not login with some ids #129

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
What steps will reproduce the problem?
1. login with "http://kingsley.idehen.net/dataspace/person/kidehen" openid

What is the expected output? What do you see instead?
Login. Error.

What version of the product are you using? On what operating system?
0.9.5

Please provide any additional information below.

In the logs i see:
Starting discovery on URL identifier: 
http://kingsley.idehen.net/dataspace/person/kidehen
and that's all.
So it's possible that no end points found.

Original issue reported on code.google.com by nnn...@gmail.com on 16 Sep 2010 at 11:06

GoogleCodeExporter commented 8 years ago
Oh. I've found exception.
I didn't see, because there was no logging in my catch block.

Here it is:

org.openid4java.discovery.yadis.YadisException: 0x704: I/O transport error: 
    at org.openid4java.discovery.yadis.YadisResolver.retrieveXrdsLocation(YadisResolver.java:432)
    at org.openid4java.discovery.yadis.YadisResolver.discover(YadisResolver.java:229)
    at org.openid4java.discovery.yadis.YadisResolver.discover(YadisResolver.java:221)
    at org.openid4java.discovery.yadis.YadisResolver.discover(YadisResolver.java:179)
    at org.openid4java.discovery.Discovery.discover(Discovery.java:134)
    at org.openid4java.discovery.Discovery.discover(Discovery.java:114)
    at org.openid4java.consumer.ConsumerManager.discover(ConsumerManager.java:527)
    at org.apache.jsp.consumer_005fredirect_jsp._jspService(consumer_005fredirect_jsp.java from :82)
    at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:109)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:847)
    at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:389)
    at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:486)
    at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:380)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:847)
    at org.apache.catalina.core.ApplicationFilterChain.servletService(ApplicationFilterChain.java:427)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:315)
    at org.apache.catalina.core.StandardContextValve.invokeInternal(StandardContextValve.java:287)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:218)
    at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:648)
    at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:593)
    at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:94)
    at com.sun.enterprise.web.PESessionLockingStandardPipeline.invoke(PESessionLockingStandardPipeline.java:98)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:222)
    at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:648)
    at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:593)
    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:587)
    at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:1096)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:166)
    at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:648)
    at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:593)
    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:587)
    at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:1096)
    at org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:288)
    at com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.invokeAdapter(DefaultProcessorTask.java:647)
    at com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.doProcess(DefaultProcessorTask.java:579)
    at com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.process(DefaultProcessorTask.java:831)
    at com.sun.enterprise.web.connector.grizzly.DefaultReadTask.executeProcessorTask(DefaultReadTask.java:341)
    at com.sun.enterprise.web.connector.grizzly.DefaultReadTask.doTask(DefaultReadTask.java:263)
    at com.sun.enterprise.web.connector.grizzly.DefaultReadTask.doTask(DefaultReadTask.java:214)
    at com.sun.enterprise.web.connector.grizzly.TaskBase.run(TaskBase.java:265)
    at com.sun.enterprise.web.connector.grizzly.ssl.SSLWorkerThread.run(SSLWorkerThread.java:106)
Caused by: java.net.UnknownHostException: http
    at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:177)
    at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:366)
    at java.net.Socket.connect(Socket.java:529)
    at java.net.Socket.connect(Socket.java:478)
    at java.net.Socket.<init>(Socket.java:375)
    at java.net.Socket.<init>(Socket.java:249)
    at org.apache.commons.httpclient.protocol.DefaultProtocolSocketFactory.createSocket(DefaultProtocolSocketFactory.java:79)
    at org.apache.commons.httpclient.protocol.ControllerThreadSocketFactory$1.doit(ControllerThreadSocketFactory.java:90)
    at org.apache.commons.httpclient.protocol.ControllerThreadSocketFactory$SocketTask.run(ControllerThreadSocketFactory.java:157)
    at java.lang.Thread.run(Thread.java:619)

Original comment by nnn...@gmail.com on 17 Sep 2010 at 10:52

GoogleCodeExporter commented 8 years ago
Ok. Last version (build from sources) returns another exception.
But LiveJournal and StackOverflow works fine with specified Id.

org.openid4java.discovery.yadis.YadisException: 0x705: A Yadis Resource 
Descriptor URL MUST be an absolute URL and it must be HTTP or HTTPS; found: 
yadis.xrds
    at org.openid4java.discovery.yadis.YadisResult.setXrdsLocation(YadisResult.java:113)
    at org.openid4java.discovery.yadis.YadisResolver.retrieveXrdsLocation(YadisResolver.java:407)
    at org.openid4java.discovery.yadis.YadisResolver.discover(YadisResolver.java:245)
    at org.openid4java.discovery.yadis.YadisResolver.discover(YadisResolver.java:229)
    at org.openid4java.discovery.yadis.YadisResolver.discover(YadisResolver.java:163)
    at org.openid4java.discovery.Discovery.discover(Discovery.java:147)
    at org.openid4java.discovery.Discovery.discover(Discovery.java:129)
    at org.openid4java.consumer.ConsumerManager.discover(ConsumerManager.java:542)
    at org.apache.jsp.consumer_005fredirect_jsp._jspService(consumer_005fredirect_jsp.java from :82)
    at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:109)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:847)
    at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:389)
    at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:486)
    at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:380)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:847)
    at org.apache.catalina.core.ApplicationFilterChain.servletService(ApplicationFilterChain.java:427)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:315)
    at org.apache.catalina.core.StandardContextValve.invokeInternal(StandardContextValve.java:287)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:218)
    at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:648)
    at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:593)
    at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:94)
    at com.sun.enterprise.web.PESessionLockingStandardPipeline.invoke(PESessionLockingStandardPipeline.java:98)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:222)
    at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:648)
    at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:593)
    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:587)
    at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:1096)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:166)
    at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:648)
    at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:593)
    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:587)
    at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:1096)
    at org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:288)
    at com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.invokeAdapter(DefaultProcessorTask.java:647)
    at com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.doProcess(DefaultProcessorTask.java:579)
    at com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.process(DefaultProcessorTask.java:831)
    at com.sun.enterprise.web.connector.grizzly.DefaultReadTask.executeProcessorTask(DefaultReadTask.java:341)
    at com.sun.enterprise.web.connector.grizzly.DefaultReadTask.doTask(DefaultReadTask.java:263)
    at com.sun.enterprise.web.connector.grizzly.DefaultReadTask.doTask(DefaultReadTask.java:214)
    at com.sun.enterprise.web.portunif.PortUnificationPipeline$PUTask.doTask(PortUnificationPipeline.java:380)
    at com.sun.enterprise.web.connector.grizzly.TaskBase.run(TaskBase.java:265)
    at com.sun.enterprise.web.connector.grizzly.ssl.SSLWorkerThread.run(SSLWorkerThread.java:106)

Original comment by nnn...@gmail.com on 17 Sep 2010 at 11:46

GoogleCodeExporter commented 8 years ago
I've investigated the problem and it seems that there are some issues on the 
both sides - openid4java library and Virtuoso Server.

Fire Bug says that Virtuoso Server
for "http://kingsley.idehen.net/dataspace/person/kidehen"
returns this header:
-----------------
Server    Virtuoso/06.02.3128 (Linux) x86_64-unknown-linux-gnu VDB
Connection    Keep-Alive
Date    Sat, 18 Sep 2010 00:24:54 GMT
Accept-Ranges    bytes
X-XRDS-Location    yadis.xrds
Link    <http://kingsley.idehen.net/dataspace/person/kidehen#this>; 
rel="http://xmlns.com/foaf/0.1/primaryTopic", 
<http://kingsley.idehen.net/dataspace/person/kidehen#this>; rev="describedby", 
<http://kingsley.idehen.net/activities/feeds/activities/user/kidehen>; 
rel="http://schemas.google.com/g/2010#updates-from"; 
type="application/atom+xml", 
<http://kingsley.idehen.net/sparql?default-graph-uri=http://kingsley.idehen.net/
dataspace>; title="Public SPARQL Service"; 
rel="http://ontologi.es/sparql#fingerpoint", 
<http://kingsley.idehen.net/dataspace/person/kidehen/about.rdf>; 
rel="alternate"; type="application/rdf+xml"; title="Structured Descriptor 
Document (RDF/XML format)", 
<http://kingsley.idehen.net/dataspace/person/kidehen/about.nt>; 
rel="alternate"; type="text/n3"; title="Structured Descriptor Document 
(N3/Turtle format)", 
<http://kingsley.idehen.net/dataspace/person/kidehen/about.n3>; 
rel="alternate"; type="text/rdf+n3"; title="Structured Descriptor Document 
(N3/Turtle format)", 
<http://kingsley.idehen.net/dataspace/person/kidehen/about.json>; 
rel="alternate"; type="application/json"; title="Structured Descriptor Document 
(RDF/JSON format)", 
<http://kingsley.idehen.net/ods/describe?uri=acct%3Akidehen@kingsley.idehen.net>
; rel="webfinger"
Content-Type    text/html; charset=UTF-8
Content-Length    56327
-----------------

As you see X-XRDS-Location is "yadis.xrds".
And it's wrong.
It should be "http://kingsley.idehen.net/dataspace/kidehen/yadis.xrds".

openid4java understands that something wrong in the header,
but does not make additional GET request for some reasons. 

Original comment by nnn...@gmail.com on 18 Sep 2010 at 1:07

GoogleCodeExporter commented 8 years ago
Simple fix:
Index: test/src/org/openid4java/discovery/yadis/YadisResolverTest.java
===================================================================
--- test/src/org/openid4java/discovery/yadis/YadisResolverTest.java (revision 
643)
+++ test/src/org/openid4java/discovery/yadis/YadisResolverTest.java (working 
copy)
@@ -214,7 +214,9 @@
         catch (DiscoveryException expected)
         {
             assertEquals(expected.getMessage(),
-                    OpenIDException.YADIS_HEAD_INVALID_RESPONSE, 
expected.getErrorCode());
+                    OpenIDException.YADIS_GET_INVALID_RESPONSE, 
expected.getErrorCode());
+//            assertEquals(expected.getMessage(),
+//                    OpenIDException.YADIS_HEAD_INVALID_RESPONSE, 
expected.getErrorCode());
         }

         try
Index: src/org/openid4java/discovery/yadis/YadisResolver.java
===================================================================
--- src/org/openid4java/discovery/yadis/YadisResolver.java  (revision 643)
+++ src/org/openid4java/discovery/yadis/YadisResolver.java  (working copy)
@@ -358,7 +358,7 @@
     private YadisResult retrieveXrdsLocation(
         YadisUrl url, boolean useGet, int maxRedirects, Set serviceTypes)
         throws DiscoveryException
-    {
+    {        
         try
         {
             YadisResult result = new YadisResult();
@@ -403,11 +403,21 @@
             }
             else if (locationHeaders != null && locationHeaders.length > 0)
             {
-                // we have exactly one xrds location header
-                result.setXrdsLocation(locationHeaders[0].getValue(),
-                    useGet ? OpenIDException.YADIS_GET_INVALID_RESPONSE :
-                        OpenIDException.YADIS_HEAD_INVALID_RESPONSE);
-                result.setNormalizedUrl(resp.getFinalUri());
+                try {
+                    // we have exactly one xrds location header
+                    result.setXrdsLocation(locationHeaders[0].getValue(),
+                        useGet ? OpenIDException.YADIS_GET_INVALID_RESPONSE :
+                            OpenIDException.YADIS_HEAD_INVALID_RESPONSE);
+                    result.setNormalizedUrl(resp.getFinalUri());
+                }
+                catch (YadisException e)
+                {
+                    if(!useGet) {
+                        return retrieveXrdsLocation(url, true, maxRedirects, 
serviceTypes);
+                    } else {
+                        throw e;
+                    }
+                }
             }
             else if (contentType != null && contentType.getValue() != null &&
                      contentType.getValue().split(";")[0].equalsIgnoreCase(YADIS_CONTENT_TYPE) &&

Original comment by nnn...@gmail.com on 18 Sep 2010 at 1:12

GoogleCodeExporter commented 8 years ago
> openid4java understands that something wrong in the header,

That would indicate a discovery failure, per yadis spec.

> but does not make additional GET request for some reasons

What's a valid reason (as far as discovery specs are concerned) for expecting 
that additional requests are made, once an (invalid) header was provided by the 
server?

Original comment by Johnny.B...@gmail.com on 18 Sep 2010 at 1:13

GoogleCodeExporter commented 8 years ago
Sure, you are right.

But some users have problems and they will think that it's a problem in your 
library.
LiveJournal and StackOverflow works fine with Virtuoso openids.
Also it should not be usual situation, so there will be no performance issues 
around patch.

Anyway I've patched my local version :)

Regards,
Nick.

Original comment by nnn...@gmail.com on 18 Sep 2010 at 2:21

GoogleCodeExporter commented 8 years ago
The library tells what the error is: "A Yadis Resource Descriptor URL MUST be 
an absolute URL and it must be HTTP or HTTPS; found: yadis.xrds".

The patch is incompliant with the spec, which states that the xrds location 
discovered from the header takes precedence. A further GET should only be made 
if there is no header, not if the value is invalid.

Suppose an attacker can compromise the xrds location served from html content 
but not the one from the header. The patch submitted here would aid the 
attacker in this case.

The current/unpatched implementation would just fail as expected, since the 
server's discovery data is misconfigured.

Original comment by Johnny.B...@gmail.com on 18 Sep 2010 at 2:36

GoogleCodeExporter commented 8 years ago
ok.

I've written to Virtuoso community.

I guess this bug could be fixed as invalid.

Thank you very much.

Best regards,
Nick.

Original comment by nnn...@gmail.com on 18 Sep 2010 at 11:16

GoogleCodeExporter commented 8 years ago

Original comment by Johnny.B...@gmail.com on 31 Oct 2012 at 11:20