docmasterdigitalsolutions / openid4java

Automatically exported from code.google.com/p/openid4java
Apache License 2.0

NullPointerException in ConsumerManager.extractConsumerNonce() #167

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
When trying to use unsolicited responses to an openid4java RP, the return_to URL 
may not contain any query string.
Unfortunately, extractConsumerNonce() relies on a query string being 
present.

What steps will reproduce the problem?
1. Set up the simple-openid scenario
2. Use 
http://localhost:8080/simple-openid/provider.jsp?openid.identity=http%3A%2F%2Flocalhost%3A8080%2Fsimple-openid%2Fuser.jsp&openid.return_to=http%3A%2F%2Flocalhost%3A8080%2Fsimple-openid%2Fconsumer_returnurl.jsp&openid.trust_root=http%3A%2F%2Flocalhost%3A8080%2Fsimple-openid%2Fconsumer_returnurl.jsp&openid.assoc_handle=1319553784609-0&openid.mode=checkid_setup
3. Stacktrace on RP:
java.lang.NullPointerException
    at org.openid4java.consumer.ConsumerManager.extractConsumerNonce(ConsumerManager.java:1428)
    at org.openid4java.consumer.ConsumerManager.verifyNonce(ConsumerManager.java:1331)
    at org.openid4java.consumer.ConsumerManager.verify(ConsumerManager.java:1169)
    at org.apache.jsp.consumer_005freturnurl_jsp._jspService(consumer_005freturnurl_jsp.java:96)
    at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
    at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:419)
    at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:390)
    at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:333)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:304)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:240)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:164)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:462)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:164)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:399)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:317)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:204)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:311)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603)
    at java.lang.Thread.run(Thread.java:722)

Using openid4java 0.9.6

Original issue reported on code.google.com by seldor.s...@gmail.com on 26 Oct 2011 at 6:26

GoogleCodeExporter commented 9 years ago
Unsolicited responses are only supported in 2.0.
1.x doesn't have server nonces, so consumer nonces are required for preventing 
replay attacks.

Fixed in r683 to not NPE and just fail consumer nonce verification if nonce is 
missing.

Original comment by Johnny.B...@gmail.com on 31 Oct 2012 at 7:47
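The failure mode in this thread, and the behaviour the fix describes (fail nonce verification instead of throwing when the nonce is absent), as an added stand-alone example. This is not openid4java's code: it models an RP that stamps a consumer nonce into return_to, extracts it on the way back, and rejects a missing, stale or replayed nonce. The parameter name openid.rpnonce, the "<unix seconds>-<random hex>" nonce format, the 300-second window and the localhost URLs are assumptions made for this example.

```python
# Added example, not openid4java's code. Models consumer-nonce handling for an
# OpenID relying party: insert the nonce into return_to, extract it on return,
# and treat "no query string" (as with an unsolicited assertion) as a failed
# verification rather than a crash. Parameter name, nonce format and the
# max-age value below are assumptions for this example.
import secrets
import time
from typing import Optional, Set, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

NONCE_PARAM = "openid.rpnonce"   # assumed parameter name
MAX_NONCE_AGE = 300              # assumed validity window in seconds


def make_consumer_nonce(now: Optional[int] = None) -> str:
    """Constructed nonce format: '<unix seconds>-<random hex>'."""
    ts = int(time.time()) if now is None else now
    return f"{ts}-{secrets.token_hex(8)}"


def insert_consumer_nonce(return_to: str, nonce: str) -> str:
    """Append the consumer nonce to return_to, keeping any existing query."""
    parts = urlsplit(return_to)
    query = parse_qs(parts.query, keep_blank_values=True)
    query[NONCE_PARAM] = [nonce]
    return urlunsplit(parts._replace(query=urlencode(query, doseq=True)))


def extract_consumer_nonce_naive(return_to: str) -> str:
    """The shape of the bug: assumes a '?' is present. On a bare return_to
    this raises (IndexError here, the NPE in the issue) instead of
    reporting that the nonce is missing."""
    query = return_to.split("?", 1)[1]        # IndexError when no query string
    return parse_qs(query)[NONCE_PARAM][0]    # KeyError when nonce is absent


def extract_consumer_nonce(return_to: str) -> Optional[str]:
    """Defensive version: None when there is no query string or no nonce."""
    query = urlsplit(return_to).query
    if not query:
        return None
    values = parse_qs(query, keep_blank_values=True).get(NONCE_PARAM)
    if not values or not values[0]:
        return None
    return values[0]


class ConsumerNonceVerifier:
    """Rejects missing, malformed, stale and replayed consumer nonces.
    In-memory state only; a clustered RP would need shared storage."""

    def __init__(self, max_age: int = MAX_NONCE_AGE):
        self.max_age = max_age
        self._seen: Set[Tuple[str, str]] = set()   # (op_endpoint, nonce)

    def verify(self, op_endpoint: str, return_to: str,
               now: Optional[int] = None) -> Tuple[bool, str]:
        now = int(time.time()) if now is None else now
        nonce = extract_consumer_nonce(return_to)
        if nonce is None:
            return False, "consumer nonce missing from return_to"
        ts_str, sep, _rand = nonce.partition("-")
        if not sep or not ts_str.isdigit():
            return False, "malformed consumer nonce"
        age = now - int(ts_str)
        if age < 0 or age > self.max_age:
            return False, "consumer nonce expired or from the future"
        key = (op_endpoint, nonce)
        if key in self._seen:
            return False, "consumer nonce already used (replay)"
        self._seen.add(key)
        return True, "ok"


def demo() -> dict:
    """Walks the scenario from the issue with constructed URLs."""
    op = "http://localhost:8080/simple-openid/provider.jsp"
    bare = "http://localhost:8080/simple-openid/consumer_returnurl.jsp"  # no query
    v = ConsumerNonceVerifier()
    results = {}
    try:
        extract_consumer_nonce_naive(bare)
        results["naive"] = "no error"
    except (IndexError, KeyError) as exc:
        results["naive"] = type(exc).__name__
    results["bare"] = v.verify(op, bare, now=1000)          # fails, no crash
    stamped = insert_consumer_nonce(bare, make_consumer_nonce(now=1000))
    results["first"] = v.verify(op, stamped, now=1010)      # accepted
    results["replay"] = v.verify(op, stamped, now=1011)     # rejected
    stale = insert_consumer_nonce(bare, make_consumer_nonce(now=1000))
    results["stale"] = v.verify(op, stale, now=2000)        # rejected
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The point of the defensive path is that an assertion arriving without the RP's nonce is simply unverifiable under the 1.x model and should be rejected as such; an exception here gives the caller no signal and, as the trace above shows, surfaces as a 500 from the JSP.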