suggestions for limiting openid providers

    It seems that mapping to provider URLs is done automatically by openid-selector. Consequently, I believe that by just manipulating JavaScript or even HTML, the end user could interpose their own rogue provider. If I am misunderstanding and this is a non-concern, please inform me.

    If this is a real concern, then I want to insert a test for the provider URLs. I really don't want to subclass the Spring Security OpenID classes and then lose all of the benefits of the openid* namespace elements, but without doing that it seems that I can only filter on the provider-supplied values that are in the token passed to AuthenticationUserDetailsService.loadUserDetails. I think these values are derived from what the provider sends, so that a rogue provider could return an "entity URL" posing as an entity URL from a trusted provider. Therefore, I think I need to test the provider's URL, not the entity URL.

  • #2
    The easiest way I can think of doing this is by overriding the ConsumerManager that is injected into the OpenID4JavaConsumer. You can stick to using the namespace and still customize it by using the tip on the FAQ.

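As an added example, not part of the original thread and not code from Spring Security or openid4java: the approach rwinch suggests, a ConsumerManager subclass that applies a provider allow-list at discovery time, before the consumer associates with or redirects to the provider. It assumes the openid4java 0.9.x API (ConsumerManager.discover() returning a raw List of DiscoveryInformation, DiscoveryInformation.getOPEndpoint() returning the endpoint URL); the trusted host op.trusted.example and the discovery results built in main() are constructed for the demonstration, not fetched from anywhere.

```java
import java.net.MalformedURLException;
import java.net.URL;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Set;

import org.openid4java.consumer.ConsumerException;
import org.openid4java.consumer.ConsumerManager;
import org.openid4java.discovery.DiscoveryException;
import org.openid4java.discovery.DiscoveryInformation;

/**
 * A ConsumerManager that refuses to deal with any OpenID provider whose
 * endpoint is not served over HTTPS from an allow-listed host.
 *
 * Spring Security's OpenID4JavaConsumer calls discover() with whatever
 * identifier arrived in the login form, then associate() and authenticate()
 * on the result, and later verify() with the DiscoveryInformation it kept in
 * the session. Filtering here means a rogue provider smuggled in through a
 * tampered openid-selector form never receives an association or an
 * authentication request, and the response is only ever verified against an
 * endpoint that passed the check.
 *
 * Example code written for this thread; not part of Spring Security or
 * openid4java. Assumes the openid4java 0.9.x API.
 */
public class RestrictedConsumerManager extends ConsumerManager {

    private final Set<String> allowedHosts;

    /** @param allowedHosts lower-case host names of the trusted OP endpoints */
    public RestrictedConsumerManager(Set<String> allowedHosts) throws ConsumerException {
        super();
        this.allowedHosts = new HashSet<String>(allowedHosts);
    }

    /**
     * Runs normal discovery, then drops every endpoint that is not trusted.
     * Throwing DiscoveryException makes OpenID4JavaConsumer fail the login
     * with an OpenIDConsumerException instead of redirecting the user.
     */
    @Override
    public List<DiscoveryInformation> discover(String identifier) throws DiscoveryException {
        List<?> discovered = super.discover(identifier);
        List<DiscoveryInformation> trusted = filterTrusted(discovered, allowedHosts);
        if (trusted.isEmpty()) {
            throw new DiscoveryException("No allow-listed OpenID provider found for " + identifier);
        }
        return trusted;
    }

    /** Keeps only the discovery results whose OP endpoint passes isTrustedEndpoint(). */
    static List<DiscoveryInformation> filterTrusted(List<?> discoveries, Set<String> allowedHosts) {
        List<DiscoveryInformation> kept = new ArrayList<DiscoveryInformation>();
        for (Object o : discoveries) {
            DiscoveryInformation info = (DiscoveryInformation) o;
            if (isTrustedEndpoint(info.getOPEndpoint(), allowedHosts)) {
                kept.add(info);
            }
        }
        return kept;
    }

    /**
     * The actual policy: HTTPS only, and the parsed host must match an
     * allow-list entry exactly. Comparing the parsed host, rather than running
     * a prefix or regex match over the URL string, is what keeps look-alike
     * hosts and userinfo tricks ("https://trusted@attacker/") from matching.
     */
    static boolean isTrustedEndpoint(URL endpoint, Set<String> allowedHosts) {
        if (endpoint == null || endpoint.getHost() == null) {
            return false;
        }
        if (!"https".equalsIgnoreCase(endpoint.getProtocol())) {
            return false;
        }
        return allowedHosts.contains(endpoint.getHost().toLowerCase(Locale.ROOT));
    }

    /** Offline demonstration on constructed discovery results; no network access. */
    public static void main(String[] args) throws MalformedURLException, DiscoveryException {
        // Hypothetical trusted provider host, constructed for this example.
        Set<String> allowed = new HashSet<String>(Arrays.asList("op.trusted.example"));

        List<DiscoveryInformation> found = new ArrayList<DiscoveryInformation>();
        found.add(new DiscoveryInformation(new URL("https://op.trusted.example/server")));         // trusted host, HTTPS
        found.add(new DiscoveryInformation(new URL("http://op.trusted.example/server")));          // same host, plain HTTP
        found.add(new DiscoveryInformation(new URL("https://op.trusted.example.evil.example/")));  // look-alike host
        found.add(new DiscoveryInformation(new URL("https://op.trusted.example@evil.example/")));  // userinfo; host is evil.example

        for (DiscoveryInformation info : filterTrusted(found, allowed)) {
            System.out.println("trusted endpoint: " + info.getOPEndpoint());
        }
    }
}
```

Wire an instance of this class in as the ConsumerManager passed to OpenID4JavaConsumer's constructor in place of the default one; the FAQ tip rwinch refers to is about swapping that bean while keeping the openid namespace configuration. Note that the user-supplied identifier is still fetched during discovery itself; if contacting it at all is a concern, validate the submitted identifier before discover() is reached.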


    • #3
      Great tips. Thanks.



      • #4
        Originally posted by rwinch
        The easiest way I can think of doing this is by overriding the ConsumerManager that is injected into the OpenID4JavaConsumer. You can stick to using the namespace and still customize it by using the tip on the FAQ.
        I get a lot of convenience out of using XML configs to wire in properties, and bean post-processors as in the FAQ item don't let you do that. Using an ApplicationListener instead of a BeanPostProcessor lets me pass in the URL matching patterns declaratively.

        Since I already have more custom Spring Security classes than I want, and I have several customizations to the OpenIDAuthenticationFilter class already, I added the provider URL restrictions to OpenIDAuthenticationFilter.attemptAuthentication(). If I weren't behind schedule, I'd restrict earlier in the ConsumerManager as you suggest.

        Provider URLs are restricted as I want now. Thanks for your help.


        POSTNOTE: Turns out that OpenIDAuthenticationFilter.attemptAuthentication is just as efficient as doing this in the OpenID4JavaConsumer, because the provider URL is only handled in classes provided by the Openid4java library. Doing it more efficiently would require customization of Openid4java, and I definitely don't want that maintenance chore.
        Last edited by blaine; Apr 4th, 2011, 07:14 AM. Reason: added new finding



        • #5
          If you are willing, it might be nice to hear some of the pain points you have had. I realize you have specified them through a number of threads, but providing them in a concise list might make it easier to determine if a few enhancements could be made to make life easier for you and others in the future.
