Spring Security
SEC-973

OpenIDAuthenticationProcessingFilter assumes https uses port 80

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.0.2, 2.0.3
    • Fix Version/s: 3.0.0 RC1
    • Component/s: OpenID
    • Labels:
      None
    • Environment:
      mac, linux

      Description

      OpenIDAuthenticationProcessingFilter, when parsing the returnToUrl, assumes port 80 even when https is used. There should be some logic to utilize port 443, the default port for https, if url.getPort() equals -1.

      if (mapping == null) {
          try {
              URL url = new URL(returnToUrl);
              // Falls back to port 80 whenever no explicit port is present, even for https
              int port = (url.getPort() == -1) ? 80 : url.getPort();

      Workaround is to utilize the realmMapping property to make a hard mapping between the returnToUrl and the existing returnToUrl, bypassing the flawed logic, i.e.:

      <b:bean id="openIdFilter" class="org.springframework.security.ui.openid.OpenIDAuthenticationProcessingFilter">
          <custom-filter position="AUTHENTICATION_PROCESSING_FILTER"/>
          <b:property name="authenticationManager" ref="authenticationManager"/>
          <b:property name="defaultTargetUrl" value="/index.jsp"/>
          <b:property name="authenticationFailureUrl" value="/openidlogin.jsp?login_error=true"/>
          <!-- the realmMapping property allows mapping through apache's mod proxy -->
          <b:property name="realmMapping">
              <b:map>
                  <b:entry key="https://sitename/j_spring_openid_security_check"
                           value="https://sitename/j_spring_openid_security_check"/>
              </b:map>
          </b:property>
      </b:bean>

      I also found that putting a debug statement in helped when doing the realmMapping, i.e.:

      protected String lookupRealm(String returnToUrl) {
          String mapping = (String) realmMapping.get(returnToUrl);
          // Logs the exact returnToUrl that must appear as a key in realmMapping
          log.debug("returnToUrl value = " + returnToUrl);

        Activity

        Luke Taylor added a comment -

        I'm not really sure why it was appending the port at all in the case where url.getPort() was -1. If the port is standard then it doesn't need to be added to the URL whether it's using http or https. I've modified the code to only add the port if the getPort() method returns a value > 0.

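To make the two behaviours concrete, the following stand-alone Java program (added here; it is not Spring Security's own code) re-implements the realm derivation from the fragments quoted in the report, beside the fix described in the resolution and the realmMapping workaround. It assumes the realm has the shape scheme://host[:port]/, since the quoted fragment stops before the string is built.

```java
import java.net.MalformedURLException;
import java.net.URL;
import java.util.HashMap;
import java.util.Map;

public class RealmLookupDemo {

    // Buggy derivation as quoted in the report: a URL with no explicit port is
    // treated as port 80, so an https return URL yields a realm that does not
    // match the actual https return_to URL.
    static String buggyRealm(String returnToUrl) throws MalformedURLException {
        URL url = new URL(returnToUrl);
        int port = (url.getPort() == -1) ? 80 : url.getPort();
        return url.getProtocol() + "://" + url.getHost() + ":" + port + "/";
    }

    // Fixed derivation following the resolution: the port is appended only when
    // getPort() returns a value > 0, so default http and https ports are omitted.
    static String fixedRealm(String returnToUrl) throws MalformedURLException {
        URL url = new URL(returnToUrl);
        String portPart = (url.getPort() > 0) ? ":" + url.getPort() : "";
        return url.getProtocol() + "://" + url.getHost() + portPart + "/";
    }

    // Lookup modelled on the report's lookupRealm: an explicit realmMapping entry
    // wins, and the derivation runs only when no mapping is configured.
    static String lookupRealm(Map<String, String> realmMapping, String returnToUrl)
            throws MalformedURLException {
        String mapping = realmMapping.get(returnToUrl);
        return (mapping != null) ? mapping : fixedRealm(returnToUrl);
    }

    public static void main(String[] args) throws MalformedURLException {
        // Constructed sample return URLs; "sitename" is the placeholder used in the report.
        String[] samples = {
            "https://sitename/j_spring_openid_security_check",       // https, default port
            "https://sitename:8443/j_spring_openid_security_check",  // explicit port is kept
            "http://sitename/j_spring_openid_security_check"         // http, default port
        };
        for (String returnToUrl : samples) {
            System.out.println(returnToUrl);
            System.out.println("  buggy realm: " + buggyRealm(returnToUrl));
            System.out.println("  fixed realm: " + fixedRealm(returnToUrl));
        }
        // The reporter's workaround: map the return URL to itself so derivation is skipped.
        Map<String, String> realmMapping = new HashMap<>();
        realmMapping.put(samples[0], samples[0]);
        System.out.println("mapped realm: " + lookupRealm(realmMapping, samples[0]));
    }
}
```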

          People

          • Assignee: Luke Taylor
          • Reporter: Jeremy Espino
          • Votes: 1
          • Watchers: 1
