Type: Defect
Resolution: Won't Do
Priority: Critical
Affects Version/s: 1.2.0
Component/s: None
OpenIds must be valid URLs to function correctly. The gateway is not restricting or escaping these characters during the username selection process. This is a problem at several levels:
1) If the openid contains unescaped characters, OpenId4Java cannot initiate the Yadis discovery process.
2) Once the URL is properly escaped, the Yadis service doesn't correctly decode the URL, so the user isn't found and the call fails.
3) If the user does a local login, successfully bypassing OpenId, they can log in but can't use the MyProxy client, as it relies on the Yadis discovery.
* There are likely a multitude of lookup methods that may be affected by this.
This was discovered through user failures caused by spaces in their usernames:
java.lang.IllegalArgumentException: Invalid uri 'https://www.earthsystemgrid.org/myopenid/Shuli Niu': escaped absolute path not valid
at org.apache.commons.httpclient.HttpMethodBase.<init>(HttpMethodBase.java:222)
at org.apache.commons.httpclient.methods.HeadMethod.<init>(HeadMethod.java:94)
at org.openid4java.util.HttpCache.head(HttpCache.java:284)
at org.openid4java.discovery.yadis.YadisResolver.retrieveXrdsLocation(YadisResolver.java:360)
at org.openid4java.discovery.yadis.YadisResolver.discover(YadisResolver.java:229)
at sgf.gateway.script.services.impl.DownloadScriptServiceImpl.getMyproxyEndPoint(DownloadScriptServiceImpl.java:118)
at sgf.gateway.script.services.impl.DownloadScriptServiceImpl.buildScript(DownloadScriptServiceImpl.java:93)
at sgf.gateway.script.services.impl.DownloadScriptServiceImpl$1.doInTransaction(DownloadScriptServiceImpl.java:65)
at org.springframework.transaction.support.TransactionTemplate.execute(TransactionTemplate.java:128)
at sgf.gateway.script.services.impl.DownloadScriptServiceImpl.create(DownloadScriptServiceImpl.java:58)
at sgf.gateway.web.controllers.download.GetDownloadScriptController.handleRequest(GetDownloadScriptController.java:71)
at org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handle(SimpleControllerHandlerAdapter.java:48)
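The restrict-or-escape choice described above, as an added example that is not the gateway's or OpenId4Java's own code: it shows an allowlist check at username selection, percent-encoding of the username as one path segment, and the matching decode a lookup would need. The class, method names and allowlist pattern are hypothetical, the base URL is taken from the stack trace, the sample usernames are constructed, and Java 10 or later is assumed.

```java
import java.net.URI;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;

public class OpenIdUrlExample {
    // Base URL as it appears in the stack trace.
    static final String BASE = "https://www.earthsystemgrid.org/myopenid/";
    // Hypothetical policy: restrict usernames to URL-safe characters at selection time.
    static final Pattern SAFE = Pattern.compile("[A-Za-z0-9._-]{1,64}");

    static boolean isUrlSafeUsername(String username) {
        return SAFE.matcher(username).matches();
    }

    // Alternative to restricting: percent-encode the username as a single path segment.
    static String toOpenId(String username) {
        // URLEncoder does form encoding (space -> '+'). A literal '+' is emitted
        // as %2B, so every '+' left in the output stands for a space.
        String segment = URLEncoder.encode(username, StandardCharsets.UTF_8)
                                   .replace("+", "%20");
        // URI.create throws IllegalArgumentException if the result is still invalid.
        return URI.create(BASE + segment).toASCIIString();
    }

    // Lookup side: recover the stored username from the OpenID URL.
    static String usernameFromOpenId(String openId) {
        // Split on the raw path so an encoded '/' (%2F) stays inside the segment.
        String rawPath = URI.create(openId).getRawPath();
        String segment = rawPath.substring(rawPath.lastIndexOf('/') + 1);
        // Protect a literal '+' from URLDecoder's form decoding.
        return URLDecoder.decode(segment.replace("+", "%2B"), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        String[] samples = {"Jane Doe", "a/b", "jdoe"}; // constructed usernames
        for (String name : samples) {
            String openId = toOpenId(name);
            System.out.println("safe=" + isUrlSafeUsername(name)
                    + " openid=" + openId
                    + " roundtrip=" + name.equals(usernameFromOpenId(openId)));
        }
    }
}
```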