From 89fa7710935bf8593753207492d540fee1319eb2 Mon Sep 17 00:00:00 2001
From: Luke Taylor
Date: Wed, 13 Jul 2011 22:29:47 +0100
Subject: [PATCH] SEC-1753: Cater for missing DiscoveryInformation object in OpenID4JavaConsumer.endConsumption.

---
 .../springframework/security/openid/OpenID4JavaConsumer.java | 5 +++++
 .../security/openid/OpenID4JavaConsumerTests.java | 5 +++++
 2 files changed, 10 insertions(+)

diff --git a/openid/src/main/java/org/springframework/security/openid/OpenID4JavaConsumer.java b/openid/src/main/java/org/springframework/security/openid/OpenID4JavaConsumer.java
index 1863fea7c5..ce24d25cda 100644
--- a/openid/src/main/java/org/springframework/security/openid/OpenID4JavaConsumer.java
+++ b/openid/src/main/java/org/springframework/security/openid/OpenID4JavaConsumer.java
@@ -144,6 +144,11 @@ public class OpenID4JavaConsumer implements OpenIDConsumer {
 // retrieve the previously stored discovery information
 DiscoveryInformation discovered = (DiscoveryInformation) request.getSession().getAttribute(DISCOVERY_INFO_KEY);
+
+ if (discovered == null) {
+ throw new OpenIDConsumerException("DiscoveryInformation is not available. Possible causes are lost session or replay attack");
+ }
+
 List attributesToFetch = (List) request.getSession().getAttribute(ATTRIBUTE_LIST_KEY);
 request.getSession().removeAttribute(DISCOVERY_INFO_KEY);
diff --git a/openid/src/test/java/org/springframework/security/openid/OpenID4JavaConsumerTests.java b/openid/src/test/java/org/springframework/security/openid/OpenID4JavaConsumerTests.java
index 1edfc02e76..32f7fd778b 100644
--- a/openid/src/test/java/org/springframework/security/openid/OpenID4JavaConsumerTests.java
+++ b/openid/src/test/java/org/springframework/security/openid/OpenID4JavaConsumerTests.java
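Review bot: The added guard throws before the session clean-up below it runs (`removeAttribute(DISCOVERY_INFO_KEY)` is visible in the context; the attribute list presumably gets the same treatment), so when the discovery information is missing the value stored under `ATTRIBUTE_LIST_KEY`, read on the very next context line, can be left behind in the session; clearing it before the throw, `request.getSession().removeAttribute(ATTRIBUTE_LIST_KEY);`, keeps a lost-session or replayed response from leaving stale state for a later attempt. The lookup itself uses `request.getSession()`, which under the servlet API's default behaviour creates a fresh session merely to find that nothing is stored; `request.getSession(false)` with a null check would avoid allocating a session for a session-less or replayed request, although that line is not part of this change. Since the message deliberately names a replay attack as a possible cause, the method's Javadoc should document it for callers with `@throws OpenIDConsumerException if the discovery information stored earlier in the session is no longer available (lost session or replayed response)`; endConsumption's signature and the rest of its body lie outside the hunk.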
@@ -189,6 +189,11 @@ public class OpenID4JavaConsumerTests {
 consumer.fetchAxAttributes(msg, attributes);
 }
+ @Test(expected=OpenIDConsumerException.class)
+ public void missingDiscoveryInformationThrowsException() throws Exception {
+ OpenID4JavaConsumer consumer = new OpenID4JavaConsumer(new NullAxFetchListFactory());
+ consumer.endConsumption(new MockHttpServletRequest());
+ }
 @SuppressWarnings("deprecation")
 @Test