anunnakian / openid4java Goto Github PK

What steps will reproduce the problem?
1. replace xalan2.6.0 with 2.7.0 or 2.7.1
2. log in with open id url
3. consumer servlet breaks.

What is the expected output? What do you see instead?
missing classes

What version of the product are you using? On what operating system?


Please provide any additional information below.
Is there any particular reason why openxri is dependent on xalan 2.6? I'm
running into a number of missing class issues trying to get it openId4java
to work with 2.7 and above.

eg.

java.lang.NoClassDefFoundError: org/apache/xpath/compiler/FuncLoader
    org.openxri.xml.XRD.<clinit>(XRD.java:108)
    org.openid4java.discovery.Discovery.<init>(Discovery.java:59)
    org.openid4java.consumer.ConsumerManager.<init>(ConsumerManager.java:51)

The library does not quite handle the spec for attribute exchange.

The value returned from the server has the following definition:

openid.ax.value.<alias>.<number>
Assigns a value to the attribute referred to as <alias>. This parameter format 
MUST be used if 
"openid.ax.count.<alias>" is sent and at least one value is provided for the 
associated attribute.

However, in FetchResponse.java and the method public String 
getAttributeValue(String alias), it 
only attached <number> if getCount(alias) > 1. It should not use 
getCount(alias) since getCount 
has special code.

Patch attached.

What steps will create the enhancement?
1a.) Create an interface called ServerManager with all of the current
ServerManager functions.
1b.) Rename the current net.openid.server.ServerManager class to be
something like net.openid.server.DefaultServerManager, (or
StaticServerManager, or similar). 
2a.) Create an interface called ClientManager with all of the current
ClientManager functions.
2b.) Rename the current net.openid.client.ClientManager class to be
something like net.openid.client.DefaultClientManager, (or
StaticClientManager, or similar). 

Rationale: This would allow anyone to write their own
ServerManager/ClientManager, yet conform to the existing contract.  I
envision creating EJB backed managers to use OpenId4Java on a J2EE
application server. Ideally, the ServerManager would be implemented as a
service, like a Stateless Sessionbean.  That way, it is directly accessible
from other services running in the container.  As it stands now,  however,
the current ServerManager has static ServerAssociationStore's, which don't
fit well with J2EE (According to the J2EE spec, static member variables are
not recommended unless they're final --- static members are not portable
across app servers, among other things).

ps - I have much of this code written, and would be open to contributing
back to the project.  I'm just waiting to integrate it into the new
interfaces.  My EJB code works on JBoss, ATM.  But, other app servers could
be supported (bea, oracle, etc), but would need their own implementations.

1. Document which parts of the code require each of the included jars
2. Organize libraries for specific deployments (RP/OP/etc).

For a "consumer side" only, spring-jdbc isn't required.
Please change the pom.xml to add <optional>true</optional> to the dependency.

What steps will reproduce the problem?
1. Run 'ant clean test'

What is the expected output? What do you see instead?

http://opensource.bamboo.atlassian.com/build/viewBuildResultsFailedTests.action?
buildKey=OPENID-OPENID4JAVA&buildNumber=18

java.lang.NoClassDefFoundError: org/apache/xerces/parsers/DOMParser
    at org.openxri.xml.XRDS.fromDOM(XRDS.java:237)
    at org.openxri.xml.XRDS.<init>(XRDS.java:67)
    at net.openid.discovery.DiscoveryTest.createXrds(DiscoveryTest.java:92)
    at
net.openid.discovery.DiscoveryTest.testExtractDiscoveryInformationDelegate(Disco
veryTest.java:101)

What version of the product are you using? On what operating system?

Latest source.

Please provide any additional information below.

It appears that xerces.jar needs to be added to the /lib/ directory and as
a pom.xml dependency for maven2.

Ok in browser; openid4java logs show:

Error talking to https://www.myopenid.com/server response code: -1 
CLASS:consumer.ConsumerManager TP-Processor10  
javax.net.ssl.SSLHandshakeException: 
sun.security.validator.ValidatorException: PKIX path validation failed: 
java.security.cert.CertPathValidatorExcepti
on: subject/issuer name chaining check failed
        at 
com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
        at 
com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1518)
        at 
com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:174)
        at 
com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:168)
        at 
com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker
.java:848)
        at 
com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.ja
va:106)
        at 
com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
        at 
com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:433)
        at 
com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:818)
        at 
com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl
.java:1030)
        at 
com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:622)
        at 
com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:59)
        at 
java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
        at 
java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)
        at 
org.apache.commons.httpclient.methods.StringRequestEntity.writeRequest(StringReq
uestEntity.java:150)
        at 
org.apache.commons.httpclient.methods.EntityEnclosingMethod.writeRequestBody(Ent
ityEnclosingMethod.java:495)
        at 
org.apache.commons.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:19
73)
        at 
java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)
        at 
org.apache.commons.httpclient.methods.StringRequestEntity.writeRequest(StringReq
uestEntity.java:150)
        at 
org.apache.commons.httpclient.methods.EntityEnclosingMethod.writeRequestBody(Ent
ityEnclosingMethod.java:495)
        at 
org.apache.commons.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:19
73)
        at 
org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:993)
        at 
org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDire
ctor.java:397)
        at 
org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirecto
r.java:170)
        at 
org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:396)
        at 
org.apache.commons.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:19
73)
        at 
org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:993)
        at 
org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDire
ctor.java:397)
        at 
org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirecto
r.java:170)
        at 
org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:396)
        at 
org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:324)
        at 
org.openid4java.consumer.ConsumerManager.call(ConsumerManager.java:569)
        at 
org.openid4java.consumer.ConsumerManager.associate(ConsumerManager.java:725)
        at 
org.openid4java.consumer.ConsumerManager.associate(ConsumerManager.java:612)
        at 
com.sxip.apollo.rp.web.IndexController.buildFetchReq(IndexController.java:200)
        at 
com.sxip.apollo.rp.web.IndexController.handleRequestInternal(IndexController.jav
a:132)
        at 
org.springframework.web.servlet.mvc.AbstractController.handleRequest(AbstractCon
troller.java:153)
        at 
org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handle(Simple
ControllerHandlerAdapter.java:45)
        at 
org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.j
ava:806)
        at 
org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.ja
va:736)
        at 
org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet
.java:396)
        at 
org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:36
0)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:709)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
        at 
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilt
erChain.java:252)
        at 
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.
java:173)
        at 
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:2
13)
        at 
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:1
78)
        at 
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
        at 
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
        at 
org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:541)
        at 
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107
)
        at 
org.apache.catalina.valves.RequestDumperValve.invoke(RequestDumperValve.java:150
)
        at 
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
        at 
org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:199)
        at 
org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:282)
        at 
org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:767)
        at 
org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:697)
        at 
org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:889
)
        at 
org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:68
4)
        at java.lang.Thread.run(Thread.java:595)
Caused by: sun.security.validator.ValidatorException: PKIX path validation 
failed: java.security.cert.CertPathValidatorException: subject/issuer name 
ch
aining check failed
        at 
sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:187)
        at 
sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:139)
        at sun.security.validator.Validator.validate(Validator.java:203)
        at 
com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustMa
nagerImpl.java:172)
        at 
com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(SSLContextI
mpl.java:320)
        at 
com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker
.java:841)
        ... 47 more
Caused by: java.security.cert.CertPathValidatorException: subject/issuer 
name chaining check failed
        at 
sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCe
rtPathValidator.java:139)
        at 
sun.security.provider.certpath.PKIXCertPathValidator.doValidate(PKIXCertPathVali
dator.java:316)
        at 
sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPath
Validator.java:178)
        at 
java.security.cert.CertPathValidator.validate(CertPathValidator.java:206)
        at 
sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:182)
        ... 52 more

Type-Patch

* include in SampleConsumer and SampleServer, sample usage of Attribute and
SReg
* add 2 integration tests (using SampleConsumer, SampleServer)
* add 1 integration test for integration test with external provider.  The
sample test try an authentification against videntity.org, authentification
sucessed but retreive information (email) failed (commented).
* improve test coverage from 23% to 51%

!! I haven't patch lib directory and build.xml (integration test require
jwebunit-1.4.1)

On the server side, when dealing with extensions, a AuthRequest message is 
instantiated from request parameter twice, each triggering an (expensive) 
RP dicovery and validation.

http://groups.google.com/group/openid4java/browse_thread/thread/
63580f58f60d51f2

I tested openid4java with the newly releases OpenID provider orange
(openid.orange.fr).

The content returned by Orange when verifying an auth is:

\r\n\r\nis_valid:true\n

and this makes ParameterList.createFromKeyValueForm choke as it does not
ignore the blank lines and looks for ':' in them.

A quick fix would be to add '\r' to the list of delimiters and check if the
token size is 0 before looking for ':'.

What steps will reproduce the problem?
1. Resolution of community inames
2.
3.

What is the expected output? What do you see instead?
They are not supported per comments in the source code. 

What version of the product are you using? On what operating system?
N/A

Please provide any additional information below.
N/A

I'm trying to build a jar based on what's in trunk and I'm getting the
following error when using ant on the commandline or from within Eclipse.

There are a few releases of svn out there still in the wild and I'd
encourage you to make this as easy as possible for Eclipse Callisto users,
which would mean removing the svn dependencies from the build.xml file.

Buildfile: build.xml

create_paths:

prepare:
      [svn] Using javahl
Svn : Status
Unsupported working copy format
svn: This client is too old to work with working copy
'/Users/phil/Documents/workspace/sxip-openid-trunk'; please get a newer
Subversion client

BUILD FAILED
/Users/phil/Documents/workspace/sxip-openid-trunk/build.xml:28: Can't get
status of /Users/phil/Documents/workspace/sxip-openid-trunk

Finite part of the method is wrong. My comments are marked as [xxx84692] 
in code below

public boolean isValid() {
  .........
---------
  [xxx84692] Wrong. "op_endpoint" is absent as in spec. OpenID Auth. Ver 
1.1. Also I haven't found it in the last published draft OpenID Auth. Ver 
2.0 Draft11
---------

        // either compatibility mode or op_endpoint signed
        if ( compatibility == signedFields.contains("op_endpoint") )
            return false;

---------
  [xxx84692]In the last published draft OpenID Auth. Ver 2.0 Draft11 there 
is not any requirements about existence "assoc_handle" in signList:

This list MUST contain at least "return_to" and "response_nonce", and if 
present in the response, "claimed_id" and "identity". For 
example, "identity,claimed_id,return_to,response_nonce"
---------

        // assoc_handle must be signed in v2
        if ( ! compatibility && ! signedFields.contains("assoc_handle") )
            return false;

---------
  [xxx84692] Wrong. "claimed_id" is absent in OpenID Auth. Ver 1.1.
---------

        // if the IdP is making an assertion about an Identifier,
        // the "identity" and "claimed_id" fields MUST be signed
        return ( hasParameter("openid.identity") ==
                 (signedFields.contains("identity") &&
                  signedFields.contains("claimed_id")) );



}

When association type is HMAC-SHA1, Association.createHmacSha256 is called.
For HMAC-SHA256, createHmacSha1 is called.

Net effect of this bug is that smart-mode sig verification will always fail.

Fix: reverse the calls to createHmacShaXXX.

Question: what is the status of openid4java code? The reason I ask is that
I am using openid4java to shake the bugs out of my openid server but, so
far, it's been like watching two drunks (openid4java and my code) trying to
get home. LOL.

What steps will implement this Enhancement?

1.) Create a net.openid.association.Assocation interface, that simply has
the getters/ setters for the current net.openid.association.Association.
2.) Create an AssociationImpl (or whatever you prefer to call it) that
models only the attributes of the Association (essentially, purely a model
object).
3.) Create a class called AssociationFactory, and move all of the public
static creation methods out of Association, and into the factory.
4.) Provide a public default constructor in the AssociationImpl class, so
that the Factory (and other code like EJB3) can instantiate and use the
model class.

RATIONALE: This would separate the model from the business logic, and allow
people to do other things with the Association classes (like persist them
to a database using Hibernate/Ejb3 without mapping them to a different class).

I've got much of this written already, too.

What steps will reproduce the problem?
1. I don't see support for XRI Proxy resolvers
2.
3.

What is the expected output? What do you see instead?
I would like to have the ability to point a relying party or OP at a proxy
resolver instead of using the root INames resolution services. 

What version of the product are you using? On what operating system?
N/A

Please provide any additional information below.
This should be fairly easy to do - its part of OpenXRI codebase already.

What steps will reproduce the problem?
1. Trying to use cross implementations. (e.g. JanRain's PHP client with
your sample server)

What is the expected output? What do you see instead?
expected: correct signature during client side verification
output: bad signature

What version of the product are you using? On what operating system?
java-openid-sxip-0.9.4 [server] + php-openid-2.0.0 [client]
OS: Debian Linux

Please provide any additional information below.
That happens because null fields (e.g. claimed_id) are added as "null"
Strings. That's not a problem if client & server use the same
implementation, but I doubt it could work with any other.

My solution is: verify null value before adding it to the resulting String.
in AuthSuccess.getSignedText():
...
String value = getParameterValue("openid." + signedParams[i]);
if (value!=null)
  signedText.append(value);
...

refer to http://openid.net/specs/openid-attribute-exchange-1_0-04.html
The attribute exchange service extension is identified by the URI "http://
openid.net/srv/ax/1.0"

but org.openid4java.message.ax.AxMessage.OPENID_NS_AX = "http://openid.net/
srv/ax/1.0-draft7"

PS:I can't fetch attribute from openid provider "http://myopenid.com",is 
it cause by this?

fetch.addAttribute("email","http://schema.openid.net/contact/email", true);

is "http://schema.openid.net/contact/email" standard for all openid 
provider or just for openid4java?

I'm implementing OpenID authentication support for an application that uses
the Zk AJAX framework (www.zkoss.org). The Zk creates some request
parameters on the fly (due to it's AJAX nature and its internal working
logic). Some of those request parameters are arrays, which length is bigger
than one. It looks like OpenID4Java don't like that, throwing an
IllegalArgument exception.

The code extract responsable for that is the following, from
org/openid4java/message/ParameterList.java:

if (v instanceof Object[])
{
  Object[] values = (Object[]) v;
  if (values.length > 1)
   throw new IllegalArgumentException(
     "Multiple parameters with the same name: " + values);
   value = values.length > 0 ? (String) values[0] : null;
}

It wouldn't be better to just _ignore_ array objects which length is bigger
than 1, instead of throwing an exception? I created a patch following this
rationale. I tested it with my application, and, so far, so good.

simple-openid hardcode "http://localhost:8080". I replace it by 
request.getScheme() + "://" + request.getServerName() + ":" +
request.getServerPort()

To allow user to connect to a openid server with other address than localhost.
(In my case videntity.org works when I call with localhost, and failed when
I call with ip address or internet hostname,... details in an other issue)

The ConsumerAssociationStore named "_associations" in ConsumerMangager
doesn't appear to ever get instantiated.  Upon normal use of
ConsumerManager, I get the following error:

Caused by: java.lang.NullPointerException
    at net.openid.consumer.ConsumerManager.associate(ConsumerManager.java:620)
    at net.openid.consumer.ConsumerManager.associate(ConsumerManager.java:588)  

Please provide any additional information below.

Suggested Fix:
In the ConsumerManager constructor, add a create statement to create an
InMemoryConsumerAssociationStore().

If relying party and openid provider is not in same timezone,It's possible
that return INVALID_TIMESTAMP in
org.openid4java.consumer.AbstractNonceVerifier.seen()

When you check out the project in eclipse, there's no reason why it should
require adding jars to the build path, especially when those jars are
included in svn.

Please add a .classpath and .project file to trunk.

What steps will reproduce the problem?
1. instantiate new ConsumerManager()


What is the expected output? What do you see instead?
I expected an instance of ConsumerManager to be returned but instead I got
an exception:

Exception in thread "main" java.lang.NoSuchMethodError:
org.apache.xpath.compiler.FunctionTable.installFunction(Ljava/lang/String;Lorg/a
pache/xpath/Expression;)I
    at org.apache.xml.security.Init.init(Unknown Source)
    at org.openxri.xml.XRD.<clinit>(XRD.java:108)
    at org.openid4java.discovery.Discovery.<init>(Discovery.java:58)
    at org.openid4java.consumer.ConsumerManager.<init>(ConsumerManager.java:51)
    at T.main(T.java:13)

What version of the product are you using? On what operating system?
0.9.4

Type-Patch

* fixe version number in pom.xml of samples
* remove useless dependency in simple-openid
* remove useless jar in simple-openid/src/main/webapp/WEB-INF/lib
* update version on maven2/README.txt

note: 
* simple-openid doesn't start with jdk14
* simple-openid failed with jdk15 and usage of user.jsp as OpenID
I currently work on the problem (on trunk) (I added testcase, ...)

What steps will reproduce the problem?
1. Go to an RP which uses v1 (e.g.: http://ma.gnolia.com)
2. Log in using a simple-openid identity url - from the sample openid4java
server - e.g. openid.open.ac.uk/simple-openid/user.jsp

What is the expected output? What do you see instead?
Rather than being authenticated - you get the error message "signature
mismatch" - more info, and other sites where this occurs:
http://groups.google.com/group/openid4java/browse_thread/thread/f61d594b183c4ad6
?hl=en

I attempted to get this fixed myself, but I didn't get very far. To start
with I was unsure as to whether the problem was just in the simple-openid
sample server code, or if it was something up in the java-openid-sxip.jar.
I attemtped to change the org.openid4java.server.ServerManager class
(line760) - so if it was a v1 request then the claimed_id field would be
removed from the list. Bt this didn't seem to make any difference.

I also looked at the AuthSuccess class to check which fields were included
in the buildSignedList() and these all seemed fine too (i.e. no cliamed_id
field)- so couldn't see if any changes were required here.

I think this may be related to issue #47 as it occurs in similar
circumstances (using JanRan as RP), although when using the sample RP
provided by JanRain I get the error "Server denied check_authentication",
but appears to be to do with the signature being invalid.

What steps will reproduce the problem?
1. apply the patch from issue #35
2. change the pom.xml of simple-openid to use 0.9.4.339 (add the
http://alchim.sf.net/download/releases as repository)
3. start simple-openid (mvn jetty:run)
4. connect to http://<myserver>:<myport>/simple-openid (don't use
localhost, faile also with ip address)
5. submit http://demouser.videnty.org/ as OpenID (it's a valid openid, I
could sent you the password via private mail, if required)

What is the expected output?
* to be redirected to the login page of videntity.org, like it's done if I
connect with http://localhost:8080/simple-openid

What do you see instead?
(note: result is different with 0.9.3 (see issue #36))

* on browser url:
  http://127.0.0.1:8080/simple-openid/consumer_redirect.jsp
* on brower window :
HTTP ERROR: 500

INTERNAL_SERVER_ERROR

RequestURI=/simple-openid/consumer_redirect.jsp

Powered by Jetty://

* on console:
[INFO] Started Jetty Server
[INFO] Starting scanner at interval of 10 seconds.
[INFO] Discovery - Starting discovery on URL identifier:
http://demouser.videntity.org/
[WARN] Discovery - Yadis discovery failed on http://demouser.videntity.org/
: 1800: A Yadis Resource Descriptor URL MUST be an absolute URL and it must
be HTTP or HTTPS; found: null
[INFO] Discovery - No OpenID service endpoints discovered through Yadis;
attempting HTML discovery...
[INFO] HtmlResolver - HTML discovery succeeded on:
http://demouser.videntity.org/
[INFO] Discovery - Discovered 1 OpenID endpoints.
[INFO] ConsumerManager - Trying to associate with
http://videntity.org/server attempts left: 4
[WARN] ConsumerManager - Could not create association of type:
:HMAC-SHA1:OpenID1
[INFO] ConsumerManager - Associated with http://videntity.org/server
handle: {estore}{HMAC-SHA1}{1}{0}
[INFO] ConsumerManager - Trying to associate with
http://videntity.org/server attempts left: 4
[INFO] ConsumerManager - Found an existing association.
[INFO] ConsumerManager - Creating authentication request for OP-endpoint:
http://videntity.org/server claimedID: http://demouser.videntity.org/
OP-specific ID: http://demouser.videntity.org/
[INFO] RealmVerifier - Return URL:
http://127.0.0.1:8080/simple-openid/consumer_returnurl.jsp matches realm:
http://127.0.0.1:8080/simple-openid/consumer_returnurl.jsp
[INFO] ConsumerManager - Verifying authentication response...
[INFO] ConsumerManager - Verifying authentication response...
[ERROR] RealmVerifier - Discovery failed on realm:
http://127.0.0.1:8080/simple-openid/consumer_returnurl.jsp
<org.openid4java.discovery.yadis.YadisException: 1803: HTML response must
have exactly one HEAD element, found 0 :
>org.openid4java.discovery.yadis.YadisException: 1803: HTML response must
have exactly one HEAD element, found 0 : 
        at
org.openid4java.discovery.yadis.YadisResolver.getHtmlMeta(YadisResolver.java:400
)
        at
org.openid4java.discovery.yadis.YadisResolver.getXrds(YadisResolver.java:342)
        at
org.openid4java.discovery.yadis.YadisResolver.discover(YadisResolver.java:251)
        at org.openid4java.discovery.Discovery.rpDiscovery(Discovery.java:646)
        at
org.openid4java.server.RealmVerifier.validate(RealmVerifier.java:133)
        at
org.openid4java.server.RealmVerifier.validate(RealmVerifier.java:108)
        at org.openid4java.message.AuthRequest.validate(AuthRequest.java:355)
        at
org.openid4java.message.AuthRequest.createAuthRequest(AuthRequest.java:101)
        at
org.openid4java.consumer.ConsumerManager.authenticate(ConsumerManager.java:1000)
        at
org.openid4java.consumer.ConsumerManager.authenticate(ConsumerManager.java:937)
        at
org.apache.jsp.consumer_005fredirect_jsp._jspService(org.apache.jsp.consumer_005
fredirect_jsp:101)
        at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:111)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
        at
org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:373)
        at
org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:464)
        at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:358)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
        at
org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:459)
        at
org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:360)
        at
org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:231)
        at
org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:629)
        at
org.mortbay.jetty.webapp.WebAppContext.handle(WebAppContext.java:453)
        at
org.mortbay.jetty.handler.ContextHandlerCollection.handle(ContextHandlerCollecti
on.java:149)
        at
org.mortbay.jetty.handler.HandlerCollection.handle(HandlerCollection.java:123)
        at
org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:141)
        at org.mortbay.jetty.Server.handle(Server.java:303)
        at
org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:452)
        at
org.mortbay.jetty.HttpConnection$RequestHandler.content(HttpConnection.java:735)
        at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:636)
        at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:209)
        at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:349)
        at
org.mortbay.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:320)
        at
org.mortbay.thread.BoundedThreadPool$PoolThread.run(BoundedThreadPool.java:475)

2007-10-08 12:48:05.830::WARN:  /simple-openid/consumer_redirect.jsp: 
java.lang.IllegalStateException: STREAM
        at org.mortbay.jetty.Response.getWriter(Response.java:502)
        at
org.apache.jasper.runtime.JspWriterImpl.initOut(JspWriterImpl.java:149)
        at
org.apache.jasper.runtime.JspWriterImpl.flushBuffer(JspWriterImpl.java:142)
        at
org.apache.jasper.runtime.PageContextImpl.release(PageContextImpl.java:210)
        at
org.apache.jasper.runtime.JspFactoryImpl.internalReleasePageContext(JspFactoryIm
pl.java:134)
        at
org.apache.jasper.runtime.JspFactoryImpl.releasePageContext(JspFactoryImpl.java:
89)
        at
org.apache.jsp.consumer_005fredirect_jsp._jspService(org.apache.jsp.consumer_005
fredirect_jsp:188)
        at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:111)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
        at
org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:373)
        at
org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:464)
        at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:358)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
        at
org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:459)
        at
org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:360)
        at
org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:231)
        at
org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:629)
        at
org.mortbay.jetty.webapp.WebAppContext.handle(WebAppContext.java:453)
        at
org.mortbay.jetty.handler.ContextHandlerCollection.handle(ContextHandlerCollecti
on.java:149)
        at
org.mortbay.jetty.handler.HandlerCollection.handle(HandlerCollection.java:123)
        at
org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:141)
        at org.mortbay.jetty.Server.handle(Server.java:303)
        at
org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:452)
        at
org.mortbay.jetty.HttpConnection$RequestHandler.content(HttpConnection.java:735)
        at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:636)
        at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:209)
        at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:349)
        at
org.mortbay.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:320)
        at
org.mortbay.thread.BoundedThreadPool$PoolThread.run(BoundedThreadPool.java:475)
2007-10-08 12:48:05.833::WARN:  /simple-openid/consumer_redirect.jsp
java.lang.IllegalStateException: STREAM
        at org.mortbay.jetty.Response.getWriter(Response.java:502)
        at
org.apache.jasper.runtime.JspWriterImpl.initOut(JspWriterImpl.java:149)
        at
org.apache.jasper.runtime.JspWriterImpl.flushBuffer(JspWriterImpl.java:142)
        at
org.apache.jasper.runtime.PageContextImpl.release(PageContextImpl.java:210)
...

What version of the product are you using? On what operating system?

openid4java 0.9.4.339

Here is a patch to fix a typo that has been bothering me in a log line in
ServerManager for the last 100 revisions or so. :)

What steps will reproduce the problem?
1. apply the patch from issue #35
2. start simple-openid (mvn jetty:run)
3. connect to http://<myserver>:<myport>/simple-openid (don't use
localhost, faile also with ip address)
4. submit http://demouser.videnty.org/ as OpenID (it's a valid openid, I
could sent you the password via private mail, if required)

What is the expected output?
* to be redirected to the login page of videntity.org, like it's done if I
connect with http://localhost:8080/simple-openid

What do you see instead?
* on browser:
  openid.mode:error openid.error:Malformed trust_root:
http://<myserver>:<myport>/simple-openid/consumer_returnurl.jsp 
* on console:
  nothing (except
  log4j:WARN No appenders could be found for logger
(org.openid4java.discovery.Discovery).
  log4j:WARN Please initialize the log4j system properly.


What version of the product are you using? On what operating system?

openid4java 0.9.3

The "openid.response_nonce" prm is always generated in method 
ServerManager.authResponse(..):

return AuthSuccess.createAuthSuccess(
  opEndpoint, claimed, id, !authReq.isVersion2(),
  authReq.getReturnTo(), _nonceGenerator.next(),  // ### !!! ###
  invalidateHandle, assoc, _signList);

But next in AuthSuccess.isValid this prm will be considered as invalid.
        // nonce optional or not?
        String nonce = getNonce();
        if ( !compatibility )
        {
            if (nonce == null) return false;

            // nonce format
            InternetDateFormat _dateFormat = new InternetDateFormat();
            try
            {
                _dateFormat.parse(nonce.substring(0, 20));
            } catch (ParseException e)
            {
                return false;
            }
        } else if (nonce != null) // ### !!! ###
        {
            return false;
        }


I think the right behaviour is:

ServerManager.authResponse(..){
  return AuthSuccess.createAuthSuccess(
    opEndpoint, claimed, id, !authReq.isVersion2(),
    authReq.getReturnTo(), 
    isVersion2 ? _nonceGenerator.next() : null,  // ### !!! ###
    invalidateHandle, assoc, _signList);
}

Also in AuthSuccess constructor move call 
  setNonce(nonce);
in branch "! compatibility"

if (! compatibility)
{
  set("openid.ns", OPENID2_NS);
  setOpEndpoint(opEndpoint);
  setClaimed(claimedId);
  setNonce(nonce);             // ### !!! ###
}

What steps will reproduce the problem?
1. Create a keyValueForm string that ends in \r\n

What is the expected output? What do you see instead?

An exception is thrown for invalid key-value form


What version of the product are you using? On what operating system?

latest version pulled from SVN on 6 march

The problem will occurs during creation of Positive Assertion (in method 
AuthSuccess.createAuthSuccess) if developer doesn't call 
serverManager.setSignList(...) before.

I think ServerManager must initialize this field automatically if user 
doesn't set it. 
private String _signList = "return_to,response_nonce";

This is the log:
java.lang.NullPointerException
    at net.openid.message.AuthSuccess.getSignedText
(AuthSuccess.java:226)
    at net.openid.message.AuthSuccess.<init>(AuthSuccess.java:63)
    at net.openid.message.AuthSuccess.createAuthSuccess
(AuthSuccess.java:79)
    at net.openid.server.ServerManager.authResponse
(ServerManager.java:502)

* set version to 0.9.5-SNAPSHOT
* clean up : to have simple pom.xml (readable and maintenable)
  * remove duplication between children's pom.xml and parent's pom.xml
(groupId, version, developers, scm, ...)
  * comments scm information, must not be used by maven's plugin (normal
scm point to the root project = directory with the pom.xml for svn)
* define dependencyManagement into the parent's pom.xml to manage version
number in a central point
* change the groupId of higgins to org.eclipse.higgins (follow the convention)
* use ${groupId} and {$version} for dependency to other openid4java
children projects
* upgrade version of jetty to 6.1.6rc0 (and fix the groupId)
* remove optional dependencies of commons-logging (not mark as optional :
every logging system that could be wrapped)
* deploy higgins on a repository http://alchim.sf.net/download/snapshots/
(create pom.xml and a deploy.sh)
* deploy openid4java-0.9.4.339.jar on a repository
http://alchim.sf.net/download/releases/
* remove the build/reporting section from the children project, because
there is to many compilation error due to lake of class.

Because :
* the original project isn't split into several projects, to maintain the
include/exclude of the build will be a hard task
* the full jar isn't currently heavy 600K
* the main goal of the maven sub project is to provide a clear definition
of dependencies
Then 
* I define every dependencies of openid4java to scope provided or test,
remove compile and runtime
* other subproject are converted into "meta-project" (like meta package in
linux distro), provide an empty jar and define the required
(compile/runtime) dependencies.
* I remove the build, reporting section from "meta-project"

So maven user define a dependency of its project with the meta-project (and
not directly with openid4java (may be rename it to
openid4java-core/nodep/... to avoid bug when user will upgrade from 0.9.3
or 0.9.4)

Obviously, when the original project will be split or converted to maven,
the jar generated will be lighter and the pom will be correct and uptodate.

Todo :
* optimise dependencies (eg: does openid4java-infocard depends of
openid4java or openid4java-server ?)
* check the new pom.xml (dependencies) by a core developper
* more end user tests/feedback
* submit fix to maven central repo about 
  * openxri depencencies
  * for a pom for xmlsec-1.3.0

(the changeset is attached to issue (see tracker), it's not a patch but a
directory to install at the save level as maven2 dir, to allow install it
and test it in a parallele directory, if you prefer i could submit a patch
for maven2 directory)

Submit the attached poms to the master maven2 repository at
http://jira.codehaus.org/browse/MAVENUPLOAD

See attached.

written:
     "opneid.session_type",
shoould be 
     "openid.session_type",

Not sure what this affect, but in org.openid4java.message.DirectError line
26, it seems like the String "contat" should read "contact".

The overall function currently reads:
protected final static List optionalFields = Arrays.asList( new String[] {
            "contat",
            "reference"
    });

But seems like it should read:
 protected final static List optionalFields = Arrays.asList( new String[] {
            "contact",
            "reference"
    });

A Relying Party (RP) should generally only need 1 HTTP request during
discovery. A GET request that includes the application/xrds+xml MIME type
in an Accept header should suffice. If the result is a Yadis doc use that;
otherwise if it is HTML (or XHTML) parse that for <link rel="openid…"…>
elements.


What steps will reproduce the problem?
Using java-openid-sxip-0.9.4.339/samples/simple-openid:
1. Enter a OpenID v1.1 URL that has a <link rel="openid.server"…> element,
but no Yadis document;
2. Look at the access logs for the web server hosting the OpenID URL.

What is the expected output? What do you see instead?
I expect to see 1 GET request.
Instead I see a HEAD request followed by 2 GET requests.

What version of the product are you using? On what operating system?
java-openid-sxip-0.9.4.339
java version "1.6.0_01"
SunOS 5.9

Please provide any additional information below.
My guess is that the first HEAD is expecting a X-XRDS-Location header; the
next GET is looking for a application/xrds+xml doc; and the last GET is
looking for [X]HTML.
An initial HEAD MAY make sense if the bulk of users have Yadis docs AND
they use servers that can insert a X-XRDS-Location HTTP header but NOT do
content negotiation. This circumstance seems highly improbable.
There is no excuse for the 2 GETs. Keeping Yadis discovery and HTML
discovery code totally separate is my guess at a reason, but it is a poor
excuse.

> I think we should rename both algorithms to have the dash as they are 
> specified as such in JCE reference [2]. This will change lines 39 and 
> 40 to read: 

>     public static final String H_ALGORITHM_SHA1 = "SHA-1"; 
>     public static final String H_ALGORITHM_SHA256 = "SHA-256"; 

I saw that you made the change already, that's great. 


> I've tested this against a fresh JDK 1.5 and 1.6. Also, the build now 
> gets the green light on the build server :) [3] 

We should also test against JDK 1.4. 


> These changes should be cool with Bouncy Castle's JCE, as they seem 
> more lenient than Sun's implementation. We also won't need to include 
> JCE providers as a part of our distribution, so no need to worry about 
> the legal aspects of shipping crypto libs. 

Yes, that is a nice side effect. We should also document both 
procedures, installing the policy file or installing an alternate JCE 
library.


http://groups.google.com/group/openid4java/browse_thread/thread/
9503e06477e84a6/196c353973b92469?lnk=gst&rnum=1#196c353973b92469

Hi, i successfully installed the consumer-servlet
example(java-openid-sxip-0.9.4.339 version) on my server (tomcat 6.0).
However, when i try to execute the application, i encounter the following
error: "A Yadis Resource Descriptor URL MUST be an absolute URL and it must
be HTTP or HTTPS; found: null"

here is the application log:

5 déc. 2007 23:05:52 org.openid4java.consumer.ConsumerManager authenticate
INFO: Creating authentication request for OP-endpoint:
http://www.myopenid.com/server claimedID: http://matmin.myopenid.com/
OP-specific ID: http://matmin.myopenid.com/
5 déc. 2007 23:05:52 org.openid4java.server.RealmVerifier match
INFO: Return URL: http://localhost:8080/openid/consumer matches realm:
http://localhost:8080/openid/consumer
5 déc. 2007 23:05:52 org.openid4java.consumer.ConsumerManager verify
INFO: Verifying authentication response...
5 déc. 2007 23:05:52 org.openid4java.consumer.ConsumerManager verify
INFO: Verifying authentication response...
5 déc. 2007 23:05:53 org.openid4java.server.RealmVerifier validate
GRAVE: Discovery failed on realm: http://localhost:8080/openid/consumer
org.openid4java.discovery.yadis.YadisException: 1800: A Yadis Resource
Descriptor URL MUST be an absolute URL and it must be HTTP or HTTPS; found:
null
    at
org.openid4java.discovery.yadis.YadisResult.setXrdsLocation(YadisResult.java:111
)
    at
org.openid4java.discovery.yadis.YadisResolver.getXrds(YadisResolver.java:344)
    at
org.openid4java.discovery.yadis.YadisResolver.discover(YadisResolver.java:251)
    at org.openid4java.discovery.Discovery.rpDiscovery(Discovery.java:646)
    at org.openid4java.server.RealmVerifier.validate(RealmVerifier.java:133)
    at org.openid4java.server.RealmVerifier.validate(RealmVerifier.java:108)
    at org.openid4java.message.AuthRequest.validate(AuthRequest.java:355)
    at org.openid4java.message.AuthRequest.createAuthRequest(AuthRequest.java:101)
    at
org.openid4java.consumer.ConsumerManager.authenticate(ConsumerManager.java:1000)
    at
org.openid4java.consumer.ConsumerManager.authenticate(ConsumerManager.java:937)
    at
org.openid4java.samples.consumerservlet.ConsumerServlet.authRequest(ConsumerServ
let.java:127)
    at
org.openid4java.samples.consumerservlet.ConsumerServlet.doPost(ConsumerServlet.j
ava:96)

---- do you have any ideas?

best regards,

---mathieu minard, [email protected]

What steps will reproduce the problem?

1.) Deploy an RP and an OP using OpenId4java.
2.) Create a regular html webpage at the OP root, with HTML rel links
pointing to the Yadis service document.

<meta http-equiv="X-XRDS-Location"
content="http://localhost:8080/yadis/yadis.xml" />
<meta http-equiv="X-YADIS-Location"
content="http://localhost:8080/yadis/yadis.xml" />

2. Attempt to do OpenId discovery by entering http://localhost:8080 into
the OpenId login box on the RP.

3. Internally, this will prompt the ConsumerManager to peform OpenId discovery.

4.) ConsumerManager (and underlying java code) will do an HTTP HEAD on the
user supplied URL.  This will fail, so a GET will be tried.  This will
return the HTML pointers to the XRDS.  

5.) net.openid.discover.Discovery, line 156 will attempt to get a
YadisResult via the YadisResolver.

6.) In YadisResolver line 287, the XRDSLocation is *not* null, so the
normalized URL never gets set (it stays null -- **this appears to be the
bug**).  

7.) Everything else about the YadisResult seems to populate ok.  The
extractDiscoveryInformation() function is called with the YadisResult's
normalizedURL as an arguement (net.openid.discovery.Discovey, Line 207). 
However, since the normalizedURL arg is null, a NullPointerException is
thrown as follows:

Caused by: java.lang.NullPointerException
    at java.net.URI$Parser.parse(URI.java:3010)
    at java.net.URI.<init>(URI.java:578)
    at net.openid.discovery.UrlIdentifier.normalize(UrlIdentifier.java:75)
    at net.openid.discovery.UrlIdentifier.<init>(UrlIdentifier.java:40)

I redo a test with samples/simple-openid.
I don't know why (I'm not an jsp user) but provider.jsp add blank at the
begin of the first line for response. So without
   if (keyValue.trim().length() == 0)
   {
       continue;
   }

into ParameterList.createFromXxx(...), an error is thrown :
>org.openid4java.message.MessageException: 256: Invalid Key-Value form,
colon missing: a.message.MessageException: 256: Invalid Key-Value form,
colon missing: 
        at
org.openid4java.message.ParameterList.createFromKeyValueForm(ParameterList.java:
186)
...

And because it's a blank problem the message isn't clear.

I agree that it is a workaround, need to manage bad server response, but
the world is not perfect. Openid4java already ignore empty line (done by
Tokeninzer), why not ignore blank line ?

I know that strictly a Yadis document shouldn't have an empty <URI> 
element. However, poorly formed documents do exist so I suggest skipping a 
service with an empty URI rather than failing altogether as it does at the 
moment. This is the approach currently taken if the contents of a URI are 
malformed.

Here's a patch to make it skip empty URI elements:

Index: 
C:/Users/tlocke/workspace/openid4java/src/org/openid4java/discovery/Discove
ry.java
===================================================================
--- 
C:/Users/tlocke/workspace/openid4java/src/org/openid4java/discovery/Discove
ry.java (revision 411)
+++ 
C:/Users/tlocke/workspace/openid4java/src/org/openid4java/discovery/Discove
ry.java (working copy)
@@ -322,6 +322,9 @@
                 } catch (MalformedURLException e)
                 {
                     continue;
+                } catch (IllegalArgumentException e)
+                {
+                   continue;
                 }

                 if (matchType(service, DiscoveryInformation.OPENID2_OP))

.../samples/simple-openid $ mvn jetty:run (as instructed by README)

[INFO] Failed to resolve artifact.

Missing:
----------
1) org.openid4java:openid4java:jar:0.9.4

  Try downloading the file manually from the project website.

  Then, install it using the command:
      mvn install:install-file -DgroupId=org.openid4java -
DartifactId=openid4java \
          -Dversion=0.9.4 -Dpackaging=jar -Dfile=/path/to/file

  Path to dependency:
        1) org.openid4java:simple-openid:war:0.9.4
        2) org.openid4java:openid4java:jar:0.9.4

----------
1 required artifact is missing.

for artifact:
  org.openid4java:simple-openid:war:0.9.4

from the specified remote repositories:
  central (http://repo1.maven.org/maven2)

What steps will reproduce the problem?
1. RP requsets auth with SRegRequest.
2. Response comes from IDP with SRegResponse which includes Korean character.
3. Vecification is failed.

[code: when requesting]
// associate, create discovery, create AuthRequest...
SRegRequest sreg = SRegRequest.createFetchRequest();
sreg.addAttribute("email", true);
sreg.addAttribute("nickname", true);
authReq.addExtension(sreg);
// redirect to IDP...

[code: when responsing]
ParameterList params = new ParameterList(request.getParameterMap());
StringBuffer recvUrl = request.getRequestURL();
String query = request.getQueryString();
if (!StringUtils.isBlank(query)) 
    recvUrl.append("?").append(query);
VerificationResult v = consumerManager.verify(recvUrl.toString(), params,
discInfo);

What is the expected output? What do you see instead?
Verification failed.

What version of the product are you using? On what operating system?
java-openid-sxip-0.9.3.265
Windows XP

Please provide any additional information below.

I changed 'sign(String)' method in 'Association.java' as followings.

    public String sign(String text) throws AssociationException
    {
        if (DEBUG) _log.debug("Computing signature for input data:\n" + text);
        try {
            return new
String(Base64.encodeBase64(sign(text.getBytes("utf-8"))), "utf-8");
        } catch (UnsupportedEncodingException e) {}
    }

and, it works well.

patch attached.

This is a problem in trunk.  I'm going against
http://whirlycott.myopenid.com/ and I'm getting these errors in my consumer:

org.apache.commons.httpclient.HttpMethodBase.processCookieHeaders(HttpMethodBase
.java:1554)
>50> Cookie rejected: "$Version=0;
session_id=0db0f1484af97f41251f690e0b98cfd5081cf1e903b215c4a77deb2efbb1539c;
$Path=/; $Domain=myopenid.com". Domain attribute "myopenid.com" violates
RFC 2109: domain must start with a dot

org.apache.commons.httpclient.HttpMethodBase.processCookieHeaders(HttpMethodBase
.java:1554)
>50> Cookie rejected: "$Version=0;
session_id=768c4e7d1255c0c3e3d3cc517b1d245e14b793390b4395d3c36b26f7cf45f18c;
$Path=/; $Domain=myopenid.com". Domain attribute "myopenid.com" violates
RFC 2109: domain must start with a dot

My solution is to add this before the consumer does it's work:

CookiePolicy.registerCookieSpec(CookiePolicy.DEFAULT, CookieSpecBase.class);

This, however, seems to be a global change that affects all instances of
httpclient in the application.  This may not be acceptable for some
applications and warrants some further testing.

Source uses "net.openid" as package-name basis. This has not been endorsed
by openid.net. 

Both the ConsumerManager and ServerManager classes should be thread-safe so
they can be used in a multi-threaded environment (like a servlet container).

might have minor fuzz around the maven build fix patch.

Contains exclusions to common-logging dependencies to avoid importing all
loggers it can possibly use, and let the user depend on one if they want
log messages instead. switches dependencies to use parent pom dependency
management for versioning and scope instead of spreading it out over the
poms. some other minor tweaks included.

What steps will reproduce the problem?
1. Create a ConsumerManager using the code at
http://code.sxip.com/openid4java/apidoc/
2. Use it as explained in the apidoc

What is the expected output? What do you see instead?
You get null pointer exceptions when verifying nonces and associations. 

What version of the product are you using? On what operating system?
java-openid-sxip-0.9.1.74.tar.gz

Please provide any additional information below.

Here's the working code:
    ConsumerManager newmgr=new ConsumerManager();
    newmgr.setAssociations(new InMemoryConsumerAssociationStore());
    newmgr.setNonceVerifier(new InMemoryNonceVerifier(5000));

I understand the ConsumerManager class has changed in subversion, but the
current packaged version is confusing.