cxf-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Sergey Beryozkin (JIRA)" <j...@apache.org>
Subject [jira] [Resolved] (CXF-4337) A NullPointerException is thrown during token validation
Date Thu, 24 May 2012 21:24:13 GMT

     [ https://issues.apache.org/jira/browse/CXF-4337?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Sergey Beryozkin resolved CXF-4337.
-----------------------------------

       Resolution: Fixed
    Fix Version/s: 2.6.1
         Assignee: Sergey Beryozkin

Thanks for catching the issue early.
By the way, are you planning to use a refresh_token grant to get a new token for a client
? I added a default handler for that, but I guess a custom handler can also be registered

                
> A NullPointerException is thrown during token validation
> --------------------------------------------------------
>
>                 Key: CXF-4337
>                 URL: https://issues.apache.org/jira/browse/CXF-4337
>             Project: CXF
>          Issue Type: Bug
>          Components: JAX-RS Security
>    Affects Versions: 2.6
>            Reporter: Jordi Torrente
>            Assignee: Sergey Beryozkin
>              Labels: oauth2
>             Fix For: 2.6.1
>
>
> If we build a request Authorization header using a renewed token, a NullPointerException
can raise (at server tier) when trying to validate it:
> java.lang.NullPointerException
> 	at org.apache.cxf.rs.security.oauth2.common.AccessTokenValidation.<init>(AccessTokenValidation.java:53)
> 	at org.apache.cxf.rs.security.oauth2.services.AbstractAccessTokenValidator.getAccessTokenValidation(AbstractAccessTokenValidator.java:117)
> 	
> AbstractAccessTokenValidator: if there are no registered handlers to process the token,
the code will use the injected dataprovider to get the corresponding token instance, but this
returned object can be null (for example if the token has been renewed and the dataprovider
has removed all its information), therefore AccessTokenValidation constructor will throw a
NullPointerException
>     try {
>         localAccessToken = dataProvider.getAccessToken(authSchemeData);
>         accessTokenV = new AccessTokenValidation(localAccessToken);
>     } catch (OAuthServiceException ex) {
>         AuthorizationUtils.throwAuthorizationFailure(
>             Collections.singleton(authScheme));
>     }
> So it would be useful to check localAccessToken value before passing it to AccessTokenValidation
constructor, for example:
> try {
>     localAccessToken = dataProvider.getAccessToken(authSchemeData);
>     if (localAccessToken == null) {
> 	AuthorizationUtils.throwAuthorizationFailure(supportedSchemes);
>     }
> 	
>     accessTokenV = new AccessTokenValidation(localAccessToken);
> } catch (OAuthServiceException ex) {
>     AuthorizationUtils.throwAuthorizationFailure(
>         Collections.singleton(authScheme));
> }

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

Mime
View raw message