cxf-issues mailing list archives

From "Jordi Torrente (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CXF-4337) A NullPointerException is thrown during token validation
Date Fri, 25 May 2012 09:12:23 GMT

    [ https://issues.apache.org/jira/browse/CXF-4337?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13283229#comment-13283229 ]

Jordi Torrente commented on CXF-4337:
-------------------------------------

You're welcome Sergey :)

Yes, I implemented a custom refresh_token grant and I assigned "OAuthConstants.REFRESH_TOKEN_GRANT"
as its type, so AccessTokenService uses your default handler to process it. For the time being
I haven't needed a special handler, but having the possibility to register a custom one is
a great option.

Thanks & regards
                
> A NullPointerException is thrown during token validation
> --------------------------------------------------------
>
>                 Key: CXF-4337
>                 URL: https://issues.apache.org/jira/browse/CXF-4337
>             Project: CXF
>          Issue Type: Bug
>          Components: JAX-RS Security
>    Affects Versions: 2.6
>            Reporter: Jordi Torrente
>            Assignee: Sergey Beryozkin
>              Labels: oauth2
>             Fix For: 2.6.1
>
>
> If we build a request Authorization header using a renewed token, a NullPointerException can be raised (at server tier) when trying to validate it:
> java.lang.NullPointerException
> 	at org.apache.cxf.rs.security.oauth2.common.AccessTokenValidation.<init>(AccessTokenValidation.java:53)
> 	at org.apache.cxf.rs.security.oauth2.services.AbstractAccessTokenValidator.getAccessTokenValidation(AbstractAccessTokenValidator.java:117)
> 	
> AbstractAccessTokenValidator: if there are no registered handlers to process the token, the code will use the injected dataprovider to get the corresponding token instance, but this returned object can be null (for example if the token has been renewed and the dataprovider has removed all its information), therefore AccessTokenValidation constructor will throw a NullPointerException.
>     try {
>         localAccessToken = dataProvider.getAccessToken(authSchemeData);
>         accessTokenV = new AccessTokenValidation(localAccessToken);
>     } catch (OAuthServiceException ex) {
>         AuthorizationUtils.throwAuthorizationFailure(
>             Collections.singleton(authScheme));
>     }
> So it would be useful to check localAccessToken value before passing it to AccessTokenValidation constructor, for example:
> try {
>     localAccessToken = dataProvider.getAccessToken(authSchemeData);
>     if (localAccessToken == null) {
>         AuthorizationUtils.throwAuthorizationFailure(supportedSchemes);
>     }
>
>     accessTokenV = new AccessTokenValidation(localAccessToken);
> } catch (OAuthServiceException ex) {
>     AuthorizationUtils.throwAuthorizationFailure(
>         Collections.singleton(authScheme));
> }

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
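
The failure mode described in the quoted report, as an added stand-alone Java example (not code from CXF or from the reporter): a data provider that forgets a renewed token returns null, and the validator either dereferences it or turns it into an authorization failure. All class, method and token names here are hypothetical stand-ins, and the token values are constructed.

```java
import java.util.HashMap;
import java.util.Map;

// Added illustration; every type here is a hypothetical stand-in, not a CXF class.
public class RenewedTokenLookup {
    // Minimal token: its key and the client it was issued to (Java 16+ record).
    record Token(String key, String clientId) {}

    // Stand-in for the authorization failure a validator reports to the caller.
    static class AuthorizationFailure extends RuntimeException {
        AuthorizationFailure(String message) { super(message); }
    }

    // In-memory provider that drops all data for a token once it is renewed.
    static class InMemoryProvider {
        private final Map<String, Token> tokens = new HashMap<>();
        void issue(Token token) { tokens.put(token.key(), token); }
        Token renew(String oldKey, String newKey) {
            Token old = tokens.remove(oldKey);
            if (old == null) throw new AuthorizationFailure("cannot renew unknown token");
            Token renewed = new Token(newKey, old.clientId());
            tokens.put(newKey, renewed);
            return renewed;
        }
        Token getAccessToken(String key) { return tokens.get(key); } // null if unknown
    }

    // Unchecked path: dereferences whatever the provider returned.
    static String validateUnchecked(InMemoryProvider provider, String key) {
        return provider.getAccessToken(key).clientId();
    }

    // Checked path: a missing token becomes an authorization failure.
    static String validateChecked(InMemoryProvider provider, String key) {
        Token token = provider.getAccessToken(key);
        if (token == null) throw new AuthorizationFailure("unknown or renewed token");
        return token.clientId();
    }

    public static void main(String[] args) {
        InMemoryProvider provider = new InMemoryProvider();
        provider.issue(new Token("old-token", "client-1")); // constructed sample values
        provider.renew("old-token", "new-token");
        System.out.println("renewed token -> " + validateChecked(provider, "new-token"));
        try { validateUnchecked(provider, "old-token"); }
        catch (NullPointerException e) { System.out.println("unchecked: NullPointerException"); }
        try { validateChecked(provider, "old-token"); }
        catch (AuthorizationFailure e) { System.out.println("checked: " + e.getMessage()); }
    }
}
```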
