cxf-issues mailing list archives

From "Daniel Kulp (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CXF-4427) Error details are discarded and never sent to the client
Date Mon, 16 Jul 2012 16:50:35 GMT

    [ https://issues.apache.org/jira/browse/CXF-4427?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13415373#comment-13415373
] 

Daniel Kulp commented on CXF-4427:
----------------------------------

This would likely need to be completely optional and turned OFF by default.  Any details about
errors surrounding security issues should not be sent back to the client by default, to avoid
sending information that can help create new attack vectors.

> Error details are discarded and never sent to the client
> --------------------------------------------------------
>
>                 Key: CXF-4427
>                 URL: https://issues.apache.org/jira/browse/CXF-4427
>             Project: CXF
>          Issue Type: Bug
>          Components: JAX-RS Security
>    Affects Versions: 2.7.0
>            Reporter: Jordi Torrente
>              Labels: oauth2
>
> Current AccessTokenService implementation catches all OAuthServiceExceptions and returns
> a generic error response discarding all the exception details:
>         ServerAccessToken serverToken = null;
>         try {
>             serverToken = handler.createAccessToken(client, params);
>         } catch (OAuthServiceException ex) {
>             // the error response is to be returned next
>         }
>         if (serverToken == null) {
>             return createErrorResponse(params, OAuthConstants.INVALID_GRANT);
>         }
> I think it would be more useful to create the OAuthError object to return using the exception's
> message, in order to receive the error code/details at the client layer.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
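The shape the comment above asks for, as an added example that is not CXF's code: the caught exception is kept for the server log, and its details reach the client only when a deployer has opted in. The classes below are stand-ins for the CXF types named in the issue (OAuthServiceException, OAuthError, ServerAccessToken, the grant handler) and the `reportClientErrorDetails` switch is a hypothetical name; none of it is CXF's API.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Stand-ins for the CXF types named in the issue. Their shape here is an
// assumption made for this example, not CXF's API.
final class OAuthError {
    final String error;            // RFC 6749 error code, e.g. "invalid_grant"
    final String errorDescription; // free text saying why the grant failed, may be null

    OAuthError(String error, String errorDescription) {
        this.error = error;
        this.errorDescription = errorDescription;
    }

    // Body of the HTTP 400 response; error_description is only present when set.
    Map<String, String> toResponseBody() {
        Map<String, String> body = new LinkedHashMap<>();
        body.put("error", error);
        if (errorDescription != null) {
            body.put("error_description", errorDescription);
        }
        return body;
    }
}

final class OAuthServiceException extends RuntimeException {
    final OAuthError error;

    OAuthServiceException(OAuthError error) {
        super(error.error + ": " + error.errorDescription);
        this.error = error;
    }
}

final class ServerAccessToken {
    final String tokenKey;
    ServerAccessToken(String tokenKey) { this.tokenKey = tokenKey; }
}

interface AccessTokenGrantHandler {
    ServerAccessToken createAccessToken(String clientId, Map<String, String> params)
            throws OAuthServiceException;
}

public class AccessTokenServiceExample {
    // Hypothetical switch, OFF by default: clients get a bare "invalid_grant"
    // unless the deployer explicitly opts in to detailed error responses.
    private boolean reportClientErrorDetails = false;

    public void setReportClientErrorDetails(boolean report) {
        this.reportClientErrorDetails = report;
    }

    public Map<String, String> handleTokenRequest(AccessTokenGrantHandler handler,
                                                  String clientId,
                                                  Map<String, String> params) {
        ServerAccessToken serverToken = null;
        OAuthServiceException failure = null;
        try {
            serverToken = handler.createAccessToken(clientId, params);
        } catch (OAuthServiceException ex) {
            failure = ex; // kept for the server log and the optional detailed response
        }
        if (serverToken == null) {
            return createErrorResponse(params, failure);
        }
        Map<String, String> ok = new LinkedHashMap<>();
        ok.put("access_token", serverToken.tokenKey);
        ok.put("token_type", "Bearer");
        return ok;
    }

    private Map<String, String> createErrorResponse(Map<String, String> params,
                                                    OAuthServiceException failure) {
        if (failure != null) {
            // The full reason always goes to the server log instead of being dropped.
            System.err.println("token request for grant_type=" + params.get("grant_type")
                    + " failed: " + failure.getMessage());
        }
        if (reportClientErrorDetails && failure != null) {
            return failure.error.toResponseBody();
        }
        // Default: generic code only, no description that could guide an attacker.
        return new OAuthError("invalid_grant", null).toResponseBody();
    }

    public static void main(String[] args) {
        // Constructed handler that fails the way a real grant handler might.
        AccessTokenGrantHandler failingHandler = (cid, p) -> {
            throw new OAuthServiceException(new OAuthError("invalid_grant",
                    "authorization code already redeemed for client " + cid));
        };
        Map<String, String> params = new LinkedHashMap<>(); // constructed sample input
        params.put("grant_type", "authorization_code");
        params.put("code", "example-code");

        AccessTokenServiceExample service = new AccessTokenServiceExample();
        System.out.println("default:  " + service.handleTokenRequest(failingHandler, "client-1", params));
        service.setReportClientErrorDetails(true);
        System.out.println("opted in: " + service.handleTokenRequest(failingHandler, "client-1", params));
    }
}
```

With the switch left at its default the client sees only `{error=invalid_grant}`; after opting in it also receives the `error_description` carried by the exception, while the server log gets the full message in both cases.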
