cxf-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "vdveer (JIRA)" <j...@apache.org>
Subject [jira] [Created] (CXF-5092) RequestTokenService signature verification bug [OAuthUtils]
Date Wed, 26 Jun 2013 10:41:20 GMT
vdveer created CXF-5092:
---------------------------

             Summary: RequestTokenService signature verification bug [OAuthUtils]
                 Key: CXF-5092
                 URL: https://issues.apache.org/jira/browse/CXF-5092
             Project: CXF
          Issue Type: Bug
          Components: JAX-RS Security
    Affects Versions: 2.7.5
            Reporter: vdveer
            Priority: Minor


When accessing the RequestTokenService of the cxf-rt-rs-security-oauth framework, consumer
key and secret will be used to validate the signature of the sent message. When signature
fails (ie. wrong clientsecret), an exception is thrown and catched, but since the actual requesttoken
is null at that time, the exception is not thrown any further and the requesttoken will be
generated afterwards and passed to the connected client even when the signature verification
failed. See snippet.

try {
            validator.validateMessage(oAuthMessage, accessor);
        } catch (Exception ex) {
            if (token != null) {
                provider.removeToken(token);
                throw ex;
            }
}

If I'm correct, a possible solution will be to move the throw exception statement out of the
if statement so that in case of catched exception it's always thrown further.

This is a minor bug, since in the next oauth step the signature verification will fail and
since the token will not be null in this case, the exception is thrown the oauth flow will
end unsuccesful. 


--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

Mime
View raw message