cxf-issues mailing list archives

From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CXF-6561) ResourceOwnerGrantHandler: ResourceOwnerLoginHandler can't return null or throw exception
Date Wed, 26 Aug 2015 23:49:46 GMT

    [ https://issues.apache.org/jira/browse/CXF-6561?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14715766#comment-14715766 ]

ASF GitHub Bot commented on CXF-6561:
-------------------------------------

GitHub user karlvr opened a pull request:

    https://github.com/apache/cxf/pull/83

    [CXF-6561] [CXF-6562] ResourceOwnerGrantHandler improvements

    ResourceOwnerGrantHandler calls a customisable ResourceOwnerLoginHandler instance, however
    the `createSubject(String, String)` method declares no exceptions, and a null return value
    is not handled. This can possibly result in the issuing of an access token if the DataProvider
    doesn't check for the null subject.
    ResourceOwnerGrantHandler.createAccessToken(...) appears to expect that the ResourceOwnerLoginHandler
    will throw an `Exception` (literally any Exception), however the method signature of the ResourceOwnerLoginHandler
    interface doesn't allow that.
    
    Also, ResourceOwnerGrantHandler has a setter for loginHandler but not a getter. Minor,
    but perhaps we should add one for completeness?

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/karlvr/cxf resource-owner-grant

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/cxf/pull/83.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #83
    
----
commit e407bc91bb0e48bf6feb6c4b12b3c7ced87a9732
Author: Karl von Randow <karl@cactuslab.com>
Date:   2015-08-26T23:45:06Z

    [CXF-6561] ResourceOwnerGrantHandler: handle null result from loginHandler
    
    Document that ResourceOwnerLoginHandler should return null in the event that the user
    credentials are not valid.
    
    There is no need to catch a RuntimeException, or any Exception, as only RuntimeExceptions
    (or Errors) can be thrown by the createSubject method as it has no declared exceptions.

commit 62ebe027a7d0e24f4eca5da0fff93bcdea692776
Author: Karl von Randow <karl@cactuslab.com>
Date:   2015-08-26T23:47:36Z

    [CXF-6562] ResourceOwnerGrantHandler: add getter for loginHandler

----


> ResourceOwnerGrantHandler: ResourceOwnerLoginHandler can't return null or throw exception
> -----------------------------------------------------------------------------------------
>
>                 Key: CXF-6561
>                 URL: https://issues.apache.org/jira/browse/CXF-6561
>             Project: CXF
>          Issue Type: Bug
>          Components: JAX-RS Security
>    Affects Versions: 3.1.2
>            Reporter: Karl von Randow
>
> ResourceOwnerGrantHandler calls a customisable ResourceOwnerLoginHandler instance, however
> the `createSubject(String, String)` method declares no exceptions, and a null return value
> is not handled. This can possibly result in the issuing of an access token if the DataProvider
> doesn't check for the null subject.
> ResourceOwnerGrantHandler.createAccessToken(...) appears to expect that the ResourceOwnerLoginHandler
> will throw an `Exception` (literally any Exception), however the method signature of the ResourceOwnerLoginHandler
> interface doesn't allow that.
> I will submit a pull request with a suggested fix.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
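
The null-subject case described in CXF-6561, as an added example that is not code from the pull request or from Apache CXF: a grant handler that refuses to issue a token when the login handler returns null, and issues none when the handler throws an unchecked exception. The types are simplified stand-ins that reuse the page's names `ResourceOwnerLoginHandler` and `createSubject(String, String)`; `Subject`, `AccessToken`, `GrantDeniedException`, `attempt` and the credentials are hypothetical and constructed for illustration (records need Java 16 or later).

```java
import java.util.Map;

// Added illustration: simplified stand-in types, not the Apache CXF classes.
public class FailClosedGrantExample {

    /** Contract as documented in the fix: return null when credentials are not valid. */
    interface ResourceOwnerLoginHandler {
        Subject createSubject(String name, String password);
    }

    record Subject(String login) {}
    record AccessToken(String subjectLogin) {}

    static class GrantDeniedException extends RuntimeException {
        GrantDeniedException(String reason) { super(reason); }
    }

    /** Issues a token only for a non-null subject; never passes null downstream. */
    static AccessToken createAccessToken(ResourceOwnerLoginHandler handler,
                                         String name, String password) {
        if (name == null || password == null) {
            throw new GrantDeniedException("missing credentials");
        }
        // An unchecked exception from the handler propagates, so no token is built.
        Subject subject = handler.createSubject(name, password);
        if (subject == null) {
            throw new GrantDeniedException("invalid credentials");
        }
        return new AccessToken(subject.login());
    }

    /** Maps every failure path to a denial so the three outcomes can be compared. */
    static String attempt(ResourceOwnerLoginHandler handler, String name, String password) {
        try {
            return "token for " + createAccessToken(handler, name, password).subjectLogin();
        } catch (GrantDeniedException ex) {
            return "denied: " + ex.getMessage();
        } catch (RuntimeException ex) {
            return "denied: handler error (" + ex.getClass().getSimpleName() + ")";
        }
    }

    public static void main(String[] args) {
        Map<String, String> users = Map.of("alice", "correct-horse"); // constructed sample
        ResourceOwnerLoginHandler nullOnFailure =
            (n, p) -> p.equals(users.get(n)) ? new Subject(n) : null;
        ResourceOwnerLoginHandler throwing =
            (n, p) -> { throw new IllegalStateException("directory unavailable"); };
        System.out.println(attempt(nullOnFailure, "alice", "correct-horse"));
        System.out.println(attempt(nullOnFailure, "alice", "wrong"));
        System.out.println(attempt(throwing, "alice", "correct-horse"));
    }
}
```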
