cxf-issues mailing list archives

From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CXF-7264) NPE on OAuth RO/CC flows using JPA
Date Thu, 09 Mar 2017 15:06:41 GMT

    [ https://issues.apache.org/jira/browse/CXF-7264?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15903175#comment-15903175 ]

ASF GitHub Bot commented on CXF-7264:
-------------------------------------

GitHub user gonzalad opened a pull request:

    https://github.com/apache/cxf/pull/242

    CXF-7264: NPE on OAuth RO/CC flows using JPA

     * UserSubject can already be an OidcUserSubject in database while
       in current request (when using RO flow) it is a UserSubject.
       Merging UserSubject produces an error.
       We fix this by avoiding merge when userSubject already exists
       in db.
     * client.subject can be null when using CC flow.

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/gonzalad/cxf CXF-7264

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/cxf/pull/242.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #242
    
----
commit 3a53cc0f6a8384768250a8f5806b56b95d5fc029
Author: gonzalad <adr_gonzalez@yahoo.fr>
Date:   2017-03-03T11:51:14Z

    CXF-7264: NPE on OAuth RO/CC flows using JPA
    
     * UserSubject can already be an OidcUserSubject in database while
       in current request (when using RO flow) it is a UserSubject.
       Merging UserSubject produces an error.
       We fix this by avoiding merge when userSubject already exists
       in db.
     * client.subject can be null when using CC flow.

----


> NPE on OAuth RO/CC flows using JPA
> ----------------------------------
>
>                 Key: CXF-7264
>                 URL: https://issues.apache.org/jira/browse/CXF-7264
>             Project: CXF
>          Issue Type: Bug
>    Affects Versions: 3.1.10
>            Reporter: gonzalad
>
> *NPE on RO flow*
> I'm using the org.apache.cxf.rs.security.oauth2.grants.code.JPACMTCodeDataProvider oauthProvider.
> Whenever I call a RO flow, i.e. like :
> curl -v -X POST http://localhost:9080/oidc/oauth2/token -d "grant_type=password&username=alice&password=alice&scope=openid" -u PMEvtbd94ca6oQ:_gSNdEM4ELeZ57h8FuVQpQ
> I get :
> {code}
> idp_1  | javax.persistence.PersistenceException: org.hibernate.WrongClassException: Object with id: null was not of the specified subclass: org.apache.cxf.rs.security.oauth2.common.UserSubject (class of the given object did not match class of persistent copy)
> idp_1  | 	at org.hibernate.ejb.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1387)
> idp_1  | 	at org.hibernate.ejb.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1310)
> idp_1  | 	at org.hibernate.ejb.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1316)
> idp_1  | 	at org.hibernate.ejb.AbstractEntityManagerImpl.merge(AbstractEntityManagerImpl.java:898)
> idp_1  | 	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> idp_1  | 	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> idp_1  | 	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> idp_1  | 	at java.lang.reflect.Method.invoke(Method.java:498)
> idp_1  | 	at org.springframework.orm.jpa.SharedEntityManagerCreator$SharedEntityManagerInvocationHandler.invoke(SharedEntityManagerCreator.java:298)
> idp_1  | 	at com.sun.proxy.$Proxy73.merge(Unknown Source)
> idp_1  | 	at org.apache.cxf.rs.security.oauth2.provider.JPAOAuthDataProvider$12.execute(JPAOAuthDataProvider.java:270)
> idp_1  | 	at org.apache.cxf.rs.security.oauth2.provider.JPAOAuthDataProvider$12.execute(JPAOAuthDataProvider.java:251)
> idp_1  | 	at org.apache.cxf.rs.security.oauth2.provider.JPAOAuthDataProvider.executeInTransaction(JPAOAuthDataProvider.java:88)
> idp_1  | 	at org.apache.cxf.rs.security.oauth2.provider.JPAOAuthDataProvider.saveAccessToken(JPAOAuthDataProvider.java:251)
> idp_1  | 	at org.apache.cxf.rs.security.oauth2.provider.AbstractOAuthDataProvider.createAccessToken(AbstractOAuthDataProvider.java:64)
> idp_1  | 	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> idp_1  | 	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> idp_1  | 	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> idp_1  | 	at java.lang.reflect.Method.invoke(Method.java:498)
> idp_1  | 	at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:333)
> idp_1  | 	at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:190)
> idp_1  | 	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:157)
> idp_1  | 	at org.springframework.transaction.interceptor.TransactionInterceptor$1.proceedWithInvocation(TransactionInterceptor.java:99)
> idp_1  | 	at org.springframework.transaction.interceptor.TransactionAspectSupport.invokeWithinTransaction(TransactionAspectSupport.java:282)
> idp_1  | 	at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:96)
> idp_1  | 	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
> idp_1  | 	at org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:92)
> idp_1  | 	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
> idp_1  | 	at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:213)
> idp_1  | 	at com.sun.proxy.$Proxy74.createAccessToken(Unknown Source)
> {code}
> This comes from LOC : 
> sub1 = (UserSubject)em.merge(serverToken.getSubject());
> It returns serverToken.getSubject() and the subject in db are of different types and merge fails :
> serverToken.getSubject()
> 	class org.apache.cxf.rs.security.oauth2.common.UserSubject
> em.find(UserSubject.class, serverToken.getSubject().getId())
> 	class org.apache.cxf.rs.security.oidc.idp.OidcUserSubject
> *NPE on CC flow*
> Whenever I use a Client Credentials flow, i.e. like :
> curl -u PMEvtbd94ca6oQ:_gSNdEM4ELeZ57h8FuVQpQ http://localhost:9080/oidc/oauth2/token -d 'grant_type=client_credentials'
> I get a NPE in JPAOAuthDataProvider#saveAccessToken, because serverToken.getSubject() is null when using CC flow.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
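The two failure modes in the issue above (a plain UserSubject merged over a row already stored as OidcUserSubject, and a null subject on the client credentials flow) come down to one helper that looks the subject up before deciding whether to merge. The class below is an added illustration of that approach written for this archive page; it is not the code from pull request #242 or from CXF itself. It assumes CXF 3.1.x (for org.apache.cxf.rs.security.oauth2.common.UserSubject, whose getId() the issue already uses) and a JPA 2.x provider are on the classpath; the class and method names SubjectPersistence and resolveSubject are invented for the example.

```java
// Added example for this archive page, not the CXF-7264 pull request's own code.
// Assumes CXF 3.1.x (UserSubject) and a JPA 2.x EntityManager on the classpath.
import javax.persistence.EntityManager;
import org.apache.cxf.rs.security.oauth2.common.UserSubject;

public final class SubjectPersistence {

    private SubjectPersistence() {
    }

    /**
     * Returns the managed UserSubject to attach to a token, or null when the
     * grant carries no resource owner (client credentials flow).
     *
     * Hibernate's merge() throws WrongClassException when the detached instance
     * is a UserSubject but the row with the same id was stored as a subclass
     * (OidcUserSubject, when the same user previously went through an OIDC
     * flow). Looking the row up first and reusing the managed instance,
     * whatever its concrete class, avoids issuing that merge at all.
     */
    public static UserSubject resolveSubject(EntityManager em, UserSubject subject) {
        if (subject == null) {
            // Client credentials flow: no resource owner, nothing to persist.
            return null;
        }
        if (subject.getId() != null) {
            // find() returns the persistent copy in its stored class, so an
            // OidcUserSubject row comes back as an OidcUserSubject instance.
            UserSubject existing = em.find(UserSubject.class, subject.getId());
            if (existing != null) {
                // Already in the database: keep the persistent copy instead of
                // merging the request's plain UserSubject over it.
                return existing;
            }
        }
        // Not stored yet: merge returns the managed copy for the token to reference.
        return em.merge(subject);
    }
}
```

A caller in a token-saving path would do `token.setSubject(SubjectPersistence.resolveSubject(em, token.getSubject()))` inside the same transaction as the token insert. Note the trade-off the "skip merge when it already exists" approach implies: any properties the current request set on its detached UserSubject (new roles or properties, for instance) are not copied onto the stored row, so a deployment that expects the subject to be refreshed on every grant must copy those fields over explicitly rather than relying on merge().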
