Repository: cxf Updated Branches: refs/heads/3.0.x-fixes 3fb7debb0 -> f18b8694d
[CXF-6559] Avoiding NPE in AbstractOAuthDataProvider.refreshAccessToken Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/f18b8694 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/f18b8694 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/f18b8694 Branch: refs/heads/3.0.x-fixes Commit: f18b8694d2c7bae3f36d133985182594a6e28445 Parents: 3fb7deb Author: Sergey Beryozkin <[email protected]> Authored: Wed Aug 26 12:09:48 2015 +0100 Committer: Sergey Beryozkin <[email protected]> Committed: Wed Aug 26 12:11:10 2015 +0100 ---------------------------------------------------------------------- .../rs/security/oauth2/provider/AbstractOAuthDataProvider.java | 5 ++++- .../oauth2/provider/DefaultEncryptingOAuthDataProvider.java | 6 +++++- 2 files changed, 9 insertions(+), 2 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/f18b8694/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java ----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
index 20a4774..accd4af 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
@@ -51,7 +51,10 @@ public abstract class AbstractOAuthDataProvider implements OAuthDataProvider { @Override public ServerAccessToken refreshAccessToken(Client client, String refreshTokenKey, List<String> restrictedScopes) throws OAuthServiceException { - RefreshToken oldRefreshToken = revokeRefreshAndAccessTokens(client, refreshTokenKey); + RefreshToken oldRefreshToken = revokeRefreshAndAccessTokens(client, refreshTokenKey); + if (oldRefreshToken == null) { + throw new OAuthServiceException(OAuthConstants.ACCESS_DENIED); + } return doRefreshAccessToken(client, oldRefreshToken, restrictedScopes); } http://git-wip-us.apache.org/repos/asf/cxf/blob/f18b8694/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/DefaultEncryptingOAuthDataProvider.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/DefaultEncryptingOAuthDataProvider.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/DefaultEncryptingOAuthDataProvider.java index eae9120..d033b1f 100644 --- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/DefaultEncryptingOAuthDataProvider.java +++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/DefaultEncryptingOAuthDataProvider.java 
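Review bot: The new null branch in `refreshAccessToken` reports `OAuthConstants.ACCESS_DENIED`, but RFC 6749 section 5.2 assigns `invalid_grant` to a refresh token that is invalid, expired or revoked, while `access_denied` belongs to the authorization endpoint. Consider `throw new OAuthServiceException(OAuthConstants.INVALID_GRANT);` here and in the `catch (SecurityException ex)` added to `DefaultEncryptingOAuthDataProvider.revokeRefreshToken`, assuming the token endpoint passes the code through unchanged (that mapping is outside the hunk). An unknown key on this path can also be a second presentation of a token that was already rotated out, so a warning log carrying the client id, and never the token value, before the throw would give operators something to alert on.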
@@ -109,7 +109,11 @@ public class DefaultEncryptingOAuthDataProvider extends AbstractOAuthDataProvide
 @Override
 protected RefreshToken revokeRefreshToken(Client client, String refreshTokenKey) {
 refreshTokens.remove(refreshTokenKey);
- return ModelEncryptionSupport.decryptRefreshToken(this, refreshTokenKey, key);
+ try {
+ return ModelEncryptionSupport.decryptRefreshToken(this, refreshTokenKey, key);
+ } catch (SecurityException ex) {
+ throw new OAuthServiceException(OAuthConstants.ACCESS_DENIED, ex);
+ }
 }
 
 private void encryptAccessToken(ServerAccessToken token) {
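Review bot: `revokeRefreshToken` discards the result of `refreshTokens.remove(refreshTokenKey)`, so a key that is no longer tracked (already revoked or rotated out) still goes on to `decryptRefreshToken` and is returned as a live token whenever the ciphertext decrypts. If `refreshTokens` is the provider's record of outstanding refresh tokens, which the hunk suggests but does not show, the method should return `null` when `remove` reports the key was absent, so that the null check this commit adds in `AbstractOAuthDataProvider.refreshAccessToken` rejects it. The new catch also covers only `SecurityException`; whether `decryptRefreshToken` can fail with other runtime exceptions on a malformed key is not visible here and is worth confirming. The declaration of `refreshTokens` and the rest of the class lie outside the hunk.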
