[
https://issues.apache.org/jira/browse/TOMEE-4620?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Markus Jung updated TOMEE-4620:
-------------------------------
Fix Version/s: 10.1.6
11.0.0
> Misspelled field accesToken in OIDC TokenResponse prevents interoperability
> with custom JSON providers (Jackson)
> ----------------------------------------------------------------------------------------------------------------
>
> Key: TOMEE-4620
> URL: https://issues.apache.org/jira/browse/TOMEE-4620
> Project: TomEE
> Issue Type: Bug
> Components: TomEE Core Server
> Affects Versions: 11.0.0-M1, 10.1.5
> Reporter: Jason
> Assignee: Markus Jung
> Priority: Major
> Fix For: 10.1.6, 11.0.0
>
>
> In the Jakarta Security OpenID Connect implementation, the class
> {{org.apache.tomee.security.http.openid.model.TokenResponse}} contains a
> spelling error in both its field definition and its getter method. The word
> "access" is misspelled with a single "s" as {{{}accesToken{}}}.
> While this typo is masked when using the default JSON-B provider (Apache
> Johnzon) because it honours the
> {{@JsonbProperty(OpenIdConstant.ACCESS_TOKEN)}} annotation during
> deserialisation, it breaks interoperability when an application swaps or
> registers a global custom provider tier, such as Jackson or an alternative
> ObjectMapper engine.
> Because Jackson and other standard mapping engines natively translate the
> Java field name {{accesToken}} into snake-case as {{{}acces_token{}}}, they
> fail to bind the standard OIDC incoming JSON payload property
> {{access_token}} (spelled with two 's' characters). This results in the field
> being bound as {{{}null{}}}.
> Downstream, this silent {{null}} binding leads to an unhandled
> {{NullPointerException}} inside TomEE's security lifecycle validation engine
> when it attempts to run sequence-checks on the token (e.g., calling
> {{.startsWith()}} on a null reference):
>
> {quote}{{WARNING [http-nio-8080-exec-3]
> org.apache.tomee.security.cdi.openid.OpenIdIdentityStore.createAccessToken
> access_token is invalid: JWT processing failed.
> Additional details: [[17] Unexpected exception encountered while processing
> JOSE object (cause: java.lang.NullPointerException: Cannot invoke
> "String.startsWith(String)" because "cs" is null): null]}}{quote}
> *Proposed Fix:*
> # Rename the internal field variable from {{accesToken}} to
> {{{}accessToken{}}}.
> # Rename the accompanying public getter method from {{getAccesToken()}} to
> {{{}getAccessToken(){}}}.
> *Additional Note:*
> Although unrelated to my issue with the above, I also noted the same
> misspelling in the class name:
> org.apache.tomee.security.http.openid.model.TomEEAccesToken (missing the "s"
> and should be *TomEEAccessToken*
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)