[jira] [Resolved] (CXF-4318) OAuthRequestFilter generates an empty WWW-Authenticate header

Tue, 15 May 2012 13:39:32 -0700 

     [ 
https://issues.apache.org/jira/browse/CXF-4318?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Sergey Beryozkin resolved CXF-4318.
-----------------------------------

       Resolution: Fixed
    Fix Version/s: 2.6.1
         Assignee: Sergey Beryozkin

only 401 is returned when no challenges are available, see

http://svn.apache.org/viewvc?rev=1338879&view=rev
                
> OAuthRequestFilter generates an empty WWW-Authenticate header
> -------------------------------------------------------------
>
>                 Key: CXF-4318
>                 URL: https://issues.apache.org/jira/browse/CXF-4318
>             Project: CXF
>          Issue Type: Bug
>          Components: JAX-RS Security
>    Affects Versions: 2.6
>            Reporter: Jordi Torrente
>            Assignee: Sergey Beryozkin
>              Labels: oauth2
>             Fix For: 2.6.1
>
>
> When using OAuthRequestFilter to protect a resource if we don't set any 
> member for its "tokenHandlers" list, a request without an "Authorization" 
> header will generate a response like:
> Response-Code: 401
> Content-Type: text/xml
> Headers: {WWW-Authenticate=[], Date=[Tue, 15 May 2012 15:27:43 GMT], 
> Content-Length=[0]}
> And when trying to process it at the client layer a 
> "java.lang.IllegalArgumentException" will be thrown:
> URL uri = new URL("http://SomeFilteredResource";);
> HttpURLConnection conn = (HttpURLConnection)uri.openConnection();
> int code = conn.getResponseCode();
> Receives:
> java.lang.RuntimeException: java.lang.IllegalArgumentException: invalid start 
> or end
>       at 
> sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1137)
>       at 
> sun.net.www.protocol.http.HttpURLConnection.getHeaderField(HttpURLConnection.java:2338)
>       at 
> java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:388)
>       
> I suppose the reason could be the empty "WWW-Authenticate" header's value, so 
> the method AuthorizationUtils.throwAuthorizationFailure() should be fixed to 
> avoid this situation
> Regards

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

Reply via email to