Jordi Torrente created CXF-4337:
-----------------------------------

             Summary: A NullPointerException is thrown during token validation
                 Key: CXF-4337
                 URL: https://issues.apache.org/jira/browse/CXF-4337
             Project: CXF
          Issue Type: Bug
          Components: JAX-RS Security
    Affects Versions: 2.6
            Reporter: Jordi Torrente


If we build a request Authorization header using a renewed token, a 
NullPointerException can be raised (on the server side) when trying to validate it:

java.lang.NullPointerException
        at org.apache.cxf.rs.security.oauth2.common.AccessTokenValidation.<init>(AccessTokenValidation.java:53)
        at org.apache.cxf.rs.security.oauth2.services.AbstractAccessTokenValidator.getAccessTokenValidation(AbstractAccessTokenValidator.java:117)

AbstractAccessTokenValidator: if there are no registered handlers to process 
the token, the code will use the injected data provider to get the corresponding 
token instance, but the returned object can be null (for example if the token 
has been renewed and the data provider has removed all its information); 
therefore the AccessTokenValidation constructor will throw a NullPointerException.

try {
    localAccessToken = dataProvider.getAccessToken(authSchemeData);
    accessTokenV = new AccessTokenValidation(localAccessToken);
} catch (OAuthServiceException ex) {
    AuthorizationUtils.throwAuthorizationFailure(
        Collections.singleton(authScheme));
}

So it would be useful to check the localAccessToken value before passing it to 
the AccessTokenValidation constructor, for example:

try {
    localAccessToken = dataProvider.getAccessToken(authSchemeData);

    if (localAccessToken == null) {
        AuthorizationUtils.throwAuthorizationFailure(supportedSchemes);
    }
        
    accessTokenV = new AccessTokenValidation(localAccessToken);
} catch (OAuthServiceException ex) {
    AuthorizationUtils.throwAuthorizationFailure(
        Collections.singleton(authScheme));
}
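To make the failure mode concrete, here is an added example (not CXF code) that models the path above with hypothetical stand-ins: TokenStore for the injected data provider, Token for the stored token and AuthFailure for AuthorizationUtils.throwAuthorizationFailure. Renewing a token removes the old key, so a request that still carries the old token gets null back from the provider; the unchecked path dereferences it and the checked path turns it into an authorization failure.

```java
import java.util.HashMap;
import java.util.Map;

// Added example, not CXF code: a minimal model of the validator path in the report.
// Hypothetical names: Token, TokenStore (for the injected data provider) and AuthFailure
// (for AuthorizationUtils.throwAuthorizationFailure) are stand-ins, not CXF classes.
public class RenewedTokenValidation {
    static final class Token { final String subject; Token(String s) { subject = s; } }
    static final class AuthFailure extends RuntimeException {
        AuthFailure(String msg) { super(msg); }
    }
    /** Stand-in data provider: renewing a token removes the old key entirely. */
    static final class TokenStore {
        private final Map<String, Token> tokens = new HashMap<>();
        void issue(String key, String subject) { tokens.put(key, new Token(subject)); }
        void renew(String oldKey, String newKey) { tokens.put(newKey, tokens.remove(oldKey)); }
        Token getAccessToken(String key) { return tokens.get(key); } // null if unknown or renewed
    }

    /** Mirrors the reported path: the provider result is dereferenced without a null check. */
    static String validateUnchecked(TokenStore store, String key) {
        Token token = store.getAccessToken(key);
        return token.subject; // NullPointerException for a renewed key, surfaced as a server error
    }

    /** The suggested fix: a missing token is an authorization failure, not a server error. */
    static String validateChecked(TokenStore store, String key) {
        Token token = store.getAccessToken(key);
        if (token == null) {
            throw new AuthFailure("unknown or renewed token");
        }
        return token.subject;
    }

    public static void main(String[] args) {
        TokenStore store = new TokenStore();
        store.issue("tok-1", "alice");   // constructed sample data
        store.renew("tok-1", "tok-2");   // client now holds tok-2; a stale client may still send tok-1
        try {
            validateUnchecked(store, "tok-1");
        } catch (NullPointerException e) {
            System.out.println("unchecked: NullPointerException");
        }
        try {
            validateChecked(store, "tok-1");
        } catch (AuthFailure e) {
            System.out.println("checked: " + e.getMessage());
        }
        System.out.println("checked, current token: " + validateChecked(store, "tok-2"));
    }
}
```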

