[
https://issues.apache.org/jira/browse/CXF-4337?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Sergey Beryozkin resolved CXF-4337.
-----------------------------------
Resolution: Fixed
Fix Version/s: 2.6.1
Assignee: Sergey Beryozkin
Thanks for catching the issue early.
By the way, are you planning to use a refresh_token grant to get a new token
for a client? I added a default handler for that, but I guess a custom handler
can also be registered.
> A NullPointerException is thrown during token validation
> --------------------------------------------------------
>
> Key: CXF-4337
> URL: https://issues.apache.org/jira/browse/CXF-4337
> Project: CXF
> Issue Type: Bug
> Components: JAX-RS Security
> Affects Versions: 2.6
> Reporter: Jordi Torrente
> Assignee: Sergey Beryozkin
> Labels: oauth2
> Fix For: 2.6.1
>
>
> If we build a request Authorization header using a renewed token, a
> NullPointerException can be raised (at server tier) when trying to validate it:
> java.lang.NullPointerException
> at org.apache.cxf.rs.security.oauth2.common.AccessTokenValidation.<init>(AccessTokenValidation.java:53)
> at org.apache.cxf.rs.security.oauth2.services.AbstractAccessTokenValidator.getAccessTokenValidation(AbstractAccessTokenValidator.java:117)
>
> AbstractAccessTokenValidator: if there are no registered handlers to process
> the token, the code will use the injected dataprovider to get the
> corresponding token instance, but this returned object can be null (for
> example if the token has been renewed and the dataprovider has removed all
> its information), therefore the AccessTokenValidation constructor will throw a
> NullPointerException:
>     try {
>         localAccessToken = dataProvider.getAccessToken(authSchemeData);
>         accessTokenV = new AccessTokenValidation(localAccessToken);
>     } catch (OAuthServiceException ex) {
>         AuthorizationUtils.throwAuthorizationFailure(
>             Collections.singleton(authScheme));
>     }
> So it would be useful to check the localAccessToken value before passing it to
> the AccessTokenValidation constructor, for example:
>     try {
>         localAccessToken = dataProvider.getAccessToken(authSchemeData);
>         if (localAccessToken == null) {
>             AuthorizationUtils.throwAuthorizationFailure(supportedSchemes);
>         }
>
>         accessTokenV = new AccessTokenValidation(localAccessToken);
>     } catch (OAuthServiceException ex) {
>         AuthorizationUtils.throwAuthorizationFailure(
>             Collections.singleton(authScheme));
>     }
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
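The refresh scenario the report describes, as an added example that is not CXF's own code: a data provider drops the old token when a refresh_token grant issues a new one, and the proposed null check turns the lookup of the stale token into an authorization failure instead of a NullPointerException. All class and method names except getAccessToken and AccessTokenValidation are stand-ins I made up.

```java
import java.util.HashMap;
import java.util.Map;
// Added example, not CXF's own code: a minimal model of the CXF-4337 scenario.
// All names except getAccessToken and AccessTokenValidation are hypothetical stand-ins.
public class StaleTokenValidationDemo {
    // Stands in for AuthorizationUtils.throwAuthorizationFailure (an HTTP 401 to the client).
    static class AuthorizationFailure extends RuntimeException {
        AuthorizationFailure(String msg) { super(msg); }
    }
    static class ServerAccessToken {
        final String tokenKey;
        ServerAccessToken(String tokenKey) { this.tokenKey = tokenKey; }
    }
    // Dereferences the token the way the real constructor does at AccessTokenValidation.java:53.
    static class AccessTokenValidation {
        final String tokenKey;
        AccessTokenValidation(ServerAccessToken token) {
            this.tokenKey = token.tokenKey; // NullPointerException when token is null
        }
    }
    // Data provider that discards the old token when a refresh_token grant issues a new one.
    static class InMemoryDataProvider {
        private final Map<String, ServerAccessToken> tokens = new HashMap<>();
        ServerAccessToken issue(String key) {
            ServerAccessToken t = new ServerAccessToken(key);
            tokens.put(key, t);
            return t;
        }
        ServerAccessToken refresh(String oldKey, String newKey) { tokens.remove(oldKey); return issue(newKey); }
        ServerAccessToken getAccessToken(String key) { return tokens.get(key); } // null once removed
    }
    // Validator with the null check the report proposes: a missing token is an authorization
    // failure for the client, not an unhandled NullPointerException on the server.
    static AccessTokenValidation validate(InMemoryDataProvider dp, String presentedKey) {
        ServerAccessToken local = dp.getAccessToken(presentedKey);
        if (local == null) {
            throw new AuthorizationFailure("unknown or revoked token");
        }
        return new AccessTokenValidation(local);
    }
    public static void main(String[] args) {
        InMemoryDataProvider dp = new InMemoryDataProvider();
        dp.issue("tok-old");              // constructed sample token keys
        dp.refresh("tok-old", "tok-new"); // the refresh invalidates tok-old
        System.out.println("new token accepted: " + validate(dp, "tok-new").tokenKey);
        try {
            validate(dp, "tok-old");      // a client still presenting the stale token
        } catch (AuthorizationFailure e) {
            System.out.println("stale token rejected: " + e.getMessage());
        }
    }
}
```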