[ https://issues.apache.org/jira/browse/CXF-4337?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13283229#comment-13283229 ]
Jordi Torrente commented on CXF-4337:
-------------------------------------
You're welcome Sergey :)
Yes, I implemented a custom refresh_token grant and I assigned
"OAuthConstants.REFRESH_TOKEN_GRANT" as its type, so AccessTokenService uses
your default handler to process it. For the time being I haven't needed a
special handler but having the possibility to register a custom one is a great
option.
Thanks & regards
> A NullPointerException is thrown during token validation
> --------------------------------------------------------
>
> Key: CXF-4337
> URL: https://issues.apache.org/jira/browse/CXF-4337
> Project: CXF
> Issue Type: Bug
> Components: JAX-RS Security
> Affects Versions: 2.6
> Reporter: Jordi Torrente
> Assignee: Sergey Beryozkin
> Labels: oauth2
> Fix For: 2.6.1
>
>
> If we build a request Authorization header using a renewed token, a
> NullPointerException can be raised (at the server tier) when trying to validate it:
> java.lang.NullPointerException
>     at org.apache.cxf.rs.security.oauth2.common.AccessTokenValidation.<init>(AccessTokenValidation.java:53)
>     at org.apache.cxf.rs.security.oauth2.services.AbstractAccessTokenValidator.getAccessTokenValidation(AbstractAccessTokenValidator.java:117)
>
> AbstractAccessTokenValidator: if there are no registered handlers to process
> the token, the code will use the injected dataprovider to get the
> corresponding token instance, but this returned object can be null (for
> example if the token has been renewed and the dataprovider has removed all
> its information), therefore the AccessTokenValidation constructor will throw a
> NullPointerException:
> try {
>     localAccessToken = dataProvider.getAccessToken(authSchemeData);
>     accessTokenV = new AccessTokenValidation(localAccessToken);
> } catch (OAuthServiceException ex) {
>     AuthorizationUtils.throwAuthorizationFailure(
>         Collections.singleton(authScheme));
> }
> So it would be useful to check the localAccessToken value before passing it to
> the AccessTokenValidation constructor, for example:
> try {
>     localAccessToken = dataProvider.getAccessToken(authSchemeData);
>     if (localAccessToken == null) {
>         AuthorizationUtils.throwAuthorizationFailure(supportedSchemes);
>     }
>
>     accessTokenV = new AccessTokenValidation(localAccessToken);
> } catch (OAuthServiceException ex) {
>     AuthorizationUtils.throwAuthorizationFailure(
>         Collections.singleton(authScheme));
> }
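
The scenario in the issue description, as a self-contained sketch added here (not code from CXF or from the reporter): a data provider that drops the old entry when a token is renewed, validated once without and once with the null check. The types `Token`, `Store` and `AuthorizationFailure` and both `validate*` methods are hypothetical stand-ins, the token values are constructed, and Java 16 or later is assumed for `record`.

```java
import java.util.HashMap;
import java.util.Map;

// Added illustration: every type below is a hypothetical stand-in, not CXF code.
public class RenewedTokenDemo {
    record Token(String key, String clientId) {}
    // Stand-in for the failure AuthorizationUtils.throwAuthorizationFailure signals.
    static class AuthorizationFailure extends RuntimeException {
        AuthorizationFailure(String msg) { super(msg); }
    }
    // Stand-in data provider: renewing a token deletes the old entry.
    static class Store {
        private final Map<String, Token> tokens = new HashMap<>();
        Token issue(String key, String clientId) {
            Token t = new Token(key, clientId);
            tokens.put(key, t);
            return t;
        }
        Token refresh(String oldKey, String newKey) {
            Token old = tokens.remove(oldKey);
            if (old == null) throw new AuthorizationFailure("nothing to renew");
            return issue(newKey, old.clientId());
        }
        Token getAccessToken(String key) { return tokens.get(key); }
    }

    // Original flow: the lookup result is dereferenced without a check.
    static String validateUnchecked(Store store, String key) {
        return store.getAccessToken(key).clientId(); // NPE when the token was removed
    }

    // Proposed flow: a missing token is an authorization failure, not an unhandled NPE.
    static String validateChecked(Store store, String key) {
        Token t = store.getAccessToken(key);
        if (t == null) throw new AuthorizationFailure("unknown or replaced access token");
        return t.clientId();
    }

    public static void main(String[] args) {
        Store store = new Store();
        store.issue("old-token", "client-1"); // constructed sample values
        store.refresh("old-token", "new-token");
        System.out.println("new token -> " + validateChecked(store, "new-token"));
        try { validateUnchecked(store, "old-token"); }
        catch (NullPointerException e) { System.out.println("unchecked -> NullPointerException"); }
        try { validateChecked(store, "old-token"); }
        catch (AuthorizationFailure e) { System.out.println("checked -> " + e.getMessage()); }
    }
}
```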