[ 
https://issues.apache.org/jira/browse/CXF-4427?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13415373#comment-13415373
 ] 

Daniel Kulp commented on CXF-4427:
----------------------------------

This would likely need to be completely optional and turned OFF by default.
Any details about errors surrounding security issues should not be sent back to
the client by default, to avoid sending information that can help create new
attack vectors.

> Error details are discarded and never sent to the client
> --------------------------------------------------------
>
>                 Key: CXF-4427
>                 URL: https://issues.apache.org/jira/browse/CXF-4427
>             Project: CXF
>          Issue Type: Bug
>          Components: JAX-RS Security
>    Affects Versions: 2.7.0
>            Reporter: Jordi Torrente
>              Labels: oauth2
>
> The current AccessTokenService implementation catches all OAuthServiceExceptions 
> and returns a generic error response, discarding all the exception details:
>         ServerAccessToken serverToken = null;
>         try {
>             serverToken = handler.createAccessToken(client, params);
>         } catch (OAuthServiceException ex) {
>             // the error response is to be returned next
>         }
>         if (serverToken == null) {
>             return createErrorResponse(params, OAuthConstants.INVALID_GRANT);
>         }
> I think it would be more useful to create the OAuthError object to return 
> using the exception's message, in order to receive the error code/details at 
> the client layer.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
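The following is an added illustration of the behaviour discussed above (the generic
response the issue quotes, and the opt-in, off-by-default detail reporting the comment
asks for). It is not CXF code: the OAuthServiceException, OAuthConstants and
AccessTokenService classes below are minimal stand-ins for the CXF names mentioned in the
issue, the reportErrorDetails switch is a hypothetical setting, and the failing grant
handler and its message are constructed for the demo.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.logging.Logger;

// Stand-in for CXF's exception type (added example, not CXF's own class).
class OAuthServiceException extends RuntimeException {
    private final String error;                 // OAuth2 error code (RFC 6749, section 5.2)

    OAuthServiceException(String error, String description) {
        super(description);
        this.error = error;
    }

    String getError() { return error; }
}

// Stand-in for the constants the issue refers to.
final class OAuthConstants {
    static final String INVALID_GRANT = "invalid_grant";
    static final String ERROR = "error";
    static final String ERROR_DESCRIPTION = "error_description";
}

interface AccessTokenGrantHandler {
    String createAccessToken(String clientId, Map<String, String> params);
}

final class AccessTokenService {
    private static final Logger LOG = Logger.getLogger(AccessTokenService.class.getName());
    private final AccessTokenGrantHandler handler;
    // Hypothetical switch: detailed errors are opt-in and OFF unless the deployer enables them.
    private final boolean reportErrorDetails;

    AccessTokenService(AccessTokenGrantHandler handler, boolean reportErrorDetails) {
        this.handler = handler;
        this.reportErrorDetails = reportErrorDetails;
    }

    /** Returns the token body on success, or an RFC 6749 style error object on failure. */
    Map<String, String> handleTokenRequest(String clientId, Map<String, String> params) {
        Map<String, String> body = new LinkedHashMap<>();
        try {
            body.put("access_token", handler.createAccessToken(clientId, params));
            body.put("token_type", "Bearer");
            return body;
        } catch (OAuthServiceException ex) {
            // The full detail always stays on the server, where the operator can read it.
            LOG.warning("token request from client " + clientId + " failed: "
                + ex.getError() + " - " + ex.getMessage());
            if (reportErrorDetails) {
                // Opt-in: pass the handler's error code and description through to the client.
                body.put(OAuthConstants.ERROR, ex.getError());
                if (ex.getMessage() != null) {
                    body.put(OAuthConstants.ERROR_DESCRIPTION, ex.getMessage());
                }
            } else {
                // Default: the generic response the current code returns, with no detail.
                body.put(OAuthConstants.ERROR, OAuthConstants.INVALID_GRANT);
            }
            return body;
        }
    }
}

public class ErrorDetailsDemo {
    public static void main(String[] args) {
        // Constructed handler that fails the way a refresh-token grant might.
        AccessTokenGrantHandler failing = (clientId, params) -> {
            throw new OAuthServiceException(OAuthConstants.INVALID_GRANT,
                "refresh token for client " + clientId + " has expired");
        };
        Map<String, String> params =
            Map.of("grant_type", "refresh_token", "refresh_token", "rt-123");

        System.out.println("default (details off): "
            + new AccessTokenService(failing, false).handleTokenRequest("client-a", params));
        System.out.println("opt-in  (details on):  "
            + new AccessTokenService(failing, true).handleTokenRequest("client-a", params));
    }
}
```

Save as ErrorDetailsDemo.java and run with `javac ErrorDetailsDemo.java && java ErrorDetailsDemo`.
The default configuration yields only `{error=invalid_grant}`; with the switch enabled the
client also receives the handler's error code and description. Even when enabled, the
client never sees a stack trace, and whoever turns the switch on is trusting every grant
handler's exception message not to contain token values or other internal state.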