[ 
https://issues.apache.org/jira/browse/CXF-5092?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Sergey Beryozkin resolved CXF-5092.
-----------------------------------

       Resolution: Fixed
    Fix Version/s: 3.0.0
                   2.7.6
                   2.6.9
                   2.5.11
         Assignee: Sergey Beryozkin

Was fixed as per your suggestion, thanks
                
> RequestTokenService signature verification bug [OAuthUtils]
> -----------------------------------------------------------
>
>                 Key: CXF-5092
>                 URL: https://issues.apache.org/jira/browse/CXF-5092
>             Project: CXF
>          Issue Type: Bug
>          Components: JAX-RS Security
>    Affects Versions: 2.7.5
>            Reporter: vdveer
>            Assignee: Sergey Beryozkin
>            Priority: Minor
>              Labels: patch
>             Fix For: 2.5.11, 2.6.9, 2.7.6, 3.0.0
>
>   Original Estimate: 0.5h
>  Remaining Estimate: 0.5h
>
> When accessing the RequestTokenService of the cxf-rt-rs-security-oauth 
> framework, the consumer key and secret are used to validate the signature of 
> the sent message. When the signature check fails (i.e. wrong client secret), an 
> exception is thrown and caught, but since the actual request token is null at 
> that time, the exception is not thrown any further and the request token is 
> generated afterwards and passed to the connected client even though the 
> signature verification failed. See the snippet of the OAuthUtils class.
> [2.7.5 - lines 107-114]
> try {
>     validator.validateMessage(oAuthMessage, accessor);
> } catch (Exception ex) {
>     if (token != null) {
>         provider.removeToken(token);
>         throw ex;   // only rethrown when a token already exists
>     }
> }
> If I'm correct, a possible solution would be to move the throw statement out 
> of the if statement, so that in case of a caught exception it is always thrown 
> further.
> This is a minor bug, since in the next OAuth step the signature verification 
> will fail, and because the token will not be null in that case, the exception 
> is thrown and the OAuth flow ends unsuccessfully. 

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
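As an added example, not code from CXF or from the reporter's patch, the following Python model reproduces the control flow described in the report: a signature check that raises on a bad client secret, a catch block that only rethrows when a token already exists, and the corrected form that always rethrows. The names `ProviderStub`, `issue_request_token_buggy`, `issue_request_token_fixed` and `demo` are hypothetical, and a plain HMAC-SHA1 over the request body stands in for the real OAuth 1.0a base-string signature so that verification can actually pass or fail offline.

```python
"""
Added example (not CXF code): a minimal model of the control-flow bug in the
RequestTokenService.  The signature scheme is a plain HMAC-SHA1 over the
request body, a simplified stand-in for the OAuth 1.0a base-string signature.
"""
import hashlib
import hmac
import secrets


class SignatureError(Exception):
    """Raised when a request's signature does not verify."""


class ProviderStub:
    """Hypothetical stand-in for the OAuth data provider: consumer secrets
    plus the request tokens it has issued."""

    def __init__(self, consumers):
        self.consumers = dict(consumers)  # consumer_key -> consumer_secret
        self.tokens = {}                  # token -> consumer_key

    def create_request_token(self, consumer_key):
        token = secrets.token_hex(8)
        self.tokens[token] = consumer_key
        return token

    def remove_token(self, token):
        self.tokens.pop(token, None)


def sign(body, consumer_secret):
    """Simplified signature: HMAC-SHA1 of the body keyed with the secret."""
    return hmac.new(consumer_secret.encode(), body.encode(), hashlib.sha1).hexdigest()


def validate_message(message, consumer_secret):
    """Recompute the signature and compare in constant time; raise on mismatch."""
    expected = sign(message["body"], consumer_secret)
    if not hmac.compare_digest(expected, message["signature"]):
        raise SignatureError("oauth_signature does not verify")


def issue_request_token_buggy(provider, message):
    """Pre-fix shape: the exception is rethrown only when a token already
    exists.  On the request-token step token is None, so the failure is
    swallowed and a token is issued anyway."""
    consumer_key = message["consumer_key"]
    token = None
    try:
        validate_message(message, provider.consumers[consumer_key])
    except SignatureError:
        if token is not None:
            provider.remove_token(token)
            raise
    return provider.create_request_token(consumer_key)  # reached on bad signature


def issue_request_token_fixed(provider, message):
    """Post-fix shape: clean up any existing token, then always rethrow."""
    consumer_key = message["consumer_key"]
    token = None
    try:
        validate_message(message, provider.consumers[consumer_key])
    except SignatureError:
        if token is not None:
            provider.remove_token(token)
        raise
    return provider.create_request_token(consumer_key)


def build_message(consumer_key, consumer_secret, body):
    return {"consumer_key": consumer_key, "body": body,
            "signature": sign(body, consumer_secret)}


def demo():
    """Run both variants against a correctly and an incorrectly signed request.
    Returns (buggy_issued_on_bad_sig, fixed_rejected_bad_sig, good_sig_ok)."""
    provider = ProviderStub({"client-1": "correct-secret"})   # constructed data
    body = "oauth_callback=oob&oauth_nonce=abc"
    good = build_message("client-1", "correct-secret", body)
    bad = build_message("client-1", "wrong-secret", body)    # wrong client secret

    buggy_issued = issue_request_token_buggy(provider, bad) is not None
    try:
        issue_request_token_fixed(provider, bad)
        fixed_rejected = False
    except SignatureError:
        fixed_rejected = True
    good_ok = issue_request_token_fixed(provider, good) in provider.tokens
    return buggy_issued, fixed_rejected, good_ok


if __name__ == "__main__":
    print(demo())  # (True, True, True)
```

Running `demo()` shows the buggy variant handing out a request token for a request signed with the wrong secret, while the fixed variant raises and only issues a token for the correctly signed request.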
