[
https://issues.apache.org/jira/browse/CXF-6559?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Sergey Beryozkin resolved CXF-6559.
-----------------------------------
Resolution: Fixed
Assignee: Sergey Beryozkin
Fix Version/s: 3.0.7
3.1.3
http://git-wip-us.apache.org/repos/asf/cxf/commit/5cf43ce7
thanks
> AbstractOAuthDataProvider.refreshAccessToken method can't handle an invalid
> refresh token
> -----------------------------------------------------------------------------------------
>
> Key: CXF-6559
> URL: https://issues.apache.org/jira/browse/CXF-6559
> Project: CXF
> Issue Type: Bug
> Components: JAX-RS Security
> Affects Versions: 3.1.2
> Reporter: Karl von Randow
> Assignee: Sergey Beryozkin
> Fix For: 3.1.3, 3.0.7
>
>
> The refreshAccessToken method calls revokeRefreshAndAccessTokens, which calls
> revokeRefreshToken, which is an abstract method which declares no exceptions.
> Implementations assume that the method will return null if the refresh token
> doesn't exist (see the DefaultEHCacheOAuthDataProvider, although the
> DefaultEncryptingOAuthDataProvider implementation may throw a
> SecurityException in that case as it can't really / doesn't support revoking).
> However if a null is returned, refreshAccessToken passes that null to
> doRefreshAccessToken which will then fail with a NullPointerException.
> I suggest that refreshAccessToken check for a null refresh token and throws
> an OAuthServiceException, possibly with OAuthConstants.ACCESS_DENIED.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
