[ https://issues.apache.org/jira/browse/CXF-6561?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14715766#comment-14715766 ]
ASF GitHub Bot commented on CXF-6561:
-------------------------------------
GitHub user karlvr opened a pull request:
https://github.com/apache/cxf/pull/83
[CXF-6561] [CXF-6562] ResourceOwnerGrantHandler improvements
ResourceOwnerGrantHandler calls a customisable ResourceOwnerLoginHandler
instance, however the `createSubject(String, String)` method declares no
exceptions, and a null return value is not handled. This can possibly result in
the issuing of an access token if the DataProvider doesn't check for the null
subject.
ResourceOwnerGrantHandler.createAccessToken(...) appears to expect that the
ResourceOwnerLoginHandler will throw an `Exception` (literally any Exception),
however the method signature of the ResourceOwnerLoginHandler interface doesn't
allow that.
Also, ResourceOwnerGrantHandler has a setter for loginHandler but not a
getter. Minor, but perhaps we should add one for completeness?
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/karlvr/cxf resource-owner-grant
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/cxf/pull/83.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #83
----
commit e407bc91bb0e48bf6feb6c4b12b3c7ced87a9732
Author: Karl von Randow <[email protected]>
Date: 2015-08-26T23:45:06Z
[CXF-6561] ResourceOwnerGrantHandler: handle null result from loginHandler
Document that ResourceOwnerLoginHandler should return null in the event
that the user credentials are not valid.
There is no need to catch a RuntimeException, or any Exception, as only
RuntimeExceptions (or Errors) can be thrown by the createSubject method as it
has no declared exceptions.
commit 62ebe027a7d0e24f4eca5da0fff93bcdea692776
Author: Karl von Randow <[email protected]>
Date: 2015-08-26T23:47:36Z
[CXF-6562] ResourceOwnerGrantHandler: add getter for loginHandler
----
> ResourceOwnerGrantHandler: ResourceOwnerLoginHandler can't return null or
> throw exception
> -----------------------------------------------------------------------------------------
>
> Key: CXF-6561
> URL: https://issues.apache.org/jira/browse/CXF-6561
> Project: CXF
> Issue Type: Bug
> Components: JAX-RS Security
> Affects Versions: 3.1.2
> Reporter: Karl von Randow
>
> ResourceOwnerGrantHandler calls a customisable ResourceOwnerLoginHandler
> instance, however the `createSubject(String, String)` method declares no
> exceptions, and a null return value is not handled. This can possibly result
> in the issuing of an access token if the DataProvider doesn't check for the
> null subject.
> ResourceOwnerGrantHandler.createAccessToken(...) appears to expect that the
> ResourceOwnerLoginHandler will throw an `Exception` (literally any
> Exception), however the method signature of the ResourceOwnerLoginHandler
> interface doesn't allow that.
> I will submit a pull request with a suggested fix.
--
This message was sent by Atlassian JIRA (v6.3.4#6332)
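As an added illustration, not code from CXF or from the pull request, the following stand-alone Java class mirrors the two points the report makes: `createSubject(String, String)` declares no checked exceptions, so the only sane contract is "return null for invalid credentials", and the grant handler must reject that null itself rather than pass it on to a DataProvider that may issue a token regardless. The nested `UserSubject`, `ServerAccessToken` and `OAuthServiceException` types are simplified stand-ins (assumptions), not CXF's own classes, and the in-memory login handler in `main` uses constructed test data.

```java
import java.util.HashMap;
import java.util.Map;

/**
 * Added illustration, not CXF source: a stripped-down stand-in for
 * ResourceOwnerGrantHandler.createAccessToken(...) that treats a null
 * subject from ResourceOwnerLoginHandler.createSubject(String, String)
 * as a failed login instead of handing it to the data provider.
 * The nested types are simplified stand-ins (assumptions), not CXF's
 * UserSubject / ServerAccessToken / OAuthServiceException.
 */
public class NullSafeResourceOwnerGrant {

    /** Stand-in for the authenticated resource owner. */
    public static final class UserSubject {
        public final String login;
        public UserSubject(String login) { this.login = login; }
    }

    /** Stand-in for an issued token; only the owner is recorded here. */
    public static final class ServerAccessToken {
        public final String owner;
        ServerAccessToken(String owner) { this.owner = owner; }
    }

    /** Stand-in for an OAuth error that maps to an OAuth2 error response. */
    public static final class OAuthServiceException extends RuntimeException {
        public final String error;
        OAuthServiceException(String error) { super(error); this.error = error; }
    }

    /**
     * Same shape as the interface the report describes: no checked
     * exceptions, so the documented contract is "return null when the
     * credentials are invalid". A RuntimeException thrown here propagates
     * unchanged, as the commit message notes there is nothing to catch.
     */
    public interface ResourceOwnerLoginHandler {
        UserSubject createSubject(String name, String password);
    }

    private ResourceOwnerLoginHandler loginHandler;

    public void setLoginHandler(ResourceOwnerLoginHandler handler) { this.loginHandler = handler; }

    /** The getter CXF-6562 asks for, paired with the existing setter. */
    public ResourceOwnerLoginHandler getLoginHandler() { return loginHandler; }

    public ServerAccessToken createAccessToken(Map<String, String> params) {
        String username = params.get("username");
        String password = params.get("password");
        if (username == null || password == null) {
            throw new OAuthServiceException("invalid_grant");
        }
        UserSubject subject = loginHandler.createSubject(username, password);
        if (subject == null) {
            // The report's point: a null subject is a failed login and must be
            // rejected here, never forwarded to a DataProvider that might
            // issue a token for it.
            throw new OAuthServiceException("invalid_grant");
        }
        return new ServerAccessToken(subject.login);
    }

    /** Demo with a constructed in-memory handler (test data, not real accounts). */
    public static void main(String[] args) {
        Map<String, String> users = new HashMap<>();
        users.put("alice", "correct-horse");

        NullSafeResourceOwnerGrant grant = new NullSafeResourceOwnerGrant();
        // Plain String.equals is enough for the demo; a real handler would
        // delegate to a credential store with proper hashing and comparison.
        grant.setLoginHandler((name, pw) ->
            pw.equals(users.get(name)) ? new UserSubject(name) : null);

        Map<String, String> good = new HashMap<>();
        good.put("username", "alice");
        good.put("password", "correct-horse");
        System.out.println("valid login -> token for " + grant.createAccessToken(good).owner);

        Map<String, String> bad = new HashMap<>();
        bad.put("username", "alice");
        bad.put("password", "wrong");
        try {
            grant.createAccessToken(bad);
            System.out.println("BUG: token issued for a null subject");
        } catch (OAuthServiceException e) {
            System.out.println("invalid login -> " + e.error);
        }
    }
}
```

Compile and run it with `javac NullSafeResourceOwnerGrant.java && java NullSafeResourceOwnerGrant`; the second request fails with `invalid_grant` because the login handler returned null, which is exactly the path the report says the unpatched handler did not guard.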