[https://issues.apache.org/jira/browse/CXF-6561?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14717001#comment-14717001]
Sergey Beryozkin commented on CXF-6561:
---------------------------------------
Thanks for the patch. I applied a null check but kept the exception catches
with minor updates, as right now AccessTokenService handles
OAuthServiceException; other runtime exceptions will escape, resulting in a 500.
> ResourceOwnerGrantHandler: ResourceOwnerLoginHandler can't return null or
> throw exception
> -----------------------------------------------------------------------------------------
>
> Key: CXF-6561
> URL: https://issues.apache.org/jira/browse/CXF-6561
> Project: CXF
> Issue Type: Bug
> Components: JAX-RS Security
> Affects Versions: 3.1.2
> Reporter: Karl von Randow
>
> ResourceOwnerGrantHandler calls a customisable ResourceOwnerLoginHandler
> instance; however, the `createSubject(String, String)` method declares no
> exceptions, and a null return value is not handled. This can possibly result
> in the issuing of an access token if the DataProvider doesn't check for the
> null subject.
> ResourceOwnerGrantHandler.createAccessToken(...) appears to expect that the
> ResourceOwnerLoginHandler will throw an `Exception` (literally any
> Exception); however, the method signature of the ResourceOwnerLoginHandler
> interface doesn't allow that.
> I will submit a pull request with a suggested fix.
--
This message was sent by Atlassian JIRA (v6.3.4#6332)
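A fail-closed version of the login step discussed above, written as an added example (not CXF's own code or the applied patch) against the CXF 3.1.x OAuth2 API: it assumes the `org.apache.cxf.rs.security.oauth2` types are on the classpath, and the two inline login handlers are constructed to reproduce the null-return and runtime-exception cases from the report.

```java
import org.apache.cxf.rs.security.oauth2.common.OAuthError;
import org.apache.cxf.rs.security.oauth2.common.UserSubject;
import org.apache.cxf.rs.security.oauth2.grants.owner.ResourceOwnerLoginHandler;
import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;

// Added example (not CXF code): guard a customisable login handler so that
// neither a null subject nor a stray RuntimeException reaches token issuance.
public class SafeOwnerLogin {

    // Returns a non-null subject, or throws the one exception type that
    // AccessTokenService maps to an OAuth error response (invalid_grant)
    // instead of a 500.
    public static UserSubject authenticate(ResourceOwnerLoginHandler handler,
                                           String name, String password) {
        UserSubject subject;
        try {
            subject = handler.createSubject(name, password);
        } catch (OAuthServiceException ex) {
            throw ex;                       // handler already chose the OAuth error
        } catch (RuntimeException ex) {
            // Wrap, but do not echo ex.getMessage() to the client: a handler
            // may put backend details (LDAP/DB errors) into the message.
            throw new OAuthServiceException(new OAuthError(OAuthConstants.INVALID_GRANT), ex);
        }
        if (subject == null) {
            // Reject here; do not rely on the DataProvider to notice a null subject.
            throw new OAuthServiceException(new OAuthError(OAuthConstants.INVALID_GRANT));
        }
        return subject;
    }

    public static void main(String[] args) {
        // Constructed handlers mimicking the two failure modes in the report.
        ResourceOwnerLoginHandler returnsNull = (n, p) -> null;
        ResourceOwnerLoginHandler throwsRuntime = (n, p) -> {
            throw new IllegalStateException("directory unavailable (constructed message)");
        };
        for (ResourceOwnerLoginHandler h
                : new ResourceOwnerLoginHandler[] {returnsNull, throwsRuntime}) {
            try {
                authenticate(h, "alice", "wrong-password");
                System.out.println("BUG: token path reached");
            } catch (OAuthServiceException ex) {
                System.out.println("rejected with " + ex.getError().getError());
            }
        }
    }
}
```

Both constructed handlers end in the `OAuthServiceException` branch, which is the behaviour the comment describes wanting: an `invalid_grant` error to the client rather than a null subject or an unhandled exception.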