[ https://issues.apache.org/jira/browse/CXF-6561?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14717874#comment-14717874 ]
Karl von Randow commented on CXF-6561:
--------------------------------------
Brilliant, and perfect. Thank you.
> ResourceOwnerGrantHandler: ResourceOwnerLoginHandler can't return null or
> throw exception
> -----------------------------------------------------------------------------------------
>
> Key: CXF-6561
> URL: https://issues.apache.org/jira/browse/CXF-6561
> Project: CXF
> Issue Type: Bug
> Components: JAX-RS Security
> Affects Versions: 3.1.2
> Reporter: Karl von Randow
> Assignee: Sergey Beryozkin
> Fix For: 3.1.3, 3.0.7
>
>
> ResourceOwnerGrantHandler calls a customisable ResourceOwnerLoginHandler
> instance, however the `createSubject(String, String)` method declares no
> exceptions, and a null return value is not handled. This can possibly result
> in the issuing of an access token if the DataProvider doesn't check for the
> null subject.
> ResourceOwnerGrantHandler.createAccessToken(...) appears to expect that the
> ResourceOwnerLoginHandler will throw an `Exception` (literally any
> Exception), however the method signature of the ResourceOwnerLoginHandler
> interface doesn't allow that.
> I will submit a pull request with a suggested fix.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
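
The failure mode described in the quoted report, as an added example that is not part of the original message and is not CXF code: a grant handler that denies the grant both when the login handler returns null and when it throws an unchecked exception. `LoginHandler`, `Subject`, `GrantDeniedException`, `authenticate` and `issueToken` are hypothetical stand-ins for the CXF types named above, and the handlers and credentials are constructed sample input.

```java
import java.util.Map;
import java.util.UUID;

// Added illustration with hypothetical stand-in types (Java 16+ for records).
public class FailClosedGrantDemo {
    record Subject(String login) {}

    interface LoginHandler {
        // As in the report: no checked exceptions are declared, so an
        // implementation can only signal failure with null or an unchecked exception.
        Subject createSubject(String name, String password);
    }

    static class GrantDeniedException extends RuntimeException {
        GrantDeniedException(String msg, Throwable cause) { super(msg, cause); }
    }

    // Fail closed: every outcome other than a non-null subject denies the grant.
    static Subject authenticate(LoginHandler handler, String name, String password) {
        Subject subject;
        try {
            subject = handler.createSubject(name, password);
        } catch (RuntimeException e) {
            throw new GrantDeniedException("invalid_grant", e);
        }
        if (subject == null) {
            // Without this check a null subject reaches the token store unchecked.
            throw new GrantDeniedException("invalid_grant", null);
        }
        return subject;
    }

    static String issueToken(LoginHandler handler, String name, String password) {
        return authenticate(handler, name, password).login() + ":" + UUID.randomUUID();
    }

    public static void main(String[] args) {
        // Constructed handlers covering the three behaviours discussed in the report.
        Map<String, LoginHandler> handlers = Map.of(
            "returns null", (n, p) -> null,
            "throws unchecked", (n, p) -> { throw new IllegalStateException("user store down"); },
            "valid login", (n, p) -> "s3cret".equals(p) ? new Subject(n) : null);
        handlers.forEach((label, handler) -> {
            try {
                issueToken(handler, "alice", "s3cret");
                System.out.println(label + ": token issued");
            } catch (GrantDeniedException e) {
                System.out.println(label + ": denied (" + e.getMessage() + ")");
            }
        });
    }
}
```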