[
https://issues.apache.org/jira/browse/CXF-6561?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14718421#comment-14718421
]
Sergey Beryozkin commented on CXF-6561:
---------------------------------------
Hi, I was thinking about it and I reckon your code without any exception
catches was actually better.
I remember now that the reason AccessTokenService catches
OAuthServiceException only and not other runtime exceptions is to let users
throw something like WebApplicationException and handle that in their
WebApplicationException mappers. I vaguely recall there was a user request
where they wanted to throw WebApplicationException.
Therefore ResourceOwnerGrantHandler catch blocks are indeed redundant and
instead I need to tweak AccessTokenService a bit to make sure it lets
WebApplicationExceptions flow further and handle other runtime exceptions
locally.
> ResourceOwnerGrantHandler: ResourceOwnerLoginHandler can't return null or
> throw exception
> -----------------------------------------------------------------------------------------
>
> Key: CXF-6561
> URL: https://issues.apache.org/jira/browse/CXF-6561
> Project: CXF
> Issue Type: Bug
> Components: JAX-RS Security
> Affects Versions: 3.1.2
> Reporter: Karl von Randow
> Assignee: Sergey Beryozkin
> Fix For: 3.1.3, 3.0.7
>
>
> ResourceOwnerGrantHandler calls a customisable ResourceOwnerLoginHandler
> instance, however the `createSubject(String, String)` method declares no
> exceptions, and a null return value is not handled. This can possibly result
> in the issuing of an access token if the DataProvider doesn't check for the
> null subject.
> ResourceOwnerGrantHandler.createAccessToken(...) appears to expect that the
> ResourceOwnerLoginHandler will throw an `Exception` (literally any
> Exception), however the method signature of the ResourceOwnerLoginHandler
> interface doesn't allow that.
> I will submit a pull request with a suggested fix.
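The layering Sergey describes (the grant handler refuses a null subject, the token service lets WebApplicationException reach user mappers and handles other runtime exceptions itself), as an added sketch that is not CXF code; UserSubject, ResourceOwnerLoginHandler and the two exception types are hypothetical stand-ins mirroring the signatures named in the issue.

```java
// Hypothetical stand-ins mirroring the signatures described in CXF-6561.
interface UserSubject { String getLogin(); }
interface ResourceOwnerLoginHandler { UserSubject createSubject(String name, String password); }
class OAuthServiceException extends RuntimeException {
    OAuthServiceException(String error) { super(error); }
}
class WebApplicationException extends RuntimeException {
    WebApplicationException(String msg) { super(msg); }
}

// Grant-handler side: a null subject is treated as a failed login,
// so it can never reach the data provider and become a token.
class GrantHandlerSketch {
    private final ResourceOwnerLoginHandler loginHandler;
    GrantHandlerSketch(ResourceOwnerLoginHandler h) { this.loginHandler = h; }
    UserSubject authenticate(String name, String password) {
        UserSubject subject = loginHandler.createSubject(name, password);
        if (subject == null) {
            throw new OAuthServiceException("invalid_grant");
        }
        return subject;
    }
}

// Token-service side: WebApplicationException flows to user mappers,
// everything else is converted to an OAuth error response here.
class TokenServiceSketch {
    private final GrantHandlerSketch handler;
    TokenServiceSketch(GrantHandlerSketch h) { this.handler = h; }
    String handleTokenRequest(String name, String password) {
        try {
            return "token-for-" + handler.authenticate(name, password).getLogin();
        } catch (WebApplicationException e) {
            throw e;
        } catch (OAuthServiceException e) {
            return "error:" + e.getMessage();
        } catch (RuntimeException e) {
            return "error:server_error";
        }
    }
    public static void main(String[] args) {
        // Constructed login handler: null for a bad password, a mapped
        // exception for a locked account, a runtime failure otherwise.
        ResourceOwnerLoginHandler login = (n, p) -> {
            if ("locked".equals(n)) throw new WebApplicationException("account locked");
            if ("boom".equals(n)) throw new IllegalStateException("backend down");
            return "secret".equals(p) ? () -> n : null;
        };
        TokenServiceSketch svc = new TokenServiceSketch(new GrantHandlerSketch(login));
        System.out.println(svc.handleTokenRequest("alice", "secret"));  // token issued
        System.out.println(svc.handleTokenRequest("alice", "wrong"));   // error:invalid_grant
        System.out.println(svc.handleTokenRequest("boom", "x"));        // error:server_error
    }
}
```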