Colm O hEigeartaigh closed CXF-6559.

> AbstractOAuthDataProvider.refreshAccessToken method can't handle an invalid 
> refresh token
> -----------------------------------------------------------------------------------------
>                 Key: CXF-6559
>                 URL: https://issues.apache.org/jira/browse/CXF-6559
>             Project: CXF
>          Issue Type: Bug
>          Components: JAX-RS Security
>    Affects Versions: 3.1.2
>            Reporter: Karl von Randow
>            Assignee: Sergey Beryozkin
>             Fix For: 3.1.3, 3.0.7
> The refreshAccessToken method calls revokeRefreshAndAccessTokens, which calls 
> revokeRefreshToken, which is an abstract method which declares no exceptions.
> Implementations assume that the method will return null if the refresh token 
> doesn't exist (see the DefaultEHCacheOAuthDataProvider, although the 
> DefaultEncryptingOAuthDataProvider implementation may throw a 
> SecurityException in that case as it can't really / doesn't support revoking).
> However if a null is returned, refreshAccessToken passes that null to 
> doRefreshAccessToken which will then fail with a NullPointerException.
> I suggest that refreshAccessToken check for a null refresh token and throws 
> an OAuthServiceException, possibly with OAuthConstants.ACCESS_DENIED. 

This message was sent by Atlassian JIRA

Reply via email to