[ https://issues.apache.org/jira/browse/CXF-6558?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Colm O hEigeartaigh closed CXF-6558.
------------------------------------

> DefaultEncryptingOAuthDataProvider.getAccessToken throws SecurityException on
> invalid accessToken format
> --------------------------------------------------------------------------------------------------------
>
>                 Key: CXF-6558
>                 URL: https://issues.apache.org/jira/browse/CXF-6558
>             Project: CXF
>          Issue Type: Bug
>          Components: JAX-RS Security
>    Affects Versions: 3.1.2
>            Reporter: Karl von Randow
>            Assignee: Sergey Beryozkin
>            Priority: Minor
>             Fix For: 3.1.3, 3.0.7
>
>
> The `DefaultEncryptingOAuthDataProvider.getAccessToken` method calls
> `ModelEncryptionSupport.decryptAccessToken`, which throws a SecurityException
> if the input doesn't match the crypto algorithm's desired input. This
> results in a server error.
> I suggest that this method should catch the SecurityException and instead
> throw an OAuthServiceException, as specified by the signature of
> `getAccessToken`.
> e.g. `throw new OAuthServiceException(OAuthConstants.ACCESS_DENIED, e);`
> This would enable invalid access tokens to be rejected cleanly back to the
> client. I am happy to provide a patch for this issue.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
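The wrapping the reporter suggests, shown as an added example rather than the fix that shipped in CXF: a subclass that catches the SecurityException raised while decrypting a malformed token and converts it into the OAuthServiceException the `getAccessToken` signature declares, so the client gets an OAuth error instead of a server error. The package names, the `SecretKey` constructor and the `OAuthServiceException(String, Throwable)` constructor are assumed here from CXF 3.1.x.

```java
import javax.crypto.SecretKey;

import org.apache.cxf.rs.security.oauth2.common.ServerAccessToken;
import org.apache.cxf.rs.security.oauth2.provider.DefaultEncryptingOAuthDataProvider;
import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;

/**
 * Illustrative wrapper (not CXF's own code): makes token lookup fail closed
 * with an OAuth error instead of leaking a java.lang.SecurityException as a
 * 500 when the presented token is not a well-formed encrypted token.
 */
public class SafeEncryptingOAuthDataProvider extends DefaultEncryptingOAuthDataProvider {

    // Assumed constructor: the parent takes the symmetric key used to
    // encrypt and decrypt the serialized token model.
    public SafeEncryptingOAuthDataProvider(SecretKey key) {
        super(key);
    }

    @Override
    public ServerAccessToken getAccessToken(String accessToken) throws OAuthServiceException {
        // A missing or blank token can never decrypt; reject it the same way
        // rather than handing it to the crypto layer.
        if (accessToken == null || accessToken.trim().isEmpty()) {
            throw new OAuthServiceException(OAuthConstants.ACCESS_DENIED);
        }
        try {
            // The parent delegates to ModelEncryptionSupport.decryptAccessToken,
            // which throws SecurityException when the input does not match the
            // cipher's expected format (bad base64, wrong length, bad padding).
            return super.getAccessToken(accessToken);
        } catch (SecurityException e) {
            // Translate the crypto failure into the declared OAuth error so the
            // filter chain returns an access_denied response to the client.
            // The cause is kept for server-side logging, not sent to the client.
            throw new OAuthServiceException(OAuthConstants.ACCESS_DENIED, e);
        }
    }
}
```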