[ https://issues.apache.org/jira/browse/CXF-6561?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Colm O hEigeartaigh closed CXF-6561.
------------------------------------

> ResourceOwnerGrantHandler: ResourceOwnerLoginHandler can't return null or throw exception
> -----------------------------------------------------------------------------------------
>
> Key: CXF-6561
> URL: https://issues.apache.org/jira/browse/CXF-6561
> Project: CXF
> Issue Type: Bug
> Components: JAX-RS Security
> Affects Versions: 3.1.2
> Reporter: Karl von Randow
> Assignee: Sergey Beryozkin
> Fix For: 3.1.3, 3.0.7
>
>
> ResourceOwnerGrantHandler calls a customisable ResourceOwnerLoginHandler
> instance, however the `createSubject(String, String)` method declares no
> exceptions, and a null return value is not handled. This can possibly result
> in the issuing of an access token if the DataProvider doesn't check for the
> null subject.
>
> ResourceOwnerGrantHandler.createAccessToken(...) appears to expect that the
> ResourceOwnerLoginHandler will throw an `Exception` (literally any
> Exception), however the method signature of the ResourceOwnerLoginHandler
> interface doesn't allow that.
>
> I will submit a pull request with a suggested fix.

--
This message was sent by Atlassian JIRA (v6.3.4#6332)
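
The fail-closed check the report asks for, as an added example that is not CXF code and not the fix from the pull request. `Subject`, `LoginHandler`, `InvalidGrantException` and the toy token string are hypothetical stand-ins; the sample user table is constructed.

```java
import java.util.Map;

// Stand-in types for illustration only; these are NOT the CXF classes.
public class FailClosedGrantDemo {
    record Subject(String login) {}

    interface LoginHandler {
        // As in the report: no checked exceptions are declared, so an
        // implementation can only signal failure with null or a RuntimeException.
        Subject createSubject(String name, String password);
    }

    static class InvalidGrantException extends RuntimeException {
        InvalidGrantException(String msg) { super(msg); }
    }

    // A token is issued only when the handler produced a non-null subject.
    static String createAccessToken(LoginHandler handler, String name, String password) {
        Subject subject;
        try {
            subject = handler.createSubject(name, password);
        } catch (RuntimeException ex) {
            // Any handler failure is mapped to one uniform grant error.
            throw new InvalidGrantException("invalid_grant");
        }
        if (subject == null) {
            // The case the report describes: null must never reach token issuance.
            throw new InvalidGrantException("invalid_grant");
        }
        return "token-for-" + subject.login(); // toy token, hypothetical format
    }

    public static void main(String[] args) {
        Map<String, String> users = Map.of("alice", "correct-horse"); // constructed sample data
        LoginHandler nullOnFailure = (n, p) -> p.equals(users.get(n)) ? new Subject(n) : null;
        LoginHandler throwOnFailure = (n, p) -> {
            if (!p.equals(users.get(n))) throw new IllegalStateException("bad credentials");
            return new Subject(n);
        };
        System.out.println(createAccessToken(nullOnFailure, "alice", "correct-horse"));
        for (LoginHandler h : new LoginHandler[] {nullOnFailure, throwOnFailure}) {
            try {
                createAccessToken(h, "alice", "wrong");
                throw new AssertionError("token issued for failed login");
            } catch (InvalidGrantException expected) {
                System.out.println("rejected: " + expected.getMessage());
            }
        }
    }
}
```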