Actually, I think just sticking a null check in there works fine.  No need to 
throw an exception.   With the check, the policy would not be asserted and 
when the policy is checked later, an exception would be thrown.

Just committed to trunk.

Dan


On Tuesday 10 August 2010 9:17:08 am Michael Kleinhenz wrote:
> Hi,
> 
> I have a CXF SOAP service configured to require a SAML token. If I try
> to access that service without a token, the server throws a NPE:
> 
> java.lang.NullPointerException
>       at org.apache.cxf.ws.security.policy.interceptors.IssuedTokenInterceptorProvider$IssuedTokenInInterceptor.handleMessage(IssuedTokenInterceptorProvider.java:198)
> 
> The corresponding code line in IssuedTokenInterceptorProvider reads like
> this:
> 
>  Vector results = (Vector)message.get(WSHandlerConstants.RECV_RESULTS);
>  for (int i = 0; i < results.size(); i++) {
>          WSHandlerResult rResult = (WSHandlerResult) results.get(i);
>  [..]
> 
> Shouldn't this check for results being null like this:
> 
>  Vector results = null;
>  if ((results = (Vector)message
>               .get(WSHandlerConstants.RECV_RESULTS)) == null) {
>       throw new RuntimeException("No security results!");
>  }
>  for (int i = 0; i < results.size(); i++) {
>          WSHandlerResult rResult = (WSHandlerResult) results.get(i);
> 
> (maybe with something else than a RTE obviously)?
> 
> Maybe I have done something wrong in the server configuration, but the
> execution never reaches my security callback to check the (even
> non-existent) token but fails right at retrieving the RECV_RESULTS key
> from the message context.
> 
> Any opinions?
> 
> Thanks,
> Michael

-- 
Daniel Kulp
[email protected]
http://dankulp.com/blog
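
The behaviour described in the reply above (null check, policy left unasserted, later policy check throws), sketched as an added example that is not part of the original thread and is not CXF code. All class and method names and the `SAML_TOKEN` result value are hypothetical stand-ins; only the `RECV_RESULTS` key name comes from the quoted code.

```java
import java.util.*;

// Simplified model (hypothetical names, not CXF classes) of a fail-closed policy check.
public class FailClosedPolicyDemo {
    static final String RECV_RESULTS = "RECV_RESULTS"; // stand-in for WSHandlerConstants.RECV_RESULTS

    static class Assertion {
        final String name;
        boolean asserted; // defaults to false: nothing is trusted until proven
        Assertion(String name) { this.name = name; }
    }

    // Models the inbound token interceptor with the null check in place.
    static void issuedTokenIn(Map<String, Object> message, Assertion issuedToken) {
        @SuppressWarnings("unchecked")
        List<String> results = (List<String>) message.get(RECV_RESULTS);
        if (results == null) {
            return; // no security header was processed: leave the policy unasserted
        }
        issuedToken.asserted = results.contains("SAML_TOKEN");
    }

    // Models the later policy verification step: any unasserted policy rejects the request.
    static void verifyPolicies(List<Assertion> required) {
        for (Assertion a : required) {
            if (!a.asserted) {
                throw new SecurityException("Policy not satisfied: " + a.name);
            }
        }
    }

    // Runs both steps and reports whether the message would reach the service.
    static boolean accepts(Map<String, Object> message) {
        Assertion issuedToken = new Assertion("IssuedToken");
        issuedTokenIn(message, issuedToken);
        try {
            verifyPolicies(List.of(issuedToken));
            return true;
        } catch (SecurityException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        Map<String, Object> noToken = new HashMap<>();   // constructed: request without a token
        Map<String, Object> withToken = new HashMap<>(); // constructed: request with a token result
        withToken.put(RECV_RESULTS, List.of("SAML_TOKEN"));
        System.out.println("no token accepted:   " + accepts(noToken));
        System.out.println("with token accepted: " + accepts(withToken));
    }
}
```

The early return is safe only because the assertion starts out unasserted and the verifier rejects anything unasserted; a guard that returned early after marking the policy satisfied would fail open.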
