  1. CXF
  2. CXF-4337

A NullPointerException is thrown during token validation


Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.6
    • Fix Version/s: 2.6.1
    • Component/s: JAX-RS Security
    • Estimated Complexity: Novice

    Description

      If we build a request Authorization header using a renewed token, a NullPointerException can be raised (at the server tier) when trying to validate it:

      java.lang.NullPointerException
      at org.apache.cxf.rs.security.oauth2.common.AccessTokenValidation.<init>(AccessTokenValidation.java:53)
      at org.apache.cxf.rs.security.oauth2.services.AbstractAccessTokenValidator.getAccessTokenValidation(AbstractAccessTokenValidator.java:117)

      AbstractAccessTokenValidator: if there are no registered handlers to process the token, the code will use the injected data provider to get the corresponding token instance, but this returned object can be null (for example, if the token has been renewed and the data provider has removed all its information), so the AccessTokenValidation constructor will throw a NullPointerException:

      try {
          localAccessToken = dataProvider.getAccessToken(authSchemeData);
          accessTokenV = new AccessTokenValidation(localAccessToken);
      } catch (OAuthServiceException ex) {
          AuthorizationUtils.throwAuthorizationFailure(
              Collections.singleton(authScheme));
      }

      So it would be useful to check the localAccessToken value before passing it to the AccessTokenValidation constructor, for example:

      try {
          localAccessToken = dataProvider.getAccessToken(authSchemeData);
          if (localAccessToken == null) {
              AuthorizationUtils.throwAuthorizationFailure(supportedSchemes);
          }
          accessTokenV = new AccessTokenValidation(localAccessToken);
      } catch (OAuthServiceException ex) {
          AuthorizationUtils.throwAuthorizationFailure(
              Collections.singleton(authScheme));
      }
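
      The two lookup failure modes from the report (the data provider throws, or it returns null for a renewed token) handled so that both end in the same authorization failure. This is an added example, not CXF code and not part of the original report: Token, ServiceException, AuthFailure, the provider functions and the "Bearer" scheme value are hypothetical stand-ins, and the token store is constructed sample data.

```java
import java.util.Map;
import java.util.function.Function;

// Stand-in types for illustration only; these are NOT the CXF classes.
public class TokenLookupDemo {
    record Token(String key, String subject) {}
    static class ServiceException extends RuntimeException {}   // plays OAuthServiceException
    static class AuthFailure extends RuntimeException {          // plays the authorization failure
        AuthFailure(String scheme) { super("authorization failure, scheme=" + scheme); }
    }

    // Validator shaped like the snippet in the report: the provider may throw
    // OR return null, and both must end as the same authorization failure.
    static Token validate(Function<String, Token> provider, String scheme, String key) {
        Token token;
        try {
            token = provider.apply(key);
        } catch (ServiceException ex) {
            throw new AuthFailure(scheme);
        }
        if (token == null) {               // renewed/removed token: no record left
            throw new AuthFailure(scheme);
        }
        return token;
    }

    // Runs one lookup and reports how it ended.
    static String outcome(Function<String, Token> provider, String key) {
        try {
            return "ok:" + validate(provider, "Bearer", key).subject();
        } catch (AuthFailure e) {
            return "rejected";
        } catch (RuntimeException e) {
            return "crash:" + e.getClass().getSimpleName();
        }
    }

    public static void main(String[] args) {
        // Constructed store: "old-key" was renewed, only "new-key" remains.
        Map<String, Token> store = Map.of("new-key", new Token("new-key", "alice"));
        Function<String, Token> nullOnMiss = store::get;
        Function<String, Token> throwOnMiss = k -> {
            Token t = store.get(k);
            if (t == null) throw new ServiceException();
            return t;
        };
        System.out.println(outcome(nullOnMiss, "old-key"));
        System.out.println(outcome(throwOnMiss, "old-key"));
        System.out.println(outcome(nullOnMiss, "new-key"));
    }
}
```

      A regression test for this class of bug should assert that no lookup path for an unknown or renewed token reaches the "crash" branch.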


          People

            Assignee: Sergey Beryozkin (sergey_beryozkin)
            Reporter: Jordi Gerona (jordi)