Uploaded image for project: 'CXF'
  1. CXF
  2. CXF-6558

DefaultEncryptingOAuthDataProvider.getAccessToken throws SecurityException on invalid accessToken format

          Details

          • Type: Bug
          • Status: Closed
          • Priority: Minor
          • Resolution: Fixed
          • Affects Version/s: 3.1.2
          • Fix Version/s: 3.1.3, 3.0.7
          • Component/s: JAX-RS Security
          • Labels:
            None
          • Estimated Complexity:
            Unknown

            Description

            The `DefaultEncryptingOAuthDataProvider.getAccessToken` method calls `ModelEncryptionSupport.decryptAccessToken` which throws a SecurityException if the input doesn't match they crypto algorithm's desired input. This results in a server error.

            I suggest that this method should catch the SecurityException and instead throw an OAuthServiceException, as specified by the signature of `getAccessToken`.

            e.g. `throw new OAuthServiceException(OAuthConstants.ACCESS_DENIED, e);`

            This would enable invalid access tokens to be rejected cleanly back to the client. I am happy to provide a patch for this issue.

              Attachments

                Activity

                  People

                  • Assignee:
                    sergey_beryozkin Sergey Beryozkin
                    Reporter:
                    karlvr Karl von Randow
                  • Votes:
                    0 Vote for this issue
                    Watchers:
                    2 Start watching this issue

                    Dates

                    • Created:
                      Updated:
                      Resolved: