Uploaded image for project: 'CXF'
  1. CXF
  2. CXF-6561

ResourceOwnerGrantHandler: ResourceOwnerLoginHandler can't return null or throw exception

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.1.2
    • Fix Version/s: 3.1.3, 3.0.7
    • Component/s: JAX-RS Security
    • Labels:
      None
    • Estimated Complexity:
      Unknown

      Description

      ResourceOwnerGrantHandler calls a customisable ResourceOwnerLoginHandler instance, however the `createSubject(String, String)` method declares no exceptions, and a null return value is not handled. This can possibly result in the issuing of an access token if the DataProvider doesn't check for the null subject.

      ResourceOwnerGrantHandler.createAccessToken(...) appears to expect that the ResourceOwnerLoginHandler will throw an `Exception` (literally any Exception), however the method signature of the ResourceOwnerLoginHandler interface doesn't allow that.

      I will submit a pull request with a suggested fix.

        Attachments

          Activity

            People

            • Assignee:
              sergey_beryozkin Sergey Beryozkin
              Reporter:
              karlvr Karl von Randow
            • Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: