This is an automated email from the ASF dual-hosted git repository. coheigea pushed a commit to branch coheigea/oauth-introspection in repository https://gitbox.apache.org/repos/asf/cxf.git
commit 7960b29d288eba34c24a718646a2438f9c73e85d
Author: Colm O hEigeartaigh <[email protected]>
AuthorDate: Tue May 19 10:16:44 2026 +0100
Properly throw exception in introspection service
---
 .../oauth2/services/TokenIntrospectionService.java | 4 +--
 .../oauth2/grants/IntrospectionServiceTest.java | 38 ++++++++++++++++++++++
 ...introspection-server-jcache-jwt-non-persist.xml | 18 ++++++++++
 .../grants/introspection-server-jcache-jwt.xml | 20 +++++++++++-
 .../oauth2/grants/introspection-server-jcache.xml | 10 +++++-
 .../oauth2/grants/introspection-server-jpa.xml | 8 +++++
 6 files changed, 94 insertions(+), 4 deletions(-)
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/TokenIntrospectionService.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/TokenIntrospectionService.java
index b06279829d4..b4ade1ca109 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/TokenIntrospectionService.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/TokenIntrospectionService.java
@@ -113,11 +113,11 @@ public class TokenIntrospectionService {
 SecurityContext sc = mc.getSecurityContext();
 if (!sc.isSecure() && blockUnsecureRequests) {
 LOG.warning("Unsecure HTTP, Transport Layer Security is recommended");
- ExceptionUtils.toNotAuthorizedException(null, null);
+ throw ExceptionUtils.toNotAuthorizedException(null, null);
 }
 if (sc.getUserPrincipal() == null && blockUnauthorizedRequests) {
 LOG.warning("Authenticated Principal is not available");
- ExceptionUtils.toNotAuthorizedException(null, null);
+ throw ExceptionUtils.toNotAuthorizedException(null, null);
 }
 }
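Review bot: The discarded-return pattern this hunk fixes (`ExceptionUtils.toNotAuthorizedException(null, null);` as a bare statement, which left both guards logging a warning and then continuing) is easy to reintroduce, because the factory call reads like a statement; marking the `ExceptionUtils` factory methods with a `@CheckReturnValue`-style annotation, or enabling an ignored-return-value check (Error Prone, SpotBugs) in the build, would turn the next occurrence into a compile-time or CI failure, and a grep for other `ExceptionUtils.to` calls not preceded by `throw` in the module is worth doing in the same pass. A short comment above the first `if`, `// Fail closed: neither guard may fall through to the rest of the request`, would record the intent for the next reader. The enclosing method's signature lies outside the hunk.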
diff --git a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/grants/IntrospectionServiceTest.java b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/grants/IntrospectionServiceTest.java
index c4e052b8e39..86794b118fe 100644
--- a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/grants/IntrospectionServiceTest.java
+++ b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/grants/IntrospectionServiceTest.java
@@ -228,6 +228,44 @@ public class IntrospectionServiceTest extends AbstractBusClientServerTestBase { assertFalse(tokenIntrospection.isActive()); } + @org.junit.Test + public void testTokenIntrospectionUnauthorizedClient() throws Exception { + URL busFile = IntrospectionServiceTest.class.getResource("client.xml"); + + String address = "https://localhost:" + port + "/services/"; + WebClient client = WebClient.create(address, OAuth2TestUtils.setupProviders(), + "alice", "security", busFile.toString()); + // Save the Cookie for the second request... + WebClient.getConfig(client).getRequestContext().put( + org.apache.cxf.message.Message.MAINTAIN_SESSION, Boolean.TRUE); + + // Get Authorization Code + String code = OAuth2TestUtils.getAuthorizationCode(client); + assertNotNull(code); + + // Now get the access token + client = WebClient.create(address, OAuth2TestUtils.setupProviders(), + "consumer-id", "this-is-a-secret", busFile.toString()); + // Save the Cookie for the second request... + WebClient.getConfig(client).getRequestContext().put( + org.apache.cxf.message.Message.MAINTAIN_SESSION, Boolean.TRUE); + + ClientAccessToken accessToken = OAuth2TestUtils.getAccessTokenWithAuthorizationCode(client, code); + assertNotNull(accessToken.getTokenKey()); + + // Here we're calling a separate introspection service with no validators, just to confirm that + // it rejects the request by default + address = "https://localhost:" + port + "/introspection/"; + client = WebClient.create(address, OAuth2TestUtils.setupProviders(), busFile.toString()); + client.accept("application/json").type("application/x-www-form-urlencoded"); + Form form = new Form(); + form.param("token", accessToken.getTokenKey()); + client.path("introspect/"); + Response response = client.post(form); + + assertEquals(Response.Status.UNAUTHORIZED.getStatusCode(), response.getStatus()); + } + @org.junit.Test public void testRefreshedToken() throws Exception { URL busFile = 
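Review bot: The new test covers only the missing-principal branch of the introspection service (the 401 asserted on its last line); the unsecured-transport branch that the same commit also changed to `throw` has no test, so a companion case that posts to the introspection endpoint over a non-TLS address, if the test server configs can expose one, would close that gap. The assertion also checks only the status code: reading the body (for example `response.readEntity(String.class)`) and asserting it carries no `active` claim would additionally catch a regression where the warning is logged but an introspection result is still produced. The `address` and `client` locals are reused for three different endpoints and credential sets; distinct names such as `introspectionAddress` and `introspectionClient` would make the final block easier to follow.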
AuthorizationGrantTest.class.getResource("client.xml");
diff --git a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/oauth2/grants/introspection-server-jcache-jwt-non-persist.xml b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/oauth2/grants/introspection-server-jcache-jwt-non-persist.xml
index af867192464..6b8b8e5c20c 100644
--- a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/oauth2/grants/introspection-server-jcache-jwt-non-persist.xml
+++ b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/oauth2/grants/introspection-server-jcache-jwt-non-persist.xml
@@ -132,6 +132,24 @@ under the License.
 <entry key="rs.security.signature.algorithm" value="RS256" />
 </jaxrs:properties>
 </jaxrs:server>
+
+ <jaxrs:server
+ depends-on="tls-config"
+ address="https://localhost:${testutil.ports.jaxrs-oauth2-introspection-jcache-jwt-non-persist}/introspection">
+ <jaxrs:serviceBeans>
+ <ref bean="tokenIntrospectionService"/>
+ </jaxrs:serviceBeans>
+ <jaxrs:properties>
+ <entry key="security.signature.properties"
+ value="org/apache/cxf/systest/jaxrs/security/bob.properties"/>
+ <entry key="rs.security.keystore.type" value="jks" />
+ <entry key="rs.security.keystore.alias" value="alice"/>
+ <entry key="rs.security.keystore.password" value="password"/>
+ <entry key="rs.security.key.password" value="password"/>
+ <entry key="rs.security.keystore.file" value="keys/alice.jks" />
+ <entry key="rs.security.signature.algorithm" value="RS256" />
+ </jaxrs:properties>
+ </jaxrs:server>
 </beans>
diff --git a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/oauth2/grants/introspection-server-jcache-jwt.xml b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/oauth2/grants/introspection-server-jcache-jwt.xml
index f595b77a96c..81a1154158e 100644
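Review bot: The new `/introspection` `<jaxrs:server>` registers no `<jaxrs:providers>`, so no authentication filter runs in front of `tokenIntrospectionService`; that is exactly what the new `testTokenIntrospectionUnauthorizedClient` test relies on, but nothing in the XML says so, and a maintainer who copies the `basicAuthFilter` provider from the existing servers (visible in the context lines of the introspection-server-jcache.xml and introspection-server-jpa.xml hunks) would silently defeat the test. A comment inside the new element, `<!-- No authentication provider on purpose: IntrospectionServiceTest expects this endpoint to reject unauthenticated introspection requests -->`, records the intent. The same applies to the equivalent blocks added in introspection-server-jcache-jwt.xml, introspection-server-jcache.xml and introspection-server-jpa.xml. In this file and in introspection-server-jcache-jwt.xml the keystore and signature entries appear to repeat those of the server directly above (its `rs.security.signature.algorithm` entry and closing `</jaxrs:properties>` are the hunk's context); a shared property bean would keep the two servers from drifting apart.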
--- a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/oauth2/grants/introspection-server-jcache-jwt.xml
+++ b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/oauth2/grants/introspection-server-jcache-jwt.xml
@@ -102,7 +102,7 @@ under the License.
 <bean id="tokenIntrospectionService" class="org.apache.cxf.rs.security.oauth2.services.TokenIntrospectionService">
 <property name="dataProvider" ref="oauthProvider"/>
 </bean>
-
+ <bean id="callbackHandler" class="org.apache.cxf.systest.jaxrs.security.oauth2.common.CallbackHandlerImpl"/>
 <bean id="basicAuthFilter" class="org.apache.cxf.systest.jaxrs.security.oauth2.common.WSS4JBasicAuthFilter">
 <property name="callbackHandler" ref="callbackHandler"/>
@@ -130,6 +130,24 @@ under the License.
 <entry key="rs.security.signature.algorithm" value="RS256" />
 </jaxrs:properties>
 </jaxrs:server>
+
+ <jaxrs:server
+ depends-on="tls-config"
+ address="https://localhost:${testutil.ports.jaxrs-oauth2-introspection-jcache-jwt}/introspection">
+ <jaxrs:serviceBeans>
+ <ref bean="tokenIntrospectionService"/>
+ </jaxrs:serviceBeans>
+ <jaxrs:properties>
+ <entry key="security.signature.properties"
+ value="org/apache/cxf/systest/jaxrs/security/bob.properties"/>
+ <entry key="rs.security.keystore.type" value="jks" />
+ <entry key="rs.security.keystore.alias" value="alice"/>
+ <entry key="rs.security.keystore.password" value="password"/>
+ <entry key="rs.security.key.password" value="password"/>
+ <entry key="rs.security.keystore.file" value="keys/alice.jks" />
+ <entry key="rs.security.signature.algorithm" value="RS256" />
+ </jaxrs:properties>
+ </jaxrs:server>
 </beans>
diff --git a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/oauth2/grants/introspection-server-jcache.xml b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/oauth2/grants/introspection-server-jcache.xml
index fa5cca49caa..25add22e717 100644
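Review bot: The first hunk swaps a blank line for a new `callbackHandler` bean, yet the unchanged `basicAuthFilter` bean two lines below already referenced `callbackHandler` before this commit, so either that id was defined somewhere else in the file (in which case the new definition duplicates it and one bean silently overrides the other) or the context previously failed to load; the hunk alone does not show which. It is worth confirming that `callbackHandler` is defined exactly once after this change and removing whichever definition is redundant. The same blank-line-for-bean replacement appears in the first hunk of introspection-server-jcache.xml.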
--- a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/oauth2/grants/introspection-server-jcache.xml
+++ b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/oauth2/grants/introspection-server-jcache.xml
@@ -101,7 +101,7 @@ under the License.
 <bean id="tokenIntrospectionService" class="org.apache.cxf.rs.security.oauth2.services.TokenIntrospectionService">
 <property name="dataProvider" ref="oauthProvider"/>
 </bean>
-
+ <bean id="callbackHandler" class="org.apache.cxf.systest.jaxrs.security.oauth2.common.CallbackHandlerImpl"/>
 <bean id="basicAuthFilter" class="org.apache.cxf.systest.jaxrs.security.oauth2.common.WSS4JBasicAuthFilter">
 <property name="callbackHandler" ref="callbackHandler"/>
@@ -119,6 +119,14 @@ under the License.
 <ref bean="basicAuthFilter"/>
 </jaxrs:providers>
 </jaxrs:server>
+
+ <jaxrs:server
+ depends-on="tls-config"
+ address="https://localhost:${testutil.ports.jaxrs-oauth2-introspection-jcache}/introspection">
+ <jaxrs:serviceBeans>
+ <ref bean="tokenIntrospectionService"/>
+ </jaxrs:serviceBeans>
+ </jaxrs:server>
 </beans>
diff --git a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/oauth2/grants/introspection-server-jpa.xml b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/oauth2/grants/introspection-server-jpa.xml
index f3474e4e03a..b219c4f3025 100644
--- a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/oauth2/grants/introspection-server-jpa.xml
+++ b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/oauth2/grants/introspection-server-jpa.xml
@@ -132,6 +132,14 @@ under the License.
 <ref bean="basicAuthFilter"/>
 </jaxrs:providers>
 </jaxrs:server>
+
+ <jaxrs:server
+ depends-on="tls-config"
+ address="https://localhost:${testutil.ports.jaxrs-oauth2-introspection-jpa}/introspection">
+ <jaxrs:serviceBeans>
+ <ref bean="tokenIntrospectionService"/>
+ </jaxrs:serviceBeans>
+ </jaxrs:server>
 </beans>
