This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/cxf.git


The following commit(s) were added to refs/heads/main by this push:
     new ddd6223a5a5 Properly throw exception in introspection service (#3121)
ddd6223a5a5 is described below

commit ddd6223a5a57915109522cdaaccef5c745a749b4
Author: Colm O hEigeartaigh <[email protected]>
AuthorDate: Tue May 19 14:10:37 2026 +0100

    Properly throw exception in introspection service (#3121)
---
 .../oauth2/services/TokenIntrospectionService.java |  4 +--
 .../oauth2/grants/IntrospectionServiceTest.java    | 38 ++++++++++++++++++++++
 ...introspection-server-jcache-jwt-non-persist.xml | 18 ++++++++++
 .../grants/introspection-server-jcache-jwt.xml     | 20 +++++++++++-
 .../oauth2/grants/introspection-server-jcache.xml  | 10 +++++-
 .../oauth2/grants/introspection-server-jpa.xml     |  8 +++++
 6 files changed, 94 insertions(+), 4 deletions(-)

diff --git 
a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/TokenIntrospectionService.java
 
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/TokenIntrospectionService.java
index b06279829d4..b4ade1ca109 100644
--- 
a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/TokenIntrospectionService.java
+++ 
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/TokenIntrospectionService.java
@@ -113,11 +113,11 @@ public class TokenIntrospectionService {
         SecurityContext sc = mc.getSecurityContext();
         if (!sc.isSecure() && blockUnsecureRequests) {
             LOG.warning("Unsecure HTTP, Transport Layer Security is 
recommended");
-            ExceptionUtils.toNotAuthorizedException(null,  null);
+            throw ExceptionUtils.toNotAuthorizedException(null,  null);
         }
         if (sc.getUserPrincipal() == null && blockUnauthorizedRequests) {
             LOG.warning("Authenticated Principal is not available");
-            ExceptionUtils.toNotAuthorizedException(null, null);
+            throw ExceptionUtils.toNotAuthorizedException(null, null);
         }
 
     }
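Review bot: The two new `throw ExceptionUtils.toNotAuthorizedException(null,  null);` lines reject with a 401 built from a null Response, so as far as this hunk shows the reply carries no WWW-Authenticate challenge, which RFC 7235 requires on a 401; if ExceptionUtils does not add one itself, consider passing a Response such as `Response.status(Response.Status.UNAUTHORIZED).header(HttpHeaders.WWW_AUTHENTICATE, challenge).build()` with the scheme the deployment's authentication filter uses. Both guards produce an indistinguishable 401, so a reviewer reading logs or tests cannot tell whether the transport or the missing principal caused the rejection; the warning messages are the only differentiator, which is worth a comment on the method. The `sc.isSecure()` check presumably reflects the transport as CXF sees it, so behind a TLS-terminating proxy the first guard may reject traffic that is in fact encrypted — worth a Javadoc note on `blockUnsecureRequests`. The enclosing method starts before this hunk.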
diff --git 
a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/grants/IntrospectionServiceTest.java
 
b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/grants/IntrospectionServiceTest.java
index c4e052b8e39..86794b118fe 100644
--- 
a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/grants/IntrospectionServiceTest.java
+++ 
b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/grants/IntrospectionServiceTest.java
@@ -228,6 +228,44 @@ public class IntrospectionServiceTest extends 
AbstractBusClientServerTestBase {
         assertFalse(tokenIntrospection.isActive());
     }
 
+    @org.junit.Test
+    public void testTokenIntrospectionUnauthorizedClient() throws Exception {
+        URL busFile = IntrospectionServiceTest.class.getResource("client.xml");
+
+        String address = "https://localhost:"; + port + "/services/";
+        WebClient client = WebClient.create(address, 
OAuth2TestUtils.setupProviders(),
+                                            "alice", "security", 
busFile.toString());
+        // Save the Cookie for the second request...
+        WebClient.getConfig(client).getRequestContext().put(
+            org.apache.cxf.message.Message.MAINTAIN_SESSION, Boolean.TRUE);
+
+        // Get Authorization Code
+        String code = OAuth2TestUtils.getAuthorizationCode(client);
+        assertNotNull(code);
+
+        // Now get the access token
+        client = WebClient.create(address, OAuth2TestUtils.setupProviders(),
+                                  "consumer-id", "this-is-a-secret", 
busFile.toString());
+        // Save the Cookie for the second request...
+        WebClient.getConfig(client).getRequestContext().put(
+            org.apache.cxf.message.Message.MAINTAIN_SESSION, Boolean.TRUE);
+
+        ClientAccessToken accessToken = 
OAuth2TestUtils.getAccessTokenWithAuthorizationCode(client, code);
+        assertNotNull(accessToken.getTokenKey());
+
+        // Here we're calling a separate introspection service with no 
validators, just to confirm that
+        // it rejects the request by default
+        address = "https://localhost:"; + port + "/introspection/";
+        client = WebClient.create(address, OAuth2TestUtils.setupProviders(), 
busFile.toString());
+        
client.accept("application/json").type("application/x-www-form-urlencoded");
+        Form form = new Form();
+        form.param("token", accessToken.getTokenKey());
+        client.path("introspect/");
+        Response response = client.post(form);
+
+        assertEquals(Response.Status.UNAUTHORIZED.getStatusCode(), 
response.getStatus());
+    }
+
     @org.junit.Test
     public void testRefreshedToken() throws Exception {
         URL busFile = AuthorizationGrantTest.class.getResource("client.xml");
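Review bot: The comment at `// Here we're calling a separate introspection service with no validators` does not match what the accompanying server configs actually omit — the new `/introspection` servers register `tokenIntrospectionService` without the `basicAuthFilter` provider, so no authenticated principal is available; suggest `// Separate introspection endpoint registered without basicAuthFilter, so no principal is set: the service must reject by default`. The final `assertEquals(Response.Status.UNAUTHORIZED.getStatusCode(), response.getStatus())` cannot distinguish the unauthenticated-principal guard from the insecure-transport guard, since both yield a bare 401; once a WWW-Authenticate challenge is emitted, asserting on that header would pin the intended branch. The token-acquisition preamble duplicates the earlier tests in this class and could move to a private helper, and `response.close()` is missing after the status assertion.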
diff --git 
a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/oauth2/grants/introspection-server-jcache-jwt-non-persist.xml
 
b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/oauth2/grants/introspection-server-jcache-jwt-non-persist.xml
index af867192464..6b8b8e5c20c 100644
--- 
a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/oauth2/grants/introspection-server-jcache-jwt-non-persist.xml
+++ 
b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/oauth2/grants/introspection-server-jcache-jwt-non-persist.xml
@@ -132,6 +132,24 @@ under the License.
            <entry key="rs.security.signature.algorithm" value="RS256" />
        </jaxrs:properties>
    </jaxrs:server>
+
+   <jaxrs:server
+       depends-on="tls-config"
+       
address="https://localhost:${testutil.ports.jaxrs-oauth2-introspection-jcache-jwt-non-persist}/introspection";>
+       <jaxrs:serviceBeans>
+           <ref bean="tokenIntrospectionService"/>
+       </jaxrs:serviceBeans>
+       <jaxrs:properties>
+           <entry key="security.signature.properties"
+                  
value="org/apache/cxf/systest/jaxrs/security/bob.properties"/>
+           <entry key="rs.security.keystore.type" value="jks" />
+           <entry key="rs.security.keystore.alias" value="alice"/>
+           <entry key="rs.security.keystore.password" value="password"/>
+           <entry key="rs.security.key.password" value="password"/>
+           <entry key="rs.security.keystore.file" value="keys/alice.jks" />
+           <entry key="rs.security.signature.algorithm" value="RS256" />
+       </jaxrs:properties>
+   </jaxrs:server>
    
 
 </beans>
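Review bot: The added `<jaxrs:server ... /introspection>` block deliberately omits the `basicAuthFilter` provider that the neighbouring server registers, but nothing in the file says so, and a maintainer tidying the configs could "fix" it by adding the filter and silently change what the test exercises; suggest an XML comment above the server such as `<!-- Intentionally registered without basicAuthFilter: IntrospectionServiceTest checks that TokenIntrospectionService rejects unauthenticated callers by default -->`. The same applies to the added servers in introspection-server-jcache-jwt.xml, introspection-server-jcache.xml and introspection-server-jpa.xml. In this file and in introspection-server-jcache-jwt.xml the `rs.security.*` signature entries are copied verbatim from the first server; a shared properties bean referenced from both would keep them from drifting.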
diff --git 
a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/oauth2/grants/introspection-server-jcache-jwt.xml
 
b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/oauth2/grants/introspection-server-jcache-jwt.xml
index f595b77a96c..81a1154158e 100644
--- 
a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/oauth2/grants/introspection-server-jcache-jwt.xml
+++ 
b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/oauth2/grants/introspection-server-jcache-jwt.xml
@@ -102,7 +102,7 @@ under the License.
    <bean id="tokenIntrospectionService" 
class="org.apache.cxf.rs.security.oauth2.services.TokenIntrospectionService">
        <property name="dataProvider" ref="oauthProvider"/>
    </bean>
-   
+
    <bean id="callbackHandler" 
class="org.apache.cxf.systest.jaxrs.security.oauth2.common.CallbackHandlerImpl"/>
    <bean id="basicAuthFilter" 
class="org.apache.cxf.systest.jaxrs.security.oauth2.common.WSS4JBasicAuthFilter">
        <property name="callbackHandler" ref="callbackHandler"/>
@@ -130,6 +130,24 @@ under the License.
            <entry key="rs.security.signature.algorithm" value="RS256" />
        </jaxrs:properties>
    </jaxrs:server>
+
+   <jaxrs:server
+       depends-on="tls-config"
+       
address="https://localhost:${testutil.ports.jaxrs-oauth2-introspection-jcache-jwt}/introspection";>
+       <jaxrs:serviceBeans>
+           <ref bean="tokenIntrospectionService"/>
+       </jaxrs:serviceBeans>
+       <jaxrs:properties>
+           <entry key="security.signature.properties"
+                  
value="org/apache/cxf/systest/jaxrs/security/bob.properties"/>
+           <entry key="rs.security.keystore.type" value="jks" />
+           <entry key="rs.security.keystore.alias" value="alice"/>
+           <entry key="rs.security.keystore.password" value="password"/>
+           <entry key="rs.security.key.password" value="password"/>
+           <entry key="rs.security.keystore.file" value="keys/alice.jks" />
+           <entry key="rs.security.signature.algorithm" value="RS256" />
+       </jaxrs:properties>
+   </jaxrs:server>
    
 
 </beans>
diff --git 
a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/oauth2/grants/introspection-server-jcache.xml
 
b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/oauth2/grants/introspection-server-jcache.xml
index fa5cca49caa..25add22e717 100644
--- 
a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/oauth2/grants/introspection-server-jcache.xml
+++ 
b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/oauth2/grants/introspection-server-jcache.xml
@@ -101,7 +101,7 @@ under the License.
    <bean id="tokenIntrospectionService" 
class="org.apache.cxf.rs.security.oauth2.services.TokenIntrospectionService">
        <property name="dataProvider" ref="oauthProvider"/>
    </bean>
-   
+
    <bean id="callbackHandler" 
class="org.apache.cxf.systest.jaxrs.security.oauth2.common.CallbackHandlerImpl"/>
    <bean id="basicAuthFilter" 
class="org.apache.cxf.systest.jaxrs.security.oauth2.common.WSS4JBasicAuthFilter">
        <property name="callbackHandler" ref="callbackHandler"/>
@@ -119,6 +119,14 @@ under the License.
            <ref bean="basicAuthFilter"/>
        </jaxrs:providers>
    </jaxrs:server>
+
+   <jaxrs:server
+       depends-on="tls-config"
+       
address="https://localhost:${testutil.ports.jaxrs-oauth2-introspection-jcache}/introspection";>
+       <jaxrs:serviceBeans>
+           <ref bean="tokenIntrospectionService"/>
+       </jaxrs:serviceBeans>
+   </jaxrs:server>
    
 
 </beans>
diff --git 
a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/oauth2/grants/introspection-server-jpa.xml
 
b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/oauth2/grants/introspection-server-jpa.xml
index f3474e4e03a..b219c4f3025 100644
--- 
a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/oauth2/grants/introspection-server-jpa.xml
+++ 
b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/oauth2/grants/introspection-server-jpa.xml
@@ -132,6 +132,14 @@ under the License.
            <ref bean="basicAuthFilter"/>
        </jaxrs:providers>
    </jaxrs:server>
+
+   <jaxrs:server
+       depends-on="tls-config"
+       
address="https://localhost:${testutil.ports.jaxrs-oauth2-introspection-jpa}/introspection";>
+       <jaxrs:serviceBeans>
+           <ref bean="tokenIntrospectionService"/>
+       </jaxrs:serviceBeans>
+   </jaxrs:server>
    
 
 </beans>
