[ 
https://issues.apache.org/jira/browse/CXF-5092?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

vdveer updated CXF-5092:
------------------------

    Description: 
When accessing the RequestTokenService of the cxf-rt-rs-security-oauth 
framework, consumer key and secret will be used to validate the signature of 
the sent message. When the signature fails (i.e. wrong client secret), an 
exception is thrown and caught, but since the actual request token is null at 
that time, the exception is not thrown any further and the request token will 
be generated afterwards and passed to the connected client even when the 
signature verification failed. See snippet of the OAuthUtils class.

[2.7.5 - lines 107-114]

        try {
            validator.validateMessage(oAuthMessage, accessor);
        } catch (Exception ex) {
            if (token != null) {
                provider.removeToken(token);
                throw ex;
            }
        }

If I'm correct, a possible solution will be to move the throw exception 
statement out of the if statement so that in case of a caught exception it's 
always thrown further.

This is a minor bug, since in the next oauth step the signature verification 
will fail and, since the token will not be null in this case, the exception is 
thrown and the oauth flow will end unsuccessfully.


  was:
When accessing the RequestTokenService of the cxf-rt-rs-security-oauth 
framework, consumer key and secret will be used to validate the signature of 
the sent message. When the signature fails (i.e. wrong client secret), an 
exception is thrown and caught, but since the actual request token is null at 
that time, the exception is not thrown any further and the request token will 
be generated afterwards and passed to the connected client even when the 
signature verification failed. See snippet.

        try {
            validator.validateMessage(oAuthMessage, accessor);
        } catch (Exception ex) {
            if (token != null) {
                provider.removeToken(token);
                throw ex;
            }
        }

If I'm correct, a possible solution will be to move the throw exception 
statement out of the if statement so that in case of a caught exception it's 
always thrown further.

This is a minor bug, since in the next oauth step the signature verification 
will fail and, since the token will not be null in this case, the exception is 
thrown and the oauth flow will end unsuccessfully.
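The control-flow problem the report describes, as an added, self-contained example (this is not CXF code and not the reporter's patch). Validator, TokenProvider and RequestToken are hypothetical stand-ins for the validator and provider objects in the quoted snippet, and the line that mints a request token after the try/catch is an assumed model of "the requesttoken will be generated afterwards"; buggyFlow keeps the rethrow inside the null check, fixedFlow applies the reporter's suggestion of always rethrowing.

```java
import java.util.ArrayList;
import java.util.List;

// Added example, not CXF code: a minimal model of the control flow in the report.
// Validator, TokenProvider and RequestToken are hypothetical stand-ins for the
// validator and provider objects used in the quoted OAuthUtils snippet.
public class SwallowedSignatureFailure {

    static final class RequestToken {
        final String key;
        RequestToken(String key) { this.key = key; }
    }

    /** Throws when the consumer secret used to sign the message is wrong. */
    static final class Validator {
        private final String expectedSecret;
        Validator(String expectedSecret) { this.expectedSecret = expectedSecret; }
        void validateMessage(String presentedSecret) throws Exception {
            if (!expectedSecret.equals(presentedSecret)) {
                throw new Exception("signature verification failed");
            }
        }
    }

    /** Records every token handed out so the two variants can be compared. */
    static final class TokenProvider {
        final List<RequestToken> issued = new ArrayList<>();
        RequestToken createRequestToken() {
            RequestToken t = new RequestToken("req-" + (issued.size() + 1));
            issued.add(t);
            return t;
        }
        void removeToken(RequestToken t) { issued.remove(t); }
    }

    /** Same shape as the 2.7.5 snippet: the rethrow sits inside the null check. */
    static RequestToken buggyFlow(Validator validator, TokenProvider provider,
                                  String presentedSecret, RequestToken token) throws Exception {
        try {
            validator.validateMessage(presentedSecret);
        } catch (Exception ex) {
            if (token != null) {
                provider.removeToken(token);
                throw ex;
            }
            // token == null on the request-token call: the failure is silently dropped
        }
        // Assumed continuation of the real method: mint the token once validation "passed".
        return token != null ? token : provider.createRequestToken();
    }

    /** Reporter's proposed fix: clean up if a token exists, but always rethrow. */
    static RequestToken fixedFlow(Validator validator, TokenProvider provider,
                                  String presentedSecret, RequestToken token) throws Exception {
        try {
            validator.validateMessage(presentedSecret);
        } catch (Exception ex) {
            if (token != null) {
                provider.removeToken(token);
            }
            throw ex;
        }
        return token != null ? token : provider.createRequestToken();
    }

    public static void main(String[] args) {
        Validator validator = new Validator("correct-secret");

        // Constructed scenario: a request-token call (token == null) signed with a wrong secret.
        TokenProvider buggy = new TokenProvider();
        try {
            RequestToken t = buggyFlow(validator, buggy, "wrong-secret", null);
            System.out.println("buggy: token " + t.key + " issued despite bad signature; "
                    + "tokens held: " + buggy.issued.size());
        } catch (Exception ex) {
            System.out.println("buggy: rejected: " + ex.getMessage());
        }

        TokenProvider fixed = new TokenProvider();
        try {
            RequestToken t = fixedFlow(validator, fixed, "wrong-secret", null);
            System.out.println("fixed: token " + t.key + " issued");
        } catch (Exception ex) {
            System.out.println("fixed: rejected: " + ex.getMessage()
                    + "; tokens held: " + fixed.issued.size());
        }
    }
}
```

Running main shows the buggy variant returning a freshly minted token to a caller whose signature did not verify, while the fixed variant propagates the exception and leaves the provider with no issued token. The only difference between the two methods is the position of the `throw ex;` relative to the `if (token != null)` block.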


    
> RequestTokenService signature verification bug [OAuthUtils]
> -----------------------------------------------------------
>
>                 Key: CXF-5092
>                 URL: https://issues.apache.org/jira/browse/CXF-5092
>             Project: CXF
>          Issue Type: Bug
>          Components: JAX-RS Security
>    Affects Versions: 2.7.5
>            Reporter: vdveer
>            Priority: Minor
>              Labels: patch
>   Original Estimate: 0.5h
>  Remaining Estimate: 0.5h
>

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
