Karl von Randow created CXF-6561:
------------------------------------

Summary: ResourceOwnerGrantHandler: ResourceOwnerLoginHandler can't return null or throw exception
Key: CXF-6561
URL: https://issues.apache.org/jira/browse/CXF-6561
Project: CXF
Issue Type: Bug
Components: JAX-RS Security
Affects Versions: 3.1.2
Reporter: Karl von Randow

ResourceOwnerGrantHandler calls a customisable ResourceOwnerLoginHandler instance, however the `createSubject(String, String)` method declares no exceptions, and a null return value is not handled. This can possibly result in the issuing of an access token if the DataProvider doesn't check for the null subject.

ResourceOwnerGrantHandler.createAccessToken(...) appears to expect that the ResourceOwnerLoginHandler will throw an `Exception` (literally any Exception), however the method signature of the ResourceOwnerLoginHandler interface doesn't allow that.

I will submit a pull request with a suggested fix.
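
The failure mode described in the report, as an added example that is neither CXF code nor the reporter's patch: a self-contained Java model showing a null subject reaching token issuance, next to a guard that treats a null return or an unchecked exception as a failed login. `LoginHandler`, `Subject`, `GrantDenied`, `issueToken` and the sample credentials are hypothetical stand-ins constructed for the illustration.

```java
import java.util.Map;

// Simplified model of the reported flow. Every type here is a stand-in
// (an assumption for illustration), not one of the CXF classes.
public class NullSubjectDemo {
    record Subject(String login) {}

    // Like the interface in the report: no checked exceptions are declared, so a
    // failed login can only surface as null or as an unchecked exception.
    interface LoginHandler { Subject createSubject(String name, String password); }

    static class GrantDenied extends RuntimeException {
        GrantDenied(String reason) { super(reason); }
    }

    // Constructed sample credential store.
    static final Map<String, String> USERS = Map.of("alice", "correct horse");

    // A custom handler that reports bad credentials by returning null.
    static final LoginHandler NULL_ON_FAILURE = (name, password) ->
            password.equals(USERS.get(name)) ? new Subject(name) : null;

    // Data-provider stand-in that never inspects the subject it is given.
    static String issueToken(Subject subject) {
        return "token-for-" + (subject == null ? "<nobody>" : subject.login());
    }

    // Unguarded: whatever the handler returns goes straight to the provider.
    static String grantUnchecked(LoginHandler h, String name, String password) {
        return issueToken(h.createSubject(name, password));
    }

    // Guarded: null and unchecked exceptions both end the grant before issuance.
    static String grantChecked(LoginHandler h, String name, String password) {
        Subject subject;
        try {
            subject = h.createSubject(name, password);
        } catch (RuntimeException e) {
            throw new GrantDenied("login handler failed");
        }
        if (subject == null) throw new GrantDenied("login handler returned no subject");
        return issueToken(subject);
    }

    public static void main(String[] args) {
        System.out.println(grantUnchecked(NULL_ON_FAILURE, "alice", "wrong"));
        try { grantChecked(NULL_ON_FAILURE, "alice", "wrong"); }
        catch (GrantDenied e) { System.out.println("denied: " + e.getMessage()); }
        System.out.println(grantChecked(NULL_ON_FAILURE, "alice", "correct horse"));
    }
}
```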