Announcement Announcement Module
Collapse
No announcement yet.
The second request to protected resources causes NPE Page Title Module
Move Remove Collapse
X
Conversation Detail Module
Collapse
  • Filter
  • Time
  • Show
Clear All
new posts

  • The second request to protected resources causes NPE

    The following scenario cases NPE in OAuthUtil:
    1) Open a protected resource in browser
    2) OAuthConsumerContextFilter creates a request token and redirects the user to the service provider authorization page. Don't click "Allow/Deny access" buttons there;
    3) Open the same (or another) protected resource again in the browser. Note that the previous request token is not authroized yet and OAuthConsumerContextFilter thinks that the new request is a callback from service provider - so it tries to create an access token.


    I think the correct behavior is to redirect the user again to the service provider using the previously created request token (see attached patch).


    Full stacktrace:
    Code:
    java.lang.NullPointerException
    	at com.google.gdata.client.authn.oauth.OAuthUtil.normalizeParameters(OAuthUtil.java:163)
    	at com.google.gdata.client.authn.oauth.OAuthUtil.getSignatureBaseString(OAuthUtil.java:81)
    	at com.google.gdata.client.authn.oauth.TwoLeggedOAuthHelper.addCommonRequestParameters(TwoLeggedOAuthHelper.java:79)
    	at com.google.gdata.client.authn.oauth.OAuthHelper.getOAuthUrl(OAuthHelper.java:661)
    	at com.google.gdata.client.authn.oauth.OAuthHelper.getAccessToken(OAuthHelper.java:555)
    	at com.spreadsheet.oauth.consumer.GAEOAuthConsumerSupport.getAccessToken(GAEOAuthConsumerSupport.java:107)
    	at org.springframework.security.oauth.consumer.OAuthConsumerContextFilter.doFilter(OAuthConsumerContextFilter.java:161)
    	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
    	at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:109)
    	at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:83)
    	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
    	at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:97)
    	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
    	at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:100)
    	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
    	at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:78)
    	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
    	at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54)
    	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
    	at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:35)
    	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
    	at org.springframework.security.web.authentication.http://www.BasicAuthenticationFilter...ilter.java:177)
    	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
    	at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:187)
    	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
    	at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105)
    	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
    	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:79)
    	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
    	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:149)
    	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
    	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
    	at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1157)
    	at com.google.appengine.api.blobstore.dev.ServeBlobFilter.doFilter(ServeBlobFilter.java:58)
    	at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1157)
    	at com.google.apphosting.utils.servlet.TransactionCleanupFilter.doFilter(TransactionCleanupFilter.java:43)
    	at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1157)
    	at com.google.appengine.tools.development.StaticFileFilter.doFilter(StaticFileFilter.java:122)
    	at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1157)
    	at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:388)
    	at org.mortbay.jetty.security.SecurityHandler.handle(SecurityHandler.java:216)
    	at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:182)
    	at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:765)
    	at org.mortbay.jetty.webapp.WebAppContext.handle(WebAppContext.java:418)
    	at com.google.apphosting.utils.jetty.DevAppEngineWebAppContext.handle(DevAppEngineWebAppContext.java:70)
    	at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
    	at com.google.appengine.tools.development.JettyContainerService$ApiProxyHandler.handle(JettyContainerService.java:349)
    	at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
    	at org.mortbay.jetty.Server.handle(Server.java:326)
    	at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:542)
    	at org.mortbay.jetty.HttpConnection$RequestHandler.headerComplete(HttpConnection.java:923)
    	at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:547)
    	at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:212)
    	at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:404)
    	at org.mortbay.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:409)
    	at org.mortbay.thread.QueuedThreadPool$PoolThread.run(QueuedThreadPool.java:582)

  • #2
    Thanks for the report. Opened a JIRA issue:

    https://jira.springsource.org/browse/SECOAUTH-31

    Comment

    Working...
    X