Posted to issues@cxf.apache.org by "Jordi Torrente (JIRA)" <ji...@apache.org> on 2012/05/15 17:57:44 UTC
[jira] [Created] (CXF-4318) OAuthRequestFilter generates an empty WWW-Authenticate header
Jordi Torrente created CXF-4318:
-----------------------------------
Summary: OAuthRequestFilter generates an empty WWW-Authenticate header
Key: CXF-4318
URL: https://issues.apache.org/jira/browse/CXF-4318
Project: CXF
Issue Type: Bug
Components: JAX-RS Security
Affects Versions: 2.6
Reporter: Jordi Torrente
When using OAuthRequestFilter to protect a resource, if we don't set any member for its "tokenHandlers" list, a request without an "Authorization" header will generate a response like:
Response-Code: 401
Content-Type: text/xml
Headers: {WWW-Authenticate=[], Date=[Tue, 15 May 2012 15:27:43 GMT], Content-Length=[0]}
And when trying to process it at the client layer, a "java.lang.IllegalArgumentException" will be thrown:
URL uri = new URL("http://SomeFilteredResource");
HttpURLConnection conn = (HttpURLConnection)uri.openConnection();
int code = conn.getResponseCode();
Receives:
java.lang.RuntimeException: java.lang.IllegalArgumentException: invalid start or end
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1137)
at sun.net.www.protocol.http.HttpURLConnection.getHeaderField(HttpURLConnection.java:2338)
at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:388)
I suppose the reason could be the empty "WWW-Authenticate" header's value, so the method AuthorizationUtils.throwAuthorizationFailure() should be fixed to avoid this situation.
Regards
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Resolved] (CXF-4318) OAuthRequestFilter generates an empty WWW-Authenticate header
Posted by "Sergey Beryozkin (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/CXF-4318?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Sergey Beryozkin resolved CXF-4318.
-----------------------------------
Resolution: Fixed
Fix Version/s: 2.6.1
Assignee: Sergey Beryozkin
Only 401 is returned when no challenges are available, see
http://svn.apache.org/viewvc?rev=1338879&view=rev
> OAuthRequestFilter generates an empty WWW-Authenticate header
> -------------------------------------------------------------
>
> Key: CXF-4318
> URL: https://issues.apache.org/jira/browse/CXF-4318
> Project: CXF
> Issue Type: Bug
> Components: JAX-RS Security
> Affects Versions: 2.6
> Reporter: Jordi Torrente
> Assignee: Sergey Beryozkin
> Labels: oauth2
> Fix For: 2.6.1
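The behaviour described in the resolution (a bare 401 when no challenges are available), as an added example that is not CXF's code or the referenced commit: a JDK-only server adds WWW-Authenticate only for non-blank challenges, and the client calls from the report read the result. The class and method names, the loopback server and the sample Bearer challenge are assumptions made for this illustration.

```java
import com.sun.net.httpserver.HttpServer;
import java.net.HttpURLConnection;
import java.net.InetSocketAddress;
import java.net.URL;
import java.util.List;

public class ChallengeHeaderDemo {

    // Hypothetical stand-in for a filter's failure path (not CXF's AuthorizationUtils):
    // always answers 401 and adds WWW-Authenticate only for non-blank challenges.
    static HttpServer start(List<String> challenges) throws Exception {
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        server.createContext("/", exchange -> {
            for (String challenge : challenges) {
                if (challenge != null && !challenge.trim().isEmpty()) {
                    exchange.getResponseHeaders().add("WWW-Authenticate", challenge);
                }
            }
            exchange.sendResponseHeaders(401, -1); // -1 means no response body
            exchange.close();
        });
        server.start();
        return server;
    }

    // Same client calls as in the report, plus a null-safe read of the challenge header.
    static String probe(List<String> challenges) throws Exception {
        HttpServer server = start(challenges);
        try {
            URL uri = new URL("http://127.0.0.1:" + server.getAddress().getPort() + "/");
            HttpURLConnection conn = (HttpURLConnection) uri.openConnection();
            int code = conn.getResponseCode();
            String header = conn.getHeaderField("WWW-Authenticate"); // null when absent
            return code + " challenge=" + header;
        } finally {
            server.stop(0);
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: no token handlers configured, then one Bearer challenge.
        System.out.println(probe(List.of()));
        System.out.println(probe(List.of("Bearer realm=\"example\"")));
    }
}
```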