CXF-7264: NPE on OAuth RO/CC flows using JPA
Project: CXF

Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.1.10
    • Fix Version/s: 3.1.11, 3.2.0
    • Component/s: None
    • Labels: None
    • Estimated Complexity: Unknown

    Description

      NPE on RO flow
      I'm using the org.apache.cxf.rs.security.oauth2.grants.code.JPACMTCodeDataProvider oauthProvider.

      Whenever I call an RO flow, e.g.:
      curl -v -X POST http://localhost:9080/oidc/oauth2/token -d "grant_type=password&username=alice&password=alice&scope=openid" -u PMEvtbd94ca6oQ:_gSNdEM4ELeZ57h8FuVQpQ

      I get:

      idp_1  | javax.persistence.PersistenceException: org.hibernate.WrongClassException: Object with id: null was not of the specified subclass: org.apache.cxf.rs.security.oauth2.common.UserSubject (class of the given object did not match class of persistent copy)
      idp_1  | 	at org.hibernate.ejb.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1387)
      idp_1  | 	at org.hibernate.ejb.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1310)
      idp_1  | 	at org.hibernate.ejb.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1316)
      idp_1  | 	at org.hibernate.ejb.AbstractEntityManagerImpl.merge(AbstractEntityManagerImpl.java:898)
      idp_1  | 	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      idp_1  | 	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
      idp_1  | 	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      idp_1  | 	at java.lang.reflect.Method.invoke(Method.java:498)
      idp_1  | 	at org.springframework.orm.jpa.SharedEntityManagerCreator$SharedEntityManagerInvocationHandler.invoke(SharedEntityManagerCreator.java:298)
      idp_1  | 	at com.sun.proxy.$Proxy73.merge(Unknown Source)
      idp_1  | 	at org.apache.cxf.rs.security.oauth2.provider.JPAOAuthDataProvider$12.execute(JPAOAuthDataProvider.java:270)
      idp_1  | 	at org.apache.cxf.rs.security.oauth2.provider.JPAOAuthDataProvider$12.execute(JPAOAuthDataProvider.java:251)
      idp_1  | 	at org.apache.cxf.rs.security.oauth2.provider.JPAOAuthDataProvider.executeInTransaction(JPAOAuthDataProvider.java:88)
      idp_1  | 	at org.apache.cxf.rs.security.oauth2.provider.JPAOAuthDataProvider.saveAccessToken(JPAOAuthDataProvider.java:251)
      idp_1  | 	at org.apache.cxf.rs.security.oauth2.provider.AbstractOAuthDataProvider.createAccessToken(AbstractOAuthDataProvider.java:64)
      idp_1  | 	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      idp_1  | 	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
      idp_1  | 	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      idp_1  | 	at java.lang.reflect.Method.invoke(Method.java:498)
      idp_1  | 	at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:333)
      idp_1  | 	at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:190)
      idp_1  | 	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:157)
      idp_1  | 	at org.springframework.transaction.interceptor.TransactionInterceptor$1.proceedWithInvocation(TransactionInterceptor.java:99)
      idp_1  | 	at org.springframework.transaction.interceptor.TransactionAspectSupport.invokeWithinTransaction(TransactionAspectSupport.java:282)
      idp_1  | 	at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:96)
      idp_1  | 	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
      idp_1  | 	at org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:92)
      idp_1  | 	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
      idp_1  | 	at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:213)
      idp_1  | 	at com.sun.proxy.$Proxy74.createAccessToken(Unknown Source)
      

      This comes from this line of code:
      sub1 = (UserSubject)em.merge(serverToken.getSubject());

      The subject returned by serverToken.getSubject() and the subject in the DB are of different types, so the merge fails:
      serverToken.getSubject()
      class org.apache.cxf.rs.security.oauth2.common.UserSubject
      em.find(UserSubject.class, serverToken.getSubject().getId())
      class org.apache.cxf.rs.security.oidc.idp.OidcUserSubject

      NPE on CC flow
      Whenever I use a Client Credentials flow, e.g.:
      curl -u PMEvtbd94ca6oQ:_gSNdEM4ELeZ57h8FuVQpQ http://localhost:9080/oidc/oauth2/token -d 'grant_type=client_credentials'
      I get an NPE in JPAOAuthDataProvider#saveAccessToken, because serverToken.getSubject() is null when using the CC flow.
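Both failure modes in the report sit at the same merge site: a detached base-class UserSubject is merged over a row that Hibernate already maps to the subclass OidcUserSubject (WrongClassException on the password grant), and on the client_credentials grant there is no resource owner at all, so the subject is null (NPE). The following is an added illustrative guard, not the reporter's code and not the fix that shipped in CXF 3.1.11/3.2.0. It assumes a data-provider subclass holding a JPA EntityManager `em`, the CXF types named in the report (ServerAccessToken, UserSubject, and UserSubject#getId()), and that ServerAccessToken exposes setSubject(UserSubject); the class name GuardedTokenSaver is hypothetical.

```java
import javax.persistence.EntityManager;

import org.apache.cxf.rs.security.oauth2.common.ServerAccessToken;
import org.apache.cxf.rs.security.oauth2.common.UserSubject;

/**
 * Added example: a null-safe, subclass-aware way to attach the token's
 * UserSubject before persisting the token. This is NOT CXF's own
 * JPAOAuthDataProvider#saveAccessToken; it only shows the two checks
 * that the failing line "sub1 = (UserSubject) em.merge(serverToken.getSubject())"
 * lacks. It assumes it is called inside the provider's transaction.
 */
public class GuardedTokenSaver {

    private final EntityManager em;

    public GuardedTokenSaver(EntityManager em) {
        this.em = em;
    }

    /**
     * Returns the managed UserSubject to attach to the token, or null when the
     * grant carries no resource owner (client_credentials).
     */
    UserSubject resolveSubject(UserSubject subject) {
        if (subject == null) {
            // client_credentials: no resource owner, nothing to merge.
            return null;
        }
        if (subject.getId() != null) {
            // Look the row up by id first. The persistent entity may be a
            // subclass such as OidcUserSubject; merging a plain UserSubject
            // over it is exactly what triggers Hibernate's WrongClassException,
            // so reuse the managed instance instead of merging the detached copy.
            UserSubject existing = em.find(UserSubject.class, subject.getId());
            if (existing != null) {
                return existing;
            }
        }
        // Not persisted yet (or no id): merge creates the managed copy.
        return em.merge(subject);
    }

    public void saveAccessToken(ServerAccessToken serverToken) {
        UserSubject managed = resolveSubject(serverToken.getSubject());
        if (managed != null) {
            // Assumes ServerAccessToken#setSubject exists (see lead-in).
            serverToken.setSubject(managed);
        }
        em.persist(serverToken);
    }
}
```

Two caveats a practitioner would want before copying this pattern: reusing the entity found by id discards any changes made to the detached subject in memory (for example freshly added properties), so copy those onto the managed instance if the token must carry them; and the null branch must be mirrored wherever the subject is later read (token introspection, refresh), otherwise the client_credentials case simply moves the NPE downstream.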

      People

        Assignee: Sergey Beryozkin (sergey_beryozkin)
        Reporter: Adrian Gonzalez (gonzalad)
        Votes: 0
        Watchers: 3