The second request to protected resources causes NPE



borisbsu
Dec 6th, 2010, 06:23 AM
The following scenario causes NPE in OAuthUtil:
1) Open a protected resource in the browser
2) OAuthConsumerContextFilter creates a request token and redirects the user to the service provider authorization page. Don't click "Allow/Deny access" buttons there;
3) Open the same (or another) protected resource again in the browser. Note that the previous request token is not authorized yet and OAuthConsumerContextFilter thinks that the new request is a callback from the service provider - so it tries to create an access token.


I think the correct behavior is to redirect the user again to the service provider using the previously created request token (see attached patch).


Full stacktrace:

java.lang.NullPointerException
at com.google.gdata.client.authn.oauth.OAuthUtil.normalizeParameters(OAuthUtil.java:163)
at com.google.gdata.client.authn.oauth.OAuthUtil.getSignatureBaseString(OAuthUtil.java:81)
at com.google.gdata.client.authn.oauth.TwoLeggedOAuthHelper.addCommonRequestParameters(TwoLeggedOAuthHelper.java:79)
at com.google.gdata.client.authn.oauth.OAuthHelper.getOAuthUrl(OAuthHelper.java:661)
at com.google.gdata.client.authn.oauth.OAuthHelper.getAccessToken(OAuthHelper.java:555)
at com.spreadsheet.oauth.consumer.GAEOAuthConsumerSupport.getAccessToken(GAEOAuthConsumerSupport.java:107)
at org.springframework.security.oauth.consumer.OAuthConsumerContextFilter.doFilter(OAuthConsumerContextFilter.java:161)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:109)
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:83)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:97)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:100)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:78)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:35)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:177)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:187)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:79)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:149)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1157)
at com.google.appengine.api.blobstore.dev.ServeBlobFilter.doFilter(ServeBlobFilter.java:58)
at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1157)
at com.google.apphosting.utils.servlet.TransactionCleanupFilter.doFilter(TransactionCleanupFilter.java:43)
at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1157)
at com.google.appengine.tools.development.StaticFileFilter.doFilter(StaticFileFilter.java:122)
at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1157)
at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:388)
at org.mortbay.jetty.security.SecurityHandler.handle(SecurityHandler.java:216)
at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:182)
at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:765)
at org.mortbay.jetty.webapp.WebAppContext.handle(WebAppContext.java:418)
at com.google.apphosting.utils.jetty.DevAppEngineWebAppContext.handle(DevAppEngineWebAppContext.java:70)
at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
at com.google.appengine.tools.development.JettyContainerService$ApiProxyHandler.handle(JettyContainerService.java:349)
at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
at org.mortbay.jetty.Server.handle(Server.java:326)
at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:542)
at org.mortbay.jetty.HttpConnection$RequestHandler.headerComplete(HttpConnection.java:923)
at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:547)
at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:212)
at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:404)
at org.mortbay.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:409)
at org.mortbay.thread.QueuedThreadPool$PoolThread.run(QueuedThreadPool.java:582)

stoicflame
Dec 6th, 2010, 11:36 AM
Thanks for the report. Opened a JIRA issue:

https://jira.springsource.org/browse/SECOAUTH-31
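
Added example, not part of the thread and not the attached patch or Spring Security OAuth's code: one way a consumer can tell a real provider callback from the repeated request in step 3 of the report. It assumes the provider returns the standard OAuth 1.0a callback parameters oauth_token and oauth_verifier; the class, enum and method names are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;

// Added illustration. Class, enum and method names are hypothetical and are
// not Spring Security OAuth's API or the patch attached to the post.
public class RequestTokenState {

    enum Action { OBTAIN_REQUEST_TOKEN, REDIRECT_TO_AUTHORIZATION, EXCHANGE_FOR_ACCESS_TOKEN }

    // pendingToken: unauthorized request token kept in the user's session (null if none).
    // params: query parameters of the incoming request.
    static Action decide(String pendingToken, Map<String, String> params) {
        if (pendingToken == null) {
            return Action.OBTAIN_REQUEST_TOKEN;          // step 2 of the report
        }
        String returned = params.get("oauth_token");
        String verifier = params.get("oauth_verifier");
        boolean callback = returned != null
                && verifier != null && !verifier.isEmpty()
                && sameToken(pendingToken, returned);
        // Step 3 of the report: a token is pending but this is an ordinary
        // request, so send the user back to the authorization page instead
        // of attempting the access-token exchange.
        return callback ? Action.EXCHANGE_FOR_ACCESS_TOKEN
                        : Action.REDIRECT_TO_AUTHORIZATION;
    }

    // Compare tokens without exiting early at the first differing byte.
    static boolean sameToken(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8),
                                     b.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        // Constructed sample values.
        String pending = "req-token-123";
        System.out.println(decide(null, Map.of()));
        System.out.println(decide(pending, Map.of()));
        System.out.println(decide(pending,
                Map.of("oauth_token", "other", "oauth_verifier", "v1")));
        System.out.println(decide(pending,
                Map.of("oauth_token", pending, "oauth_verifier", "v1")));
    }
}
```

Requiring the returned oauth_token to match the token held in the session also keeps a callback for some other request token from being exchanged under this user's session.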