fix(jans-auth-server): corrected npe in jarm

#728
JanssenProject · Jan 28, 2022 · 5cae544 · 5cae544
1 parent 80725f7
commit 5cae544
Show file tree

Hide file tree

Showing 2 changed files with 31 additions and 22 deletions.
diff --git a/...r/server/src/main/java/io/jans/as/server/authorize/ws/rs/AuthorizeRestWebServiceImpl.java b/...r/server/src/main/java/io/jans/as/server/authorize/ws/rs/AuthorizeRestWebServiceImpl.java
@@ -66,6 +66,7 @@
 import org.apache.commons.collections.CollectionUtils;
 import org.apache.commons.lang.ArrayUtils;
 import org.apache.commons.lang.StringUtils;
+import org.jetbrains.annotations.Nullable;
 import org.json.JSONObject;
 import org.slf4j.Logger;
 
@@ -86,7 +87,6 @@
 import java.util.*;
 import java.util.Map.Entry;
 import java.util.function.Function;
-import io.jans.as.model.util.Base64Util;
 
 import static io.jans.as.model.util.StringUtils.implode;
 import static org.apache.commons.lang3.BooleanUtils.isTrue;
@@ -403,14 +403,13 @@ private Response requestAuthorization(
                     if (responseMode == ResponseMode.JWT) {
                         Jwt jwt = Jwt.parseSilently(request);
                         fillRedirectUriResponseforJARM(redirectUriResponse, jwt, client);
-                        state = jwt.getClaims().getClaimAsString("state"); // state is needed by the
-                                                                           // craeteInvalidJwtRequestExceptionWithJarm
-                                                                           // to pass with error
-                        authorizeRestWebServiceValidator.createInvalidJwtRequestExceptionAsJwtMode(redirectUriResponse,
-                                "Invalid JWT authorization request", state, httpRequest);
-                    } else {
-                        throw e;
+                        if (appConfiguration.isFapi()) {
+                            authorizeRestWebServiceValidator.throwInvalidJwtRequestExceptionAsJwtMode(redirectUriResponse,
+                                    "Invalid JWT authorization request", jwt.getClaims().getClaimAsString("state"), httpRequest);
+                        }
                     }
+
+                    throw e;
                 } catch (Exception e) {
                     log.error("Invalid JWT authorization request. Message : " + e.getMessage(), e);
                     throw authorizeRestWebServiceValidator.createInvalidJwtRequestException(redirectUriResponse, "Invalid JWT authorization request");
@@ -780,14 +779,23 @@ private Response requestAuthorization(
         applicationAuditLogger.sendMessage(oAuth2AuditLog);
         return builder.build();
     }
-
+
+    @Nullable
     private ResponseMode extractResponseMode(String request) {
-        JwtClaims jwtClaims = Jwt.parseSilently(request).getClaims();
+        final Jwt jwt = Jwt.parseSilently(request);
+        if (jwt == null) {
+            return null;
+        }
+        JwtClaims jwtClaims = jwt.getClaims();
         return ResponseMode.getByValue(jwtClaims.getClaimAsString("response_mode"));
     }
 
     private void fillRedirectUriResponseforJARM(RedirectUriResponse redirectUriResponse, Jwt jwt, Client client) {
         try {
+            if (jwt == null) {
+                return;
+            }
+
             JwtClaims jwtClaims = jwt.getClaims();
             String tempRedirectUri = jwtClaims.getClaimAsString("redirect_uri");
             if (tempRedirectUri != null) {

diff --git a/...ver/src/main/java/io/jans/as/server/authorize/ws/rs/AuthorizeRestWebServiceValidator.java b/...ver/src/main/java/io/jans/as/server/authorize/ws/rs/AuthorizeRestWebServiceValidator.java
@@ -38,7 +38,11 @@
 import javax.ws.rs.WebApplicationException;
 import javax.ws.rs.core.MediaType;
 import javax.ws.rs.core.Response;
-import java.util.*;
+import java.util.Calendar;
+import java.util.Date;
+import java.util.GregorianCalendar;
+import java.util.List;
+import java.util.TimeZone;
 
 import static io.jans.as.model.ciba.BackchannelAuthenticationErrorResponseType.INVALID_REQUEST;
 import static io.jans.as.model.crypto.signature.SignatureAlgorithm.NONE;
@@ -324,17 +328,14 @@ public String validateRedirectUri(@NotNull Client client, @Nullable String redir
                 .build());
     }
 
-	public void createInvalidJwtRequestExceptionAsJwtMode(RedirectUriResponse redirectUriResponse, String reason,
-			String state, HttpServletRequest httpRequest) {
-		if (appConfiguration.isFapi()) {
-			log.debug(reason); // in FAPI case log reason but don't send it since it's `reason` is not known
-			log.debug("Invalid JWT authorization request.");
-			redirectUriResponse.getRedirectUri().parseQueryString(errorResponseFactory
-					.getErrorAsQueryString(AuthorizeErrorResponseType.INVALID_REQUEST_OBJECT, state));
-			throw new WebApplicationException(
-					RedirectUtil.getRedirectResponseBuilder(redirectUriResponse.getRedirectUri(), httpRequest).build());
-		}
-	}
+    public void throwInvalidJwtRequestExceptionAsJwtMode(RedirectUriResponse redirectUriResponse, String reason, String state, HttpServletRequest httpRequest) {
+        log.debug(reason); // in FAPI case log reason but don't send it since it's `reason` is not known
+        log.debug("Invalid JWT authorization request.");
+        redirectUriResponse.getRedirectUri().parseQueryString(errorResponseFactory
+                .getErrorAsQueryString(AuthorizeErrorResponseType.INVALID_REQUEST_OBJECT, state));
+        throw new WebApplicationException(
+                RedirectUtil.getRedirectResponseBuilder(redirectUriResponse.getRedirectUri(), httpRequest).build());
+    }
 
     public WebApplicationException createInvalidJwtRequestException(RedirectUriResponse redirectUriResponse, String reason) {
         if (appConfiguration.isFapi()) {