SECOAUTH-349: add safe handling for access token collection finders

spring-attic · Oct 30, 2012 · 0d3ed66 · 0d3ed66
1 parent 2112c4e
commit 0d3ed66
Showing 1 changed file with 29 additions and 12 deletions.
diff --git a/...uth2/src/main/java/org/springframework/security/oauth2/provider/token/JdbcTokenStore.java b/...uth2/src/main/java/org/springframework/security/oauth2/provider/token/JdbcTokenStore.java
@@ -9,6 +9,7 @@
 import java.sql.Types;
 import java.util.ArrayList;
 import java.util.Collection;
+import java.util.List;
 
 import javax.sql.DataSource;
 
@@ -269,43 +270,47 @@ public void removeAccessTokenUsingRefreshToken(String refreshToken) {
 	}
 
 	public Collection<OAuth2AccessToken> findTokensByClientId(String clientId) {
-		Collection<OAuth2AccessToken> accessTokens = new ArrayList<OAuth2AccessToken>();
+		List<OAuth2AccessToken> accessTokens = new ArrayList<OAuth2AccessToken>();
 
 		try {
-			accessTokens = jdbcTemplate.query(selectAccessTokensFromClientIdSql, new RowMapper<OAuth2AccessToken>() {
-				public OAuth2AccessToken mapRow(ResultSet rs, int rowNum) throws SQLException {
-					return deserializeAccessToken(rs.getBytes(2));
-				}
-			}, clientId);
+			accessTokens = jdbcTemplate.query(selectAccessTokensFromClientIdSql, new SafeAccessTokenRowMapper(), clientId);
 		}
 		catch (EmptyResultDataAccessException e) {
 			if (LOG.isInfoEnabled()) {
 				LOG.info("Failed to find access token for clientId " + clientId);
 			}
 		}
+		accessTokens = removeNulls(accessTokens);
 
 		return accessTokens;
 	}
 
 	public Collection<OAuth2AccessToken> findTokensByUserName(String userName) {
-		Collection<OAuth2AccessToken> accessTokens = new ArrayList<OAuth2AccessToken>();
+		List<OAuth2AccessToken> accessTokens = new ArrayList<OAuth2AccessToken>();
 
 		try {
-			accessTokens = jdbcTemplate.query(selectAccessTokensFromUserNameSql, new RowMapper<OAuth2AccessToken>() {
-				public OAuth2AccessToken mapRow(ResultSet rs, int rowNum) throws SQLException {
-					return deserializeAccessToken(rs.getBytes(2));
-				}
-			}, userName);
+			accessTokens = jdbcTemplate.query(selectAccessTokensFromUserNameSql, new SafeAccessTokenRowMapper(), userName);
 		}
 		catch (EmptyResultDataAccessException e) {
 			if (LOG.isInfoEnabled()) {
 				LOG.info("Failed to find access token for userName " + userName);
 			}
 		}
+		accessTokens = removeNulls(accessTokens);
 
 		return accessTokens;
 	}
 
+	private List<OAuth2AccessToken> removeNulls(List<OAuth2AccessToken> accessTokens) {
+		List<OAuth2AccessToken> tokens = new ArrayList<OAuth2AccessToken>();
+		for (OAuth2AccessToken token : accessTokens) {
+			if (token!=null) {
+				tokens.add(token);
+			}
+		}
+		return tokens;
+	}
+
 	protected String extractTokenKey(String value) {
 		if (value==null) {
 			return null;
@@ -327,6 +332,18 @@ protected String extractTokenKey(String value) {
 		}
 	}
 
+	private final class SafeAccessTokenRowMapper implements RowMapper<OAuth2AccessToken> {
+		public OAuth2AccessToken mapRow(ResultSet rs, int rowNum) throws SQLException {
+			try {
+				return deserializeAccessToken(rs.getBytes(2));
+			} catch (IllegalArgumentException e) {
+				String token = rs.getString(1);
+				jdbcTemplate.update(deleteAccessTokenSql, token);
+				return null;
+			}
+		}
+	}
+
 	protected byte[] serializeAccessToken(OAuth2AccessToken token) {
 		return SerializationUtils.serialize(token);
 	}