[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[GitHub] rdebusscher closed pull request #1: fix NPE when No issuer for kid (no mapping and/or default issuer)

rdebusscher closed pull request #1: fix NPE when No issuer for kid (no mapping and/or default issuer)
URL: https://github.com/apache/geronimo-jwt-auth/pull/1

This is a PR merged from a forked repository.
As GitHub hides the original diff on merge, it is displayed below for
the sake of provenance:

As this is a foreign pull request (from a fork), the diff is supplied
below (as it won't show otherwise due to GitHub magic):

diff --git a/geronimo-jwt-auth-impl/src/main/java/org/apache/geronimo/microprofile/impl/jwtauth/jwt/JwtParser.java b/geronimo-jwt-auth-impl/src/main/java/org/apache/geronimo/microprofile/impl/jwtauth/jwt/JwtParser.java
index f32be4e..f9a9e08 100644
--- a/geronimo-jwt-auth-impl/src/main/java/org/apache/geronimo/microprofile/impl/jwtauth/jwt/JwtParser.java
+++ b/geronimo-jwt-auth-impl/src/main/java/org/apache/geronimo/microprofile/impl/jwtauth/jwt/JwtParser.java
@@ -86,7 +86,11 @@ public JsonWebToken parse(final String jwt) {
         final String alg = getAttribute(header, "alg", defaultAlg);
         final String kid = getAttribute(header, "kid", defaultKid);
-        if (!kidMapper.loadIssuer(kid).equals(payload.getString(Claims.iss.name()))) {
+        String issuer = kidMapper.loadIssuer(kid);
+        if (issuer == null) {
+            throw new JwtException("No issuer for kid (no mapping and/or default issuer)", HttpURLConnection.HTTP_UNAUTHORIZED);
+        }
+        if (!issuer.equals(payload.getString(Claims.iss.name()))) {
             throw new JwtException("Invalid issuer", HttpURLConnection.HTTP_UNAUTHORIZED);
         signatureValidator.verifySignature(alg, kidMapper.loadKey(kid), jwt.substring(0, secondDot), jwt.substring(secondDot + 1));


This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:

With regards,
Apache Git Services