This is an automated email from the ASF dual-hosted git repository.

jungm pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomee.git


The following commit(s) were added to refs/heads/main by this push:
     new 6c6a8059bb TOMEE-4592 - handle token refresh failure more gracefully
6c6a8059bb is described below

commit 6c6a8059bb05fb0d6eb478c9a593d877064db726
Author: Markus Jung <[email protected]>
AuthorDate: Fri Mar 20 15:34:59 2026 +0100

    TOMEE-4592 - handle token refresh failure more gracefully
---
 .../cdi/OpenIdAuthenticationMechanism.java         | 10 +++++---
 .../cdi/OpenIdAuthenticationMechanismTest.java     | 28 ++++++++++++++++++++--
 2 files changed, 33 insertions(+), 5 deletions(-)

diff --git 
a/tomee/tomee-security/src/main/java/org/apache/tomee/security/cdi/OpenIdAuthenticationMechanism.java
 
b/tomee/tomee-security/src/main/java/org/apache/tomee/security/cdi/OpenIdAuthenticationMechanism.java
index 23b7c97ae9..8c1ae5b548 100644
--- 
a/tomee/tomee-security/src/main/java/org/apache/tomee/security/cdi/OpenIdAuthenticationMechanism.java
+++ 
b/tomee/tomee-security/src/main/java/org/apache/tomee/security/cdi/OpenIdAuthenticationMechanism.java
@@ -167,7 +167,11 @@ public class OpenIdAuthenticationMechanism implements 
HttpAuthenticationMechanis
     protected AuthenticationStatus refreshTokens(HttpServletRequest request, 
HttpServletResponse response, HttpMessageContext httpMessageContext) {
         try (Client client = ClientBuilder.newClient()) {
             RefreshToken refreshToken = openIdContext.getRefreshToken()
-                    .orElseThrow(() -> new IllegalArgumentException("Cannot 
refresh tokens, no refresh_token received"));
+                    .orElse(null);
+
+            if (refreshToken == null) {
+                throw new IllegalStateException("Cannot refresh tokens, no 
refresh_token received");
+            }
 
             Form form = new Form()
                     .param(OpenIdConstant.CLIENT_ID, definition.clientId())
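Review bot: The `.orElse(null)` followed by `if (refreshToken == null) throw …` re-implements what `Optional.orElseThrow` already did on the removed line; the new exception type can be kept in the shorter form, `RefreshToken refreshToken = openIdContext.getRefreshToken().orElseThrow(() -> new IllegalStateException("Cannot refresh tokens, no refresh_token received"));`. Either way the throw exists only to reach the catch-all further down in refreshTokens, which (per the second hunk of this file) cleans the subject and returns SEND_FAILURE, so a one-line comment on the throw would spare the next reader a search, e.g. `// caught below: the subject is cleaned and SEND_FAILURE is returned`. The rest of refreshTokens, including that catch block, lies outside this hunk.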
@@ -182,9 +186,9 @@ public class OpenIdAuthenticationMechanism implements 
HttpAuthenticationMechanis
             return handleTokenResponse(tokenResponse, httpMessageContext);
 
         } catch (Exception e) {
+            LOGGER.warning("Token refresh failed, logging out the current 
subject", e);
             cleanSubject(request, response, httpMessageContext);
-
-            throw e;
+            return AuthenticationStatus.SEND_FAILURE;
         }
     }
 
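Review bot: If `cleanSubject` itself throws inside the new catch block, the exception escapes `refreshTokens` and the method no longer returns SEND_FAILURE, which is exactly the path this commit set out to remove; the catch-all covers the refresh attempt but not the cleanup that follows it. The accompanying test stubs `cleanSubject` to a no-op, so this path is never exercised. Since the intent is fail-closed (drop the current subject, report failure), the cleanup should be guarded so that a cleanup error is logged and the failure status is still returned, as below. One more thing to confirm: the exception logged at WARNING may originate from the token-endpoint exchange in `handleTokenResponse` and could carry response details in its message; check that nothing token-bearing can end up in the log, and if it can, log only the exception class and a fixed message.
```java
        } catch (Exception e) {
            LOGGER.warning("Token refresh failed, logging out the current subject", e);
            try {
                cleanSubject(request, response, httpMessageContext);
            } catch (RuntimeException cleanupFailure) {
                // still fail closed: the refresh already failed, so report SEND_FAILURE even if cleanup did too
                LOGGER.warning("Could not clean the subject after a failed token refresh", cleanupFailure);
            }
            return AuthenticationStatus.SEND_FAILURE;
        }
```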
diff --git 
a/tomee/tomee-security/src/test/java/org/apache/tomee/security/cdi/OpenIdAuthenticationMechanismTest.java
 
b/tomee/tomee-security/src/test/java/org/apache/tomee/security/cdi/OpenIdAuthenticationMechanismTest.java
index 00afb9a7cf..5f8b369aa5 100644
--- 
a/tomee/tomee-security/src/test/java/org/apache/tomee/security/cdi/OpenIdAuthenticationMechanismTest.java
+++ 
b/tomee/tomee-security/src/test/java/org/apache/tomee/security/cdi/OpenIdAuthenticationMechanismTest.java
@@ -31,6 +31,8 @@ import org.mockito.Mock;
 import jakarta.enterprise.context.ApplicationScoped;
 import jakarta.enterprise.inject.Vetoed;
 import jakarta.inject.Inject;
+import jakarta.security.enterprise.AuthenticationStatus;
+import 
jakarta.security.enterprise.authentication.mechanism.http.HttpMessageContext;
 import 
jakarta.security.enterprise.authentication.mechanism.http.OpenIdAuthenticationMechanismDefinition;
 import 
jakarta.security.enterprise.authentication.mechanism.http.openid.DisplayType;
 import 
jakarta.security.enterprise.authentication.mechanism.http.openid.PromptType;
@@ -40,11 +42,12 @@ import jakarta.servlet.http.HttpServletResponse;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertThrows;
 import static org.junit.Assert.assertTrue;
+import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.when;
 
 @Vetoed
 @RunWith(ApplicationComposer.class)
-@Classes(cdi = true, value = {OpenIdAuthenticationMechanism.class, 
TomEEOpenIdContext.class, 
OpenIdAuthenticationMechanismTest.SimpleStorageHandler.class})
+@Classes(cdi = true, value = 
{OpenIdAuthenticationMechanismTest.TestOpenIdAuthenticationMechanism.class, 
TomEEOpenIdContext.class, 
OpenIdAuthenticationMechanismTest.SimpleStorageHandler.class})
 public class OpenIdAuthenticationMechanismTest {
 
     @Inject
@@ -72,6 +75,8 @@ public class OpenIdAuthenticationMechanismTest {
         when(definition.display()).thenReturn(null);
         when(definition.prompt()).thenReturn(new PromptType[0]);
         when(definition.extraParameters()).thenReturn(new String[0]);
+        when(definition.logout().notifyProvider()).thenReturn(false);
+        when(definition.logout().redirectURI()).thenReturn("");
     }
 
     @Test
@@ -140,6 +145,25 @@ public class OpenIdAuthenticationMechanismTest {
         assertThrows(IllegalArgumentException.class, () -> 
authenticationMechanism.buildAuthorizationUri(null, null));
     }
 
+    @Test
+    public void refreshTokenFailureDoesNotThrow() {
+        HttpServletRequest request = mock(HttpServletRequest.class);
+        HttpServletResponse response = mock(HttpServletResponse.class);
+        HttpMessageContext messageContext = mock(HttpMessageContext.class, 
Answers.RETURNS_DEEP_STUBS);
+        when(request.getRequestURL()).thenReturn(new 
StringBuffer("https://example.com/app";));
+
+        assertEquals(AuthenticationStatus.SEND_FAILURE,
+                authenticationMechanism.refreshTokens(request, response, 
messageContext));
+    }
+
+    @ApplicationScoped
+    public static class TestOpenIdAuthenticationMechanism extends 
OpenIdAuthenticationMechanism {
+        @Override
+        public void cleanSubject(HttpServletRequest request, 
HttpServletResponse response, HttpMessageContext httpMessageContext) {
+            // no-op for this focused failure-path test
+        }
+    }
+
     @ApplicationScoped
     protected static class SimpleStorageHandler extends OpenIdStorageHandler {
 
@@ -170,4 +194,4 @@ public class OpenIdAuthenticationMechanismTest {
 
         }
     }
-}
\ No newline at end of file
+}
