I believe this is a bug. However, I found a way to work around it: just subclass AwsVerifier and override the verify() method. Make sure and copy the code from the superclass verify() into the subclass, but change it as follows:
public class NewAwsVerifier extends AwsVerifier {
public NewAwsVerifier(LocalVerifier wrappedVerifier) {
super(wrappedVerifier);
}
...
@Override
public int verify(Request request, Response response) {
...
char[] userSecret = getLocalSecret(userId);
if (userSecret == null) {
// If there is no userSecret for the given userId then the
// request probably specified a user that doesn't exist
// and using that userID in the getS3Signature call
// will result in a NullPointerException, so we intercept it here
return RESULT_INVALID;
}
char[] signature = getSecret(request, response);
String sigToCompare = AwsUtils.getS3Signature(request, userSecret);
...
}
}
Then make sure you use this new Verifier:
MapVerifier verifier = new MapVerifier();
NewAwsVerifier newVerifier = new NewAwsVerifier(verifier);
// Get passwords from a more secure source (only here for illustration)!
verifier.getLocalSecrets().put("accessKey", "secretKey".toCharArray());
auth.setVerifier(newVerifier);
Now if you specify an access key that doesn't exist in the server secrets, you will be denied access gracefully instead of receiving a HTTP 500 Internal Server Error.