Possible bug in AwsVerifier in Restlet Framework

Question

While trying to get Amazon S3 authentication working for my RESTful web service, my testing flushed out a possible bug in the Verifier for S3 auth. If you specify an access key that does not exist in the server secrets, the AwsVerifier throws a NullPointerException which results in an HTTP 500 Internal Server Error. The problem begins on line 233 of AwsVerifier.java:

char[] userSecret = getLocalSecret(userId);

If the userId does not exist in the local secrets (i.e an access key that does not exist in the server secrets map) then there is no associated secret, so userSecret becomes null. When AwsVerifier calls getS3Signature() on line 235:

String sigToCompare = AwsUtils.getS3Signature(request, userSecret);

you get the NullPointerException. This seems like a bug to me...anyone agree/disagree?

Answer 1

I believe this is a bug. However, I found a way to work around it: just subclass AwsVerifier and override the verify() method. Make sure and copy the code from the superclass verify() into the subclass, but change it as follows:

public class NewAwsVerifier extends AwsVerifier {
    public NewAwsVerifier(LocalVerifier wrappedVerifier) {
        super(wrappedVerifier);
    }
    ...
    @Override
    public int verify(Request request, Response response) {
    ...
        char[] userSecret = getLocalSecret(userId);
        if (userSecret == null) {
            // If there is no userSecret for the given userId then the
            // request probably specified a user that doesn't exist
            // and using that userID in the getS3Signature call
            // will result in a NullPointerException, so we intercept it here
            return RESULT_INVALID;
        }
        char[] signature = getSecret(request, response);
        String sigToCompare = AwsUtils.getS3Signature(request, userSecret);
    ...
    }
}

Then make sure you use this new Verifier:

MapVerifier verifier = new MapVerifier();
NewAwsVerifier newVerifier = new NewAwsVerifier(verifier);

// Get passwords from a more secure source (only here for illustration)!
verifier.getLocalSecrets().put("accessKey", "secretKey".toCharArray());
auth.setVerifier(newVerifier);

Now if you specify an access key that doesn't exist in the server secrets, you will be denied access gracefully instead of receiving a HTTP 500 Internal Server Error.