[ http://issues.apache.org/jira/browse/GERONIMO-646?page=comments#action_66426 ] Jeff Genender commented on GERONIMO-646: ----------------------------------------
For the JAASJettyRealm, I altered your patches slightly. I changed the isUserInRole to test if the user or role is null and return false if so. Tomcat handles it this way. Thanks for the heads up on this. The empty String for a role should be caught by the checkPermission() call right afterwards. Relative to the WebRoleRefPermission, the JavaDoc/spec makes no mention of an IllegalArgumentException that should be thrown. Although an IllegalArgumentException is a RuntimeException, so its not required to be documented as thrown...Sun is pretty good at describing when an IllegalArgumentException should be thrown. What I am getting at here is the WebRoleRefPermission is a Sun spec class and I would want to get adc and/or David Jencks' input on this before I would consider implementing this change. In the mean time, the above patch for the JAASJettyRealm should prevent this from getting called in any case, since a null role would never make it to the WebRoleRefPermission. > Servlet calling HttpServletRequest.isUserInRole(null) causes NPE using Jetty > container > -------------------------------------------------------------------------------------- > > Key: GERONIMO-646 > URL: http://issues.apache.org/jira/browse/GERONIMO-646 > Project: Geronimo > Type: Bug > Components: web > Versions: 1.0-M4 > Environment: All > Reporter: Tom McQueeney > Priority: Minor > Attachments: JAASJettyRealm-patch.txt, WebRoleRefPermission-patch.txt, > WebRoleRefPermissionTest-patch.txt > > The servlet isUserInRole call eventually gets delegated to > org.apache.geronimo.jetty.JAASJettyRealm.isUserInRole, which causes a NPE in > javax.security.jacc.WebRoleRefPermission.hashCode(). > JAASJettyRealm.isUserInRole creates a WebRoleRefPermission, passing it the > null role that it was passed, then delegates the role check to > java.security.AccessControlContext.checkPermission, passing it the > WebRoleRefPermission. > When the web role ref permission gets checked, eventually its hashcode method > is called, > which tries to compute the hash by getting the hashcode of the (null) role > name, > which throws the NPE. -- This message is automatically generated by JIRA. - If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa - For more information on JIRA, see: http://www.atlassian.com/software/jira
