Github user mike-jumper commented on a diff in the pull request: https://github.com/apache/guacamole-client/pull/242#discussion_r165832875 --- Diff: extensions/guacamole-auth-radius/src/main/java/org/apache/guacamole/auth/radius/AuthenticationProviderService.java --- @@ -155,9 +157,10 @@ public AuthenticatedUser authenticateUser(Credentials credentials) // This is a response to a previous challenge, authenticate with that. else { try { + byte[] stateBytes = javax.xml.bind.DatatypeConverter.parseHexBinary(request.getParameter(RadiusStateField.PARAMETER_NAME)); --- End diff -- I'd like to also mention that this will likely throw a `NullPointerException` if the state field is not present in the request. At best, the behavior of [`parseHexBinary()`](https://docs.oracle.com/javase/7/docs/api/javax/xml/bind/DatatypeConverter.html#parseHexBinary(java.lang.String)) is not defined for the case where its sole parameter is `null`. The potential lack of the parameter in the request should probably be dealt with.
---