https://bz.apache.org/bugzilla/show_bug.cgi?id=70050
Bug ID: 70050
Summary: NPE in org.apache.coyote.http2.Http2Parser during HTTP2 Basic-Auth flow
Product: Tomcat 11
Version: 11.0.22
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: Catalina
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: -------
Created attachment 40181
--> https://bz.apache.org/bugzilla/attachment.cgi?id=40181&action=edit
Log output during http basic auth flow
Hi,
since updating from 11.0.21 to 11.0.22 I'm experiencing strange behavior in
some of my unit tests.
We use tomcat-embed-core and configure HTTP as follows:
---
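import org.apache.catalina.connector.Connector;
import org.apache.coyote.http2.Http2Protocol;

// tomcat is the embedded org.apache.catalina.startup.Tomcat instance
Connector connector = new Connector();
connector.setPort(8080);
// Offer HTTP/2 as an upgrade protocol on this connector
connector.addUpgradeProtocol(new Http2Protocol());
connector.setSecure(false);
tomcat.getService().addConnector(connector);
// Enable basic auth with SimpleRealm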
---
The test uses the java.net.http HttpClient with an authenticator set and version
HTTP2.0.
So non-preemptive authentication: the first request goes without an Authorization
header, resulting in a 401, and then the client retries with Authorization.
The client/user is expected to "pass" authentication and authorization (so
effectively a "final" status code of 200 is expected).
With Tomcat 11.0.22 this test fails. With 11.0.21 it worked.
The client just receives an IOException "EOF reached while reading" (in case of
11.0.22).
After enabling debug output, I saw the following NPE, which seems to relate to this change:
https://github.com/apache/tomcat/commit/f5567591240cdd3c087e37db49f2a48524ba8ef6#diff-30a0a7f67d009079f71383913f933b7f16932c75f2854af8dc3a8a1f54e0d4d7R671
---
Connection [0]
java.lang.NullPointerException: Cannot invoke "org.apache.coyote.http2.HpackDecoder.clearHeaderEmitter()" because "this.hpackDecoder" is null
    at org.apache.coyote.http2.Http2Parser.afterHeadersCompleteCleanUp(Http2Parser.java:673)
    at org.apache.coyote.http2.Http2Parser.readRstFrame(Http2Parser.java:311)
    at org.apache.coyote.http2.Http2AsyncParser$FrameCompletionHandler.completed(Http2AsyncParser.java:260)
    at org.apache.coyote.http2.Http2AsyncParser$FrameCompletionHandler.completed(Http2AsyncParser.java:167)
    at org.apache.tomcat.util.net.SocketWrapperBase$VectoredIOCompletionHandler.completed(SocketWrapperBase.java:1059)
    at org.apache.tomcat.util.net.NioEndpoint$NioSocketWrapper$NioOperationState.run(NioEndpoint.java:1719)
    at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:946)
    at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:480)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:57)
    at java.base/java.lang.Thread.run(Thread.java:1474)
---
FYI: Basic-Auth seems to work in the following situations:
* In case HTTP/1.1 is used by the client
* Without adding Http2Protocol() (falling back to HTTP/1.1, too)
* Preemptive authentication (sending Authorization Basic with every request)
* (Seems) to work with an HTTPS connector (not sure if something else is
different, as I have not set up TLS locally yet)
I attached a more verbose log with org.apache.coyote.http2 on trace.
If it helps, I can provide a simplified project reproducing the issue.