JNDIRealm bug

Jess Holle Fri, 14 Nov 2014 11:28:04 -0800

I just moved from Tomcat 7.0.56 to 8.0.15.

I tried out form-based authentication using CombinedRealm of 2 JNDIRealms.


I get:

java.lang.NullPointerException
        org.apache.catalina.realm.JNDIRealm.getUser(JNDIRealm.java:1286)
        org.apache.catalina.realm.JNDIRealm.getUser(JNDIRealm.java:1236)
        org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:1177)
        org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:1052)
        
org.apache.catalina.realm.CombinedRealm.authenticate(CombinedRealm.java:157)
        
org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:272)
        
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:452)
        
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
        
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:537)
        
org.apache.coyote.ajp.AbstractAjpProcessor.process(AbstractAjpProcessor.java:831)
        
org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:658)
        
org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:277)
        
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
        
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
        
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        java.lang.Thread.run(Thread.java:745)

This tracks directly to the following code added between these two releases:

        if (userPassword == null && credentials != null) {
            // The password is available. Insert it since it may be required for
            // role searches.
            return new User(user.getUserName(), user.getDN(), credentials,
                    user.getRoles(), user.getUserRoleId());
        }

The new User(...) line is the bad one. Earlier in the method there wasa search for a user:


        if (userPatternFormatArray != null && curUserPattern >= 0) {
            user = getUserByPattern(context, username, credentials, attrIds, 
curUserPattern);
        } else {
            user = getUserBySearch(context, username, attrIds);
        }

but there's no null check in between these two bodies of code, so thisis an obvious source of NPE's.


I'll patch this in my own Tomcat, but I wanted to notify the community so:

1. I don't have to maintain this patch long term and
2. The Tomcat community can review the correctness/sanity of this code
   change and decide whether the correct fix is simply adding a null
   check or something larger.

--
Jess Holle

JNDIRealm bug

Reply via email to