Re: JNDIRealm bug

Fri, 14 Nov 2014 12:50:33 -0800 

Jess,

https://issues.apache.org/bugzilla/show_bug.cgi?id=57208

On 11/14/14 2:25 PM, Jess Holle wrote:
> I just moved from Tomcat 7.0.56 to 8.0.15.
> 
> I tried out form-based authentication using CombinedRealm of 2 JNDIRealms.
> 
> I get:
> 
> java.lang.NullPointerException
>     org.apache.catalina.realm.JNDIRealm.getUser(JNDIRealm.java:1286)
>     org.apache.catalina.realm.JNDIRealm.getUser(JNDIRealm.java:1236)
>     org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:1177)
>     org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:1052)
>     
> org.apache.catalina.realm.CombinedRealm.authenticate(CombinedRealm.java:157)
> 
>     
> org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:272)
> 
>     
> org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:452)
> 
>     
> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
> 
>     
> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:537)
> 
>     
> org.apache.coyote.ajp.AbstractAjpProcessor.process(AbstractAjpProcessor.java:831)
> 
>     
> org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:658)
> 
>     
> org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:277)
> 
>     
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
> 
>     
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
> 
>     
> org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
> 
>     java.lang.Thread.run(Thread.java:745)
> 
> This tracks directly to the following code added between these two
> releases:
> 
>         if (userPassword == null && credentials != null) {
>             // The password is available. Insert it since it may be
> required for
>             // role searches.
>             return new User(user.getUserName(), user.getDN(), credentials,
>                     user.getRoles(), user.getUserRoleId());
>         }
> 
> The new User(...) line is the bad one.  Earlier in the method there was
> a search for a user:
> 
>         if (userPatternFormatArray != null && curUserPattern >= 0) {
>             user = getUserByPattern(context, username, credentials,
> attrIds, curUserPattern);
>         } else {
>             user = getUserBySearch(context, username, attrIds);
>         }
> 
> but there's no null check in between these two bodies of code, so this
> is an obvious source of NPE's.
> 
> I'll patch this in my own Tomcat, but I wanted to notify the community so:
> 
> 1. I don't have to maintain this patch long term and
> 2. The Tomcat community can review the correctness/sanity of this code
>    change and decide whether the correct fix is simply adding a null
>    check or something larger.
> 
> -- 
> Jess Holle
> 
>

Attachment: signature.asc
Description: OpenPGP digital signature

Reply via email to