Bugs item #1014373, was opened at 2004-08-23 07:25
Message generated for change (Comment added) made by starksm
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=376685&aid=1014373&group_id=22866

Category: JBossSX
Group: v3.2
>Status: Closed
>Resolution: Fixed
Priority: 9
Submitted By: Johan Hammar (daemon23)
Assigned to: Scott M Stark (starksm)
>Summary: Incorrect principal used in lookup in getCachingPrincpal()

Initial Comment:
When the CallerPrincipal is not a descendant of SimplePrincipal and implements its own hashCode() and equals() methods in a different way than SimplePrincipal, an NPE is thrown in JBossSecurityMgrRealm.getCachingPrincpal().
The reason for this is that TimedCachePolicy uses an internal HashMap in which it uses the incoming Principal objects as keys and trusts their hashCode() and equals() implementations to be compatible with the implementations of SimplePrincipal.
Nothing is stated about the requirements for the hashCode() and equals() implementations in the java.security.Principal interface documentation, so they should not be trusted.

Here is the stacktrace of the NPE:

java.lang.NullPointerException
        at org.jboss.web.tomcat.security.JBossSecurityMgrRealm.getCachingPrincpal(JBossSecurityMgrRealm.java:459)
        at org.jboss.web.tomcat.security.JBossSecurityMgrRealm.authenticate(JBossSecurityMgrRealm.java:286)
        at org.apache.catalina.authenticator.BasicAuthenticator.authenticate(BasicAuthenticator.java:129)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:504)
        at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:102)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:137)
        at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
        at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:102)
        at org.jboss.web.tomcat.tc5.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:92)
        at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:102)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
        at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:929)
        at org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:160)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:799)
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:705)
        at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:577)
        at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:683)
        at java.lang.Thread.run(Unknown Source)


/Johan Hammar



----------------------------------------------------------------------

>Comment By: Scott M Stark (starksm)
Date: 2004-08-27 23:12

Message:
Logged In: YES 
user_id=175228

The principal used for authentication is now used to lookup
the associated roles.

----------------------------------------------------------------------

Comment By: Johan Hammar (daemon23)
Date: 2004-08-26 10:10

Message:
Logged In: YES 
user_id=811429

OK.
I have attached an example of a custom principal in this follow-up.

/Johan Hammar

----------------------------------------------------------------------

Comment By: Scott M Stark (starksm)
Date: 2004-08-26 08:48

Message:
Logged In: YES 
user_id=175228

So give me an example of the custom principal in question.

----------------------------------------------------------------------

Comment By: Johan Hammar (daemon23)
Date: 2004-08-26 08:14

Message:
Logged In: YES 
user_id=811429

The null-check is a good improvement. However, in this particular case it will actually hide the root problem even more. Under the conditions I mentioned above, a user with a set of assigned roles will now be successfully authenticated, but the roles will be lost in the process of authentication.
To clarify this I have attached a file containing three stacktraces, all including a stackframe of JBossSecurityMgrRealm.authenticate(). The line numbers are still from 3.2.6RC1.

The first stacktrace shows how an instance of SimplePrincipal gets inserted as a key into the internal HashMap of TimedCachePolicy.

The second stacktrace shows how the same SimplePrincipal instance is used to look up the actual CallerPrincipal instance. The CallerPrincipal is found and returned in JaasSecurityManager line 276. At this point the Principal reference in JBossSecurityMgrRealm.authenticate() is switched and now references the found CallerPrincipal instance.

The third stacktrace shows how JBossSecurityMgrRealm.getCachingPrincpal() tries to get the roles assigned to the user by sending the CallerPrincipal instance as argument to RealmMapping.getUserRoles(). This call ends up in a lookup in the HashMap of TimedCachePolicy mentioned earlier. Since the hashCode/equals implementation of the CallerPrincipal yields different results than SimplePrincipal, the lookup fails. Consequently, the roles reference returned to JBossSecurityMgrRealm.getCachingPrincpal() is null.

/Johan Hammar
  

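The failure mode described in the thread (a role cache keyed by the Principal passed to authenticate() and then queried with a differently-typed CallerPrincipal) and the fix starksm reports, as an added Java example that is not part of this thread or of the JBoss code base. NamePrincipal, TenantPrincipal and roleCache are constructed stand-ins for SimplePrincipal, a hypothetical custom CallerPrincipal and the TimedCachePolicy HashMap.

```java
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

// Stand-in for SimplePrincipal: equality and hash are by name only.
final class NamePrincipal implements Principal {
    private final String name;
    NamePrincipal(String name) { this.name = name; }
    public String getName() { return name; }
    @Override public boolean equals(Object o) {
        return o instanceof NamePrincipal && name.equals(((NamePrincipal) o).name);
    }
    @Override public int hashCode() { return name.hashCode(); }
}

// Stand-in for a custom CallerPrincipal (hypothetical): equality also covers a tenant
// field and the instanceof test rejects NamePrincipal, so the two types never compare equal.
final class TenantPrincipal implements Principal {
    private final String name, tenant;
    TenantPrincipal(String name, String tenant) { this.name = name; this.tenant = tenant; }
    public String getName() { return name; }
    @Override public boolean equals(Object o) {
        if (!(o instanceof TenantPrincipal)) return false;
        TenantPrincipal p = (TenantPrincipal) o;
        return name.equals(p.name) && tenant.equals(p.tenant);
    }
    @Override public int hashCode() { return 31 * name.hashCode() + tenant.hashCode(); }
}

public class PrincipalCacheDemo {
    // Stand-in for the TimedCachePolicy HashMap, keyed by the Principal handed to authenticate().
    static final Map<Principal, Set<String>> roleCache = new HashMap<>();
    // Roles lookup as the realm performs it; null means the cache missed.
    static Set<String> getUserRoles(Principal key) { return roleCache.get(key); }

    public static void main(String[] args) {
        Principal authPrincipal = new NamePrincipal("alice");             // built from the HTTP credentials
        Principal callerPrincipal = new TenantPrincipal("alice", "acme"); // returned by the login module
        roleCache.put(authPrincipal, Set.of("user", "admin"));            // constructed sample roles

        // Buggy flow: authenticate() swaps its reference to the CallerPrincipal and
        // getCachingPrincpal() queries the cache with it. Different equals/hashCode means
        // a miss: null roles, hence the NPE, or silently empty roles once a null check is added.
        System.out.println("roles via CallerPrincipal:          " + getUserRoles(callerPrincipal));

        // Fixed flow: keep using the principal that was used for authentication as the key.
        System.out.println("roles via authentication principal: " + getUserRoles(authPrincipal));
    }
}
```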
----------------------------------------------------------------------

Comment By: Scott M Stark (starksm)
Date: 2004-08-23 14:07

Message:
Logged In: YES 
user_id=175228

It's not clear this is due to the principal equals/hashCode implementation. There was an expectation that an authenticated user has associated roles, and if this was not the case the NPE resulted. The NPE has been addressed.

----------------------------------------------------------------------



_______________________________________________
JBoss-Development mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/jboss-development
