[jira] Commented: (GERONIMO-646) Servlet calling HttpServletRequest.isUserInRole(null) causes NPE using Jetty container
[ http://issues.apache.org/jira/browse/GERONIMO-646?page=comments#action_12455911 ]

Vamsavardhana Reddy commented on GERONIMO-646:
----------------------------------------------

As of rev 482955 in branches\1.2:

JAASJettyRealm.java

    public boolean isUserInRole(Principal user, String role) {
        return internalJAASJettyRealm.isUserInRole(user, role);
    }

InternalJAASJettyRealm.java

    public boolean isUserInRole(Principal user, String role) {
        if (user == null || role == null) {
            return false;
        }
        ...
    }

JAASJettyRealm seems to have been fixed. Do we need to fix WebRoleRefPermission too?

> Servlet calling HttpServletRequest.isUserInRole(null) causes NPE using Jetty container
> --------------------------------------------------------------------------------------
>
>                 Key: GERONIMO-646
>                 URL: http://issues.apache.org/jira/browse/GERONIMO-646
>             Project: Geronimo
>          Issue Type: Bug
>          Components: web
>    Affects Versions: 1.0-M4
>         Environment: All
>            Reporter: Tom McQueeney
>         Assigned To: Alan Cabrera
>            Priority: Minor
>             Fix For: 1.2
>         Attachments: JAASJettyRealm-patch.txt, WebRoleRefPermission-patch.txt, WebRoleRefPermissionTest-patch.txt
>
> The servlet isUserInRole call eventually gets delegated to org.apache.geronimo.jetty.JAASJettyRealm.isUserInRole, which causes an NPE in javax.security.jacc.WebRoleRefPermission.hashCode().
>
> JAASJettyRealm.isUserInRole creates a WebRoleRefPermission, passing it the null role that it was passed, then delegates the role check to java.security.AccessControlContext.checkPermission, passing it the WebRoleRefPermission. When the web role ref permission gets checked, eventually its hashCode method is called, which tries to compute the hash by getting the hashCode of the (null) role name, which throws the NPE.

--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] Commented: (GERONIMO-646) Servlet calling HttpServletRequest.isUserInRole(null) causes NPE using Jetty container
[ http://issues.apache.org/jira/browse/GERONIMO-646?page=comments#action_12449846 ]

Matt Hogstrom commented on GERONIMO-646:
----------------------------------------

Jeff...is this still an issue?
[jira] Commented: (GERONIMO-646) Servlet calling HttpServletRequest.isUserInRole(null) causes NPE using Jetty container
[ http://issues.apache.org/jira/browse/GERONIMO-646?page=comments#action_66426 ]

Jeff Genender commented on GERONIMO-646:
----------------------------------------

For the JAASJettyRealm, I altered your patches slightly. I changed the isUserInRole to test if the user or role is null and return false if so. Tomcat handles it this way. Thanks for the heads-up on this. The empty String for a role should be caught by the checkPermission() call right afterwards.

Relative to the WebRoleRefPermission, the JavaDoc/spec makes no mention of an IllegalArgumentException that should be thrown. Although an IllegalArgumentException is a RuntimeException, so it's not required to be documented as thrown...Sun is pretty good at describing when an IllegalArgumentException should be thrown. What I am getting at here is the WebRoleRefPermission is a Sun spec class and I would want to get adc and/or David Jencks' input on this before I would consider implementing this change. In the meantime, the above patch for the JAASJettyRealm should prevent this from getting called in any case, since a null role would never make it to the WebRoleRefPermission.
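The failure path in the report and the guard Jeff describes, as an added example that is not code from the Geronimo project or from the JIRA attachments. RoleCheckDemo, RoleRefPermission and the GRANTED set are constructed stand-ins (the set plays the part of the AccessControlContext.checkPermission lookup); only the null-check logic mirrors what the thread states.

```java
import java.security.Principal;
import java.util.Set;

public class RoleCheckDemo {
    // Constructed stand-in for javax.security.jacc.WebRoleRefPermission: as in the
    // real class, hashCode() is derived from the role name, so a null role throws.
    static final class RoleRefPermission {
        final String servlet, role;
        RoleRefPermission(String servlet, String role) { this.servlet = servlet; this.role = role; }
        @Override public int hashCode() { return servlet.hashCode() * 31 + role.hashCode(); } // NPE if role == null
        @Override public boolean equals(Object o) {
            return o instanceof RoleRefPermission && ((RoleRefPermission) o).servlet.equals(servlet)
                    && ((RoleRefPermission) o).role.equals(role);
        }
    }

    // Constructed grant table; contains() hashes the permission while looking it up,
    // which is where checkPermission() hits the NPE in the report.
    static final Set<RoleRefPermission> GRANTED = Set.of(new RoleRefPermission("demo", "admin"));

    // Before the fix: the null role is wrapped in a permission and reaches hashCode() unchecked.
    static boolean isUserInRoleUnguarded(Principal user, String role) {
        return GRANTED.contains(new RoleRefPermission("demo", role));
    }

    // After the fix (the null test Jeff describes, as Tomcat does): a null user or a null
    // role is simply "not in role". An empty role is not special-cased; it falls through
    // to the permission check, which rejects it because nothing is granted for "".
    static boolean isUserInRole(Principal user, String role) {
        if (user == null || role == null) {
            return false;
        }
        return GRANTED.contains(new RoleRefPermission("demo", role));
    }

    public static void main(String[] args) {
        Principal alice = () -> "alice";                       // minimal Principal for the demo
        System.out.println("admin:  " + isUserInRole(alice, "admin"));   // granted role
        System.out.println("empty:  " + isUserInRole(alice, ""));        // left to the permission check
        System.out.println("null:   " + isUserInRole(alice, null));      // stopped by the guard
        System.out.println("nouser: " + isUserInRole(null, "admin"));    // stopped by the guard
        try {
            isUserInRoleUnguarded(alice, null);                // the 1.0-M4 behaviour from the report
        } catch (NullPointerException e) {
            System.out.println("unguarded: NPE raised from hashCode()");
        }
    }
}
```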