     [ http://issues.apache.org/jira/browse/GERONIMO-852?page=all ]

Aaron Mulder resolved GERONIMO-852:
-----------------------------------

    Fix Version: 1.0-M5
     Resolution: Fixed

Thanks! I wasn't able to replicate the stack trace (Linux SuSE 9.3), but it still seems wise to guard against it. Added a slightly more extensive patch that potentially allows a legitimately null password, and includes tests.

> NullPointerException in during deploy
> -------------------------------------
>
>          Key: GERONIMO-852
>          URL: http://issues.apache.org/jira/browse/GERONIMO-852
>      Project: Geronimo
>         Type: Bug
>   Components: security
>     Versions: 1.0-M5
>     Reporter: Kevan Miller
>     Assignee: Aaron Mulder
>     Priority: Minor
>      Fix For: 1.0-M5
>  Attachments: passwordNPE.patch
>
> While playing around with uri syntax for deploy commands, I ran across a NPE
> during login processing:
> java.lang.NullPointerException
>     at java.lang.String.<init>(String.java:166)
>     at org.apache.geronimo.security.realm.providers.PropertiesFileLoginModule.login(PropertiesFileLoginModule.java:142)
>     at org.apache.geronimo.security.jaas.JaasLoginService.performServerLogin(JaasLoginService.java:240)
>     at org.apache.geronimo.security.jaas.JaasLoginService$$FastClassByCGLIB$$1b5fde8c.invoke(<generated>)
>     at net.sf.cglib.reflect.FastMethod.invoke(FastMethod.java:53)
>     at org.apache.geronimo.gbean.runtime.FastMethodInvoker.invoke(FastMethodInvoker.java:38)
>     at org.apache.geronimo.gbean.runtime.GBeanOperation.invoke(GBeanOperation.java:118)
>     at org.apache.geronimo.gbean.runtime.GBeanInstance.invoke(GBeanInstance.java:731)
>     at org.apache.geronimo.gbean.runtime.RawInvoker.invoke(RawInvoker.java:57)
>     at org.apache.geronimo.kernel.basic.RawOperationInvoker.invoke(RawOperationInvoker.java:36)
>     at org.apache.geronimo.kernel.basic.ProxyMethodInterceptor.intercept(ProxyMethodInterceptor.java:94)
>     at org.apache.geronimo.security.jaas.JaasLoginServiceMBean$$EnhancerByCGLIB$$5302521b.performServerLogin(<generated>)
>     at org.apache.geronimo.security.jaas.JaasLoginCoordinator$ServerLoginModule.login(JaasLoginCoordinator.java:230)
>     at org.apache.geronimo.security.jaas.LoginUtils.computeLogin(LoginUtils.java:34)
>     at org.apache.geronimo.security.jaas.JaasLoginCoordinator.login(JaasLoginCoordinator.java:101)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>     at java.lang.reflect.Method.invoke(Method.java:324)
>     at javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
>     at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
>     at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
>     at java.security.AccessController.doPrivileged(Native Method)
>     at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
>     at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
>     at org.apache.geronimo.jmxremoting.Authenticator.authenticate(Authenticator.java:57)
>     at javax.management.remote.rmi.RMIServerImpl$1.run(RMIServerImpl.java:141)
>     at java.security.AccessController.doPrivileged(Native Method)
>     at javax.management.remote.rmi.RMIServerImpl.authenticate(RMIServerImpl.java:137)
>     at javax.management.remote.rmi.RMIServerImpl.newClient(RMIServerImpl.java:91)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>     at java.lang.reflect.Method.invoke(Method.java:324)
>     at sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:261)
>     at sun.rmi.transport.Transport$1.run(Transport.java:148)
>     at java.security.AccessController.doPrivileged(Native Method)
>     at sun.rmi.transport.Transport.serviceCall(Transport.java:144)
>     at sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:460)
>     at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:701)
>     at java.lang.Thread.run(Thread.java:534)
> To reproduce, I started an out-of-the-box Geronimo server and attempted a
> deploy using the following:
> java -jar deployer.jar deploy <your-archive-of-choice>
> When prompted for a userName, enter some name. When prompted for a password,
> ctrl-c the deployment. You should see the NPE at the Server.
> Problem is that PasswordCallback.getPassword() can return null. In that
> case, something like "new String(callback.getPassword())" will cause an NPE
> to be thrown from within the String constructor. The fix is to guard against
> that case... Same thing could happen in SQLoginModule. I'll post a patch for
> both, shortly...

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira
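
The null-password case described in the report, as an added example that is not the attached passwordNPE.patch or Geronimo's own code: the unguarded `new String(callback.getPassword())` beside a guarded login check. The class name, the sample user store and the choice to reject a null password outright are assumptions made for this illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;
import javax.security.auth.callback.*;
import javax.security.auth.login.FailedLoginException;

public class NullPasswordGuard {
    // Constructed sample store (assumption); a real module reads its realm's data.
    static final Map<String, String> USERS = Map.of("alice", "s3cret");

    // Unguarded form from the report: NPE in String(char[]) when no password was set.
    static String unguarded(PasswordCallback pc) {
        return new String(pc.getPassword());
    }

    // Guarded form: missing credentials are a failed login, not a server-side NPE.
    static boolean login(CallbackHandler handler) throws Exception {
        NameCallback nc = new NameCallback("User name");
        PasswordCallback pc = new PasswordCallback("Password", false);
        handler.handle(new Callback[] {nc, pc});
        char[] supplied = pc.getPassword();   // a copy, or null if never set
        pc.clearPassword();                   // wipe the callback's own copy
        String stored = nc.getName() == null ? null : USERS.get(nc.getName());
        if (supplied == null || stored == null) {
            throw new FailedLoginException("login failed");
        }
        byte[] a = new String(supplied).getBytes(StandardCharsets.UTF_8);
        // isEqual avoids an early exit on the first differing byte.
        if (!MessageDigest.isEqual(a, stored.getBytes(StandardCharsets.UTF_8))) {
            throw new FailedLoginException("login failed");
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        // Constructed handler: sets the name but never the password (aborted prompt).
        CallbackHandler aborted = cbs -> ((NameCallback) cbs[0]).setName("alice");
        try {
            unguarded(new PasswordCallback("Password", false));
        } catch (NullPointerException e) {
            System.out.println("unguarded: NullPointerException");
        }
        try {
            login(aborted);
        } catch (FailedLoginException e) {
            System.out.println("guarded: " + e.getMessage());
        }
    }
}
```

The same message is used for an unknown user, a missing password and a wrong password, so the failure path does not reveal which check rejected the login.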