On Fri, 1 Jul 2022 17:31:06 GMT, Weijun Wang <[email protected]> wrote:
> Add null-checks in all `LoginModule` implementations. It's possible that an
> application calls `logout` after a login failure, where most internal
> variables for principals and credentials are null and removing a null from
> the `Subject`'s principals and credentials sets will trigger a
> `NullPointerException`.
src/jdk.security.auth/share/classes/com/sun/security/auth/module/JndiLoginModule.java line 485:
> 483: if (supplementaryGroups != null) {
> 484: for (int i = 0; i < supplementaryGroups.size(); i++) {
> 485: subject.getPrincipals().remove(supplementaryGroups.get(i));
To be safest, I can check if `supplementaryGroups.get(i)` is null too. Same in
`NTLoginModule` and `UnixLoginModule`.
src/jdk.security.auth/share/classes/com/sun/security/auth/module/NTLoginModule.java line 368:
> 366: }
> 367: if (groups != null) {
> 368: for (int i = 0; groups != null && i < groups.length; i++) {
Oops, `groups != null` is already checked here. Will revert.
-------------
PR: https://git.openjdk.org/jdk/pull/9348