[
https://issues.apache.org/jira/browse/SLING-8711?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16935116#comment-16935116
]
Eric Norman edited comment on SLING-8711 at 9/21/19 6:29 PM:
-------------------------------------------------------------
[~cziegeler] Well, ok then. I guess the details are in a black box that you
can't share?

I was mostly interested in whether the login failures were from a real-world
scenario that may happen in a production Sling deployment. If there are
circumstances where a real end user login attempt may fail without any details
about who the user was, then I was curious if that was expected/normal or some
symptom of something going wrong elsewhere.

For example, I was consuming the login failed events to implement a failed
login throttling solution to mitigate brute force login attacks. And
obviously, if there is a use case where real login attempts can happen without
the failed login events knowing who the user was, then that solution is not
going to work. I can't block login attempts for the offending user if I don't
know who it was.

I guess I'll be forced to just take your word for it that your fix is correct.

> NPE when auth failed event is sent
> ----------------------------------
>
> Key: SLING-8711
> URL: https://issues.apache.org/jira/browse/SLING-8711
> Project: Sling
> Issue Type: Bug
> Components: Authentication
> Affects Versions: Auth Core 1.4.4
> Reporter: Carsten Ziegeler
> Assignee: Carsten Ziegeler
> Priority: Blocker
> Fix For: Auth Core 1.4.6
>
>
> Some auth info might be null when the authentication failed which then
> results in an NPE when sending the event:
> java.lang.NullPointerException
> at java.util.Hashtable.put(Hashtable.java:460)
> at org.apache.sling.auth.core.impl.SlingAuthenticator.postLoginFailedEvent(SlingAuthenticator.java:1541)
> at org.apache.sling.auth.core.impl.SlingAuthenticator.getResolver(SlingAuthenticator.java:840)
> at org.apache.sling.auth.core.impl.SlingAuthenticator.doHandleSecurity(SlingAuthenticator.java:518)
> at org.apache.sling.auth.core.impl.SlingAuthenticator.handleSecurity(SlingAuthenticator.java:462)
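
The failure mode in the issue and the throttling concern in the comment, as an added example that is not part of the original thread and not Sling's code or its actual fix. The class name, property keys, threshold and sample events are assumptions made for illustration; it uses only java.util.

```java
import java.util.Dictionary;
import java.util.HashMap;
import java.util.Hashtable;
import java.util.Map;

public class FailedLoginThrottle {
    // Hypothetical property keys and threshold, chosen for this example.
    static final String USER_KEY = "userid";
    static final String AUTH_TYPE_KEY = "authtype";
    static final int MAX_FAILURES = 3;

    private final Map<String, Integer> failuresByUser = new HashMap<>();
    private int unattributedFailures = 0;

    // Producer side: Hashtable.put throws NullPointerException on a null
    // value, so only copy the fields that are actually present.
    static Dictionary<String, Object> eventProperties(String user, String authType) {
        Dictionary<String, Object> props = new Hashtable<>();
        if (user != null) props.put(USER_KEY, user);
        if (authType != null) props.put(AUTH_TYPE_KEY, authType);
        return props;
    }

    // Consumer side: returns true once the named user reaches the threshold.
    boolean onLoginFailed(Dictionary<String, Object> props) {
        Object user = props.get(USER_KEY);
        if (!(user instanceof String)) {
            // No user in the event: per-user throttling cannot act on it,
            // so count it separately where monitoring can see it.
            unattributedFailures++;
            return false;
        }
        return failuresByUser.merge((String) user, 1, Integer::sum) >= MAX_FAILURES;
    }

    int unattributedFailures() { return unattributedFailures; }

    public static void main(String[] args) {
        try {
            new Hashtable<String, Object>().put(USER_KEY, null); // unguarded put
        } catch (NullPointerException e) {
            System.out.println("unguarded put with a null user: NullPointerException");
        }
        FailedLoginThrottle throttle = new FailedLoginThrottle();
        // Constructed sample events: one failure with no user, three for "alice".
        throttle.onLoginFailed(eventProperties(null, "FORM"));
        boolean blocked = false;
        for (int i = 0; i < 3; i++) blocked = throttle.onLoginFailed(eventProperties("alice", "FORM"));
        System.out.println("alice blocked: " + blocked
                + ", unattributed failures: " + throttle.unattributedFailures());
    }
}
```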