Pascallike *created* an issue

GeoServer / Bug GEOS-10419: NullPointerException from GeoServerOAuthAuthenticationFilter
https://osgeo-org.atlassian.net/browse/GEOS-10419

Issue Type: Bug
Affects Versions: 2.20-RC
Assignee: Unassigned
Components: OAuth2
Created: 15/Mar/22 9:51 AM
Environment: kartoza/geoserver with sec-oauth2-openid plugin
Priority: Low
Reporter: Pascallike

I'm getting this exception from WMS getMap requests when I'm trying to access a 
public layer with an anonymous user:

java.lang.NullPointerException
org.geoserver.security.oauth2.GeoServerOAuthAuthenticationFilter.doFilter(GeoServerOAuthAuthenticationFilter.java:134)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
org.geoserver.security.filter.GeoServerCompositeFilter$NestedFilterChain.doFilter(GeoServerCompositeFilter.java:71)
org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)
org.geoserver.security.filter.GeoServerSecurityContextPersistenceFilter$1.doFilter(GeoServerSecurityContextPersistenceFilter.java:52)
org.geoserver.security.filter.GeoServerCompositeFilter$NestedFilterChain.doFilter(GeoServerCompositeFilter.java:75)
org.geoserver.security.filter.GeoServerCompositeFilter.doFilter(GeoServerCompositeFilter.java:92)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:215)
org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178)
org.geoserver.security.GeoServerSecurityFilterChainProxy.doFilter(GeoServerSecurityFilterChainProxy.java:142)
org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:358)
org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:271)
org.geoserver.filters.LoggingFilter.doFilter(LoggingFilter.java:102)
org.geoserver.filters.XFrameOptionsFilter.doFilter(XFrameOptionsFilter.java:77)
org.geoserver.filters.GZIPFilter.doFilter(GZIPFilter.java:48)
org.geoserver.filters.SessionDebugFilter.doFilter(SessionDebugFilter.java:49)
org.geoserver.filters.FlushSafeFilter.doFilter(FlushSafeFilter.java:42)
org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201)
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)

This happens randomly, but quite frequently (about 1 out of 20 requests to the 
server). It never happens after login, so limited to anonymous users.

The exception starts from this line of code:

https://github.com/geoserver/geoserver/blob/main/src/community/security/oauth2-core/src/main/java/org/geoserver/security/oauth2/GeoServerOAuthAuthenticationFilter.java#L134

import javax.servlet.http.HttpServletRequest;
...
HttpServletRequest httpRequest = (HttpServletRequest) request;
...
httpRequest.getSession(false).invalidate();  // <--- NullPointerException
...

Testing locally I found that the exception is thrown by the 
*HttpSession.invalidate()* on a null object. So the 
HttpServletRequest.getSession(false) could be null. I'm not able to tell if the 
null session at this point is a problem, but considering that 
HttpServletRequest.getSession(false) could be null, I've added a check for null 
object on the session before running the *HttpSession.invalidate()*, which
seems to fix the problem.

Please let me know if you think it might be a good idea to add this control to 
GeoServer or if you are aware of the problem. I can open a Pull Request to add 
the fix.

_______________________________________________
Geoserver-devel mailing list
Geoserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel
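
The null check described in the report, as an added example that is not part of the original message and is not GeoServer's code. The class and method names are hypothetical, the request object in main() is a constructed stand-in, and the javax.servlet API is assumed to be on the classpath.

```java
import java.lang.reflect.Proxy;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Added illustration; class and method names are hypothetical, not GeoServer code. */
public final class SessionInvalidation {

    private SessionInvalidation() {}

    /**
     * Invalidates the current session if there is one.
     *
     * @return true if a session existed and was invalidated by this call
     */
    public static boolean invalidateIfPresent(HttpServletRequest request) {
        // getSession(false) never creates a session; it returns null when the
        // request carries no valid session, as an anonymous request may.
        HttpSession session = request.getSession(false);
        if (session == null) {
            return false;
        }
        try {
            session.invalidate();
            return true;
        } catch (IllegalStateException alreadyInvalidated) {
            // invalidate() throws if the session was already invalidated,
            // for example by a concurrent request sharing the same session.
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed stand-in for a request without a session: every method,
        // including getSession(false), returns null.
        HttpServletRequest anonymous = (HttpServletRequest) Proxy.newProxyInstance(
                SessionInvalidation.class.getClassLoader(),
                new Class<?>[] {HttpServletRequest.class},
                (proxy, method, methodArgs) -> null);

        // Unguarded form quoted in the report: dereferences the null session.
        try {
            anonymous.getSession(false).invalidate();
        } catch (NullPointerException e) {
            System.out.println("unguarded call: NullPointerException");
        }

        // Guarded form: no exception, and nothing to invalidate.
        System.out.println("guarded call invalidated a session: "
                + invalidateIfPresent(anonymous));
    }
}
```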
