Bugs item #1014373, was opened at 2004-08-23 16:25
Message generated for change (Comment added) made by daemon23
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=376685&aid=1014373&group_id=22866
Category: JBossSX
Group: v3.2
>Status: Open
>Resolution: None
>Priority: 9
Submitted By: Johan Hammar (daemon23)
Assigned to: Scott M Stark (starksm)
Summary: NPE in JBossSecurityMgrRealm.getCachingPrincpal()
Initial Comment:
When the CallerPrincipal is not a descendant of SimplePrincipal and implements its own hashCode() and equals() methods in a different way than SimplePrincipal, an NPE is thrown in JBossSecurityMgrRealm.getCachingPrincpal().

The reason for this is that TimedCachePolicy uses an internal HashMap in which it uses the incoming Principal objects as keys and trusts their hashCode() and equals() implementations to be compatible with the implementations of SimplePrincipal.

Nothing is stated about the requirements on the hashCode() and equals() implementation in the java.security.Principal interface documentation, so it should not be trusted.
Here is the stack trace of the NPE:

java.lang.NullPointerException
	at org.jboss.web.tomcat.security.JBossSecurityMgrRealm.getCachingPrincpal(JBossSecurityMgrRealm.java:459)
	at org.jboss.web.tomcat.security.JBossSecurityMgrRealm.authenticate(JBossSecurityMgrRealm.java:286)
	at org.apache.catalina.authenticator.BasicAuthenticator.authenticate(BasicAuthenticator.java:129)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:504)
	at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:102)
	at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:137)
	at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
	at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:102)
	at org.jboss.web.tomcat.tc5.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:92)
	at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:102)
	at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
	at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
	at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
	at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:929)
	at org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:160)
	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:799)
	at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:705)
	at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:577)
	at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:683)
	at java.lang.Thread.run(Unknown Source)
/Johan Hammar
----------------------------------------------------------------------
>Comment By: Johan Hammar (daemon23)
Date: 2004-08-26 17:14
Message:
Logged In: YES
user_id=811429
The null-check is a good improvement. However, in this particular case it will actually hide the root problem even more. Under the conditions I mentioned above, a user with a set of assigned roles will now be successfully authenticated but the roles will be lost in the process of authentication.

To clarify this I have attached a file containing three stack traces, all including a stack frame of JBossSecurityMgrRealm.authenticate(). The line numbers are still from 3.2.6RC1.

The first stack trace shows how an instance of SimplePrincipal gets inserted as a key into the internal HashMap of TimedCachePolicy.

The second stack trace shows how the same SimplePrincipal instance is used to look up the actual CallerPrincipal instance. The CallerPrincipal is found and returned in JaasSecurityManager line 276. At this point the Principal reference in JBossSecurityMgrRealm.authenticate() is switched and now references the found CallerPrincipal instance.

The third stack trace shows how JBossSecurityMgrRealm.getCachingPrincpal() tries to get the roles assigned to the user by sending the CallerPrincipal instance as argument to RealmMapping.getUserRoles(). This call ends up in a lookup in the HashMap of TimedCachePolicy mentioned earlier. Since the hashCode/equals implementation of the CallerPrincipal yields different results than SimplePrincipal's, the lookup fails. Consequently the roles reference returned to JBossSecurityMgrRealm.getCachingPrincpal() is null.
/Johan Hammar
----------------------------------------------------------------------
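The lookup failure described in the initial report and in the comment above, reduced to a stand-alone program. This is an added example, not code from the bug report or from JBoss: NamePrincipal stands in for a SimplePrincipal-style principal (equal when names are equal), TenantPrincipal stands in for an application CallerPrincipal that is not a SimplePrincipal and folds a hypothetical extra field into equals/hashCode, and the two cache classes model only the one property of TimedCachePolicy the report relies on, a Principal-keyed HashMap. The role names and tenant id are constructed sample data.

```java
import java.security.Principal;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

public class PrincipalKeyMismatch {

    // Stand-in (not the JBoss class) for SimplePrincipal-style identity:
    // two principals are equal when their names are equal.
    static final class NamePrincipal implements Principal {
        private final String name;
        NamePrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o instanceof Principal && name.equals(((Principal) o).getName());
        }
        @Override public int hashCode() { return name.hashCode(); }
    }

    // Stand-in for an application CallerPrincipal that does not extend SimplePrincipal
    // and includes a second field (a hypothetical tenant id) in equals/hashCode.
    static final class TenantPrincipal implements Principal {
        private final String name;
        private final String tenant;
        TenantPrincipal(String name, String tenant) { this.name = name; this.tenant = tenant; }
        @Override public String getName() { return name; }
        @Override public boolean equals(Object o) {
            if (!(o instanceof TenantPrincipal)) return false;
            TenantPrincipal t = (TenantPrincipal) o;
            return name.equals(t.name) && tenant.equals(t.tenant);
        }
        @Override public int hashCode() { return 31 * name.hashCode() + tenant.hashCode(); }
    }

    // Fragile cache: keyed directly by the Principal object, so a hit depends on the
    // stored key and the lookup key agreeing on hashCode() and equals(). HashMap.get()
    // selects the bucket by the lookup key's hashCode() and then calls lookupKey.equals(storedKey).
    static final class PrincipalKeyedRoleCache {
        private final Map<Principal, Set<String>> roles = new HashMap<>();
        void put(Principal p, Set<String> r) { roles.put(p, r); }
        Set<String> getUserRoles(Principal p) { return roles.get(p); }   // null on a miss
    }

    // Hardened cache: keyed by a canonical value the cache derives itself, so the class
    // of the caller's Principal no longer affects the lookup. Trade-off: two distinct
    // principals that share a name share an entry, which the deployment must accept.
    static final class NameKeyedRoleCache {
        private final Map<String, Set<String>> roles = new HashMap<>();
        void put(Principal p, Set<String> r) { roles.put(p.getName(), r); }
        Set<String> getUserRoles(Principal p) { return roles.get(p.getName()); }
    }

    // Models the decision the realm has to make when the role lookup returns null:
    // fail closed. Treating null as "authenticated, no roles" would silently drop
    // the user's assigned roles, which is the symptom the comment above describes.
    static boolean authenticate(Set<String> roles) {
        return roles != null;
    }

    public static void main(String[] args) {
        Set<String> assigned = new HashSet<>(Arrays.asList("Manager", "Auditor"));  // constructed sample
        Principal storedAs = new NamePrincipal("alice");                  // key inserted at login
        Principal callerPrincipal = new TenantPrincipal("alice", "acme"); // key used for the later lookup

        PrincipalKeyedRoleCache fragile = new PrincipalKeyedRoleCache();
        fragile.put(storedAs, assigned);
        Set<String> fromFragile = fragile.getUserRoles(callerPrincipal);  // miss: hashCode and equals disagree
        System.out.println("principal-keyed lookup: " + fromFragile);
        System.out.println("authenticated (principal-keyed): " + authenticate(fromFragile));

        NameKeyedRoleCache hardened = new NameKeyedRoleCache();
        hardened.put(storedAs, assigned);
        Set<String> fromHardened = hardened.getUserRoles(callerPrincipal); // hit: keyed by name
        System.out.println("name-keyed lookup: " + fromHardened);
        System.out.println("authenticated (name-keyed): " + authenticate(fromHardened));
    }
}
```

Compile and run with javac PrincipalKeyMismatch.java && java PrincipalKeyMismatch. The first lookup misses even though both keys name the same user, because HashMap consults only the keys' own hashCode() and equals(), and java.security.Principal imposes no contract on those beyond Object's. Whichever cache design is used, a null from getUserRoles() should be treated as a failed lookup rather than as an empty role set, so that a key mismatch cannot quietly strip a user's roles.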
Comment By: Scott M Stark (starksm)
Date: 2004-08-23 23:07
Message:
Logged In: YES
user_id=175228
It's not clear this is due to the principal equals/hashCode implementation. There was an expectation that an authenticated user has associated roles, and if this was not the case the NPE resulted. The NPE has been addressed.
----------------------------------------------------------------------
_______________________________________________
JBoss-Development mailing list
https://lists.sourceforge.net/lists/listinfo/jboss-development