Bugs item #1014373, was opened at 2004-08-23 07:25
Message generated for change (Comment added) made by starksm
You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=376685&aid=1014373&group_id=22866
Category: JBossSX
Group: v3.2
>Status: Closed
>Resolution: Fixed
Priority: 9
Submitted By: Johan Hammar (daemon23)
Assigned to: Scott M Stark (starksm)
>Summary: Incorrect principal used in lookup in getCachingPrincpal()

Initial Comment:
When the CallerPrincipal is not a descendant of SimplePrincipal and implements its own hashCode() and equals() methods in a different way than SimplePrincipal, an NPE is thrown in JBossSecurityMgrRealm.getCachingPrincpal().

The reason for this is that TimedCachePolicy uses an internal HashMap in which it uses the incoming Principal objects as keys and trusts their hashCode() and equals() implementations to be compatible with the implementations of SimplePrincipal. Nothing is stated about the requirements for the hashCode() and equals() implementations in the java.security.Principal interface documentation, so it should not be trusted.

Here is the stacktrace of the NPE:

java.lang.NullPointerException
    at org.jboss.web.tomcat.security.JBossSecurityMgrRealm.getCachingPrincpal(JBossSecurityMgrRealm.java:459)
    at org.jboss.web.tomcat.security.JBossSecurityMgrRealm.authenticate(JBossSecurityMgrRealm.java:286)
    at org.apache.catalina.authenticator.BasicAuthenticator.authenticate(BasicAuthenticator.java:129)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:504)
    at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:102)
    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:137)
    at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
    at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:102)
    at org.jboss.web.tomcat.tc5.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:92)
    at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:102)
    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
    at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:929)
    at org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:160)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:799)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:705)
    at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:577)
    at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:683)
    at java.lang.Thread.run(Unknown Source)

/Johan Hammar

----------------------------------------------------------------------

>Comment By: Scott M Stark (starksm)
Date: 2004-08-27 23:12

Message:
Logged In: YES
user_id=175228

The principal used for authentication is now used to look up the associated roles.

----------------------------------------------------------------------

Comment By: Johan Hammar (daemon23)
Date: 2004-08-26 10:10

Message:
Logged In: YES
user_id=811429

OK, I have attached an example of a custom principal in this followup.

/Johan Hammar

----------------------------------------------------------------------

Comment By: Scott M Stark (starksm)
Date: 2004-08-26 08:48

Message:
Logged In: YES
user_id=175228

So give me an example of the custom principal in question.

----------------------------------------------------------------------

Comment By: Johan Hammar (daemon23)
Date: 2004-08-26 08:14

Message:
Logged In: YES
user_id=811429

The null-check is a good improvement.
However, in this particular case it will actually hide the root problem even more. Under the conditions I mentioned above, a user with a set of assigned roles will now be successfully authenticated, but the roles will be lost in the process of authentication.

To clarify this I have attached a file containing three stacktraces, all including a stack frame of JBossSecurityMgrRealm.authenticate(). The line numbers are still from 3.2.6RC1.

The first stacktrace shows how an instance of SimplePrincipal gets inserted as a key into the internal HashMap of TimedCachePolicy.

The second stacktrace shows how the same SimplePrincipal instance is used to look up the actual CallerPrincipal instance. The CallerPrincipal is found and returned in JaasSecurityManager line 276. At this point the Principal reference in JBossSecurityMgrRealm.authenticate() is switched and now references the found CallerPrincipal instance.

The third stacktrace shows how JBossSecurityMgrRealm.getCachingPrincpal() tries to get the roles assigned to the user by sending the CallerPrincipal instance as an argument to RealmMapping.getUserRoles(). This call ends up in a lookup in the HashMap of TimedCachePolicy mentioned earlier. Since the hashCode/equals implementation of the CallerPrincipal yields different results than SimplePrincipal, the lookup fails. Consequently, the roles reference returned to JBossSecurityMgrRealm.getCachingPrincpal() is null.

/Johan Hammar

----------------------------------------------------------------------

Comment By: Scott M Stark (starksm)
Date: 2004-08-23 14:07

Message:
Logged In: YES
user_id=175228

It's not clear this is due to the principal equals/hashCode implementation. There was an expectation that an authenticated user has associated roles, and if this was not the case the NPE resulted. The NPE has been addressed.
----------------------------------------------------------------------

_______________________________________________
JBoss-Development mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/jboss-development
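The failure mode described in this thread, modelled as an added example that is not JBoss code and was not posted by anyone in the thread: a role cache keyed by Principal objects is populated under a name-based principal, the authenticated principal is then swapped for a caller principal with incompatible equals()/hashCode(), and the role lookup with the swapped principal returns null. The classes NamePrincipal (a stand-in for a SimplePrincipal-like principal), TenantPrincipal (a stand-in for a custom CallerPrincipal) and RoleCache (a plain HashMap standing in for TimedCachePolicy, with no timeout modelled) are all invented for this example, as are the method names; the only thing taken from the thread is the lookup order and the fix of keying the lookup on the principal used for authentication.

```java
import java.security.Principal;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Objects;
import java.util.Set;

// Added example, not JBoss code. NamePrincipal stands in for a SimplePrincipal-like
// principal (equality by name only); TenantPrincipal stands in for a custom
// CallerPrincipal whose equals()/hashCode() also include a tenant field, so it is
// never equal to a NamePrincipal carrying the same name.
public class PrincipalCacheDemo {

    // Equality by name only: the convention the cache silently relies on.
    static final class NamePrincipal implements Principal {
        private final String name;
        NamePrincipal(String name) { this.name = name; }
        public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o instanceof NamePrincipal && name.equals(((NamePrincipal) o).name);
        }
        @Override public int hashCode() { return name.hashCode(); }
    }

    // A perfectly legal java.security.Principal whose equals()/hashCode() are
    // incompatible with NamePrincipal (the interface imposes no contract on them).
    static final class TenantPrincipal implements Principal {
        private final String name;
        private final String tenant;
        TenantPrincipal(String name, String tenant) { this.name = name; this.tenant = tenant; }
        public String getName() { return name; }
        public String getTenant() { return tenant; }
        @Override public boolean equals(Object o) {
            if (!(o instanceof TenantPrincipal)) return false;
            TenantPrincipal t = (TenantPrincipal) o;
            return name.equals(t.name) && tenant.equals(t.tenant);
        }
        @Override public int hashCode() { return Objects.hash(name, tenant); }
    }

    // Cache keyed by the Principal object itself (assumption: a plain HashMap,
    // standing in for the TimedCachePolicy HashMap described in the report).
    static final class RoleCache {
        private final Map<Principal, Set<String>> roles = new HashMap<>();
        private final Map<Principal, Principal> callerPrincipals = new HashMap<>();

        // On successful authentication: record the roles and the resolved caller
        // principal under the principal built from the supplied credentials.
        void onAuthenticated(Principal authPrincipal, Principal callerPrincipal, String... userRoles) {
            roles.put(authPrincipal, new HashSet<>(Arrays.asList(userRoles)));
            callerPrincipals.put(authPrincipal, callerPrincipal);
        }

        Principal getCallerPrincipal(Principal authPrincipal) {
            return callerPrincipals.get(authPrincipal);
        }

        // Returns null when the key is not found; the report's NPE starts here.
        Set<String> getUserRoles(Principal key) {
            return roles.get(key);
        }
    }

    // The sequence from the report: look up the caller principal with the
    // name-based principal, then look up roles with the caller principal.
    static Set<String> rolesViaCallerPrincipal(RoleCache cache, String user) {
        Principal authPrincipal = new NamePrincipal(user);
        Principal caller = cache.getCallerPrincipal(authPrincipal); // found: keyed by NamePrincipal
        return cache.getUserRoles(caller);   // TenantPrincipal != NamePrincipal: returns null
    }

    // The fix the thread converges on: look roles up with the same principal
    // that was used for authentication, not with the swapped caller principal.
    static Set<String> rolesViaAuthPrincipal(RoleCache cache, String user) {
        Principal authPrincipal = new NamePrincipal(user);
        return cache.getUserRoles(authPrincipal);
    }

    public static void main(String[] args) {
        RoleCache cache = new RoleCache();
        Principal auth = new NamePrincipal("alice");                 // constructed sample user
        Principal caller = new TenantPrincipal("alice", "acme");     // constructed custom principal
        cache.onAuthenticated(auth, caller, "Admin", "User");

        Set<String> lost = rolesViaCallerPrincipal(cache, "alice");
        Set<String> kept = rolesViaAuthPrincipal(cache, "alice");
        System.out.println("lookup by caller principal: " + lost);  // null
        System.out.println("lookup by auth principal:   " + kept);  // Admin and User, in set order
        if (lost == null && kept != null && kept.contains("Admin")) {
            System.out.println("roles lost with the caller principal, recovered with the auth principal");
        }
    }
}
```

Two practitioner points follow from running this. First, a null check alone turns the NPE into the situation Johan describes: authentication succeeds and the roles are silently gone, which is harder to notice than a crash. Second, keying a cache by arbitrary Principal objects is a contract the java.security.Principal interface does not give you; a cache keyed by a value with defined equality (the principal name, for instance) or a lookup that always uses the principal the container itself constructed, as in rolesViaAuthPrincipal above, removes the dependence on how a custom principal happens to implement equals() and hashCode(). That design suggestion is the editor's, not something stated in the thread.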