[ 
https://issues.apache.org/jira/browse/OAK-8229?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Davide Giannella closed OAK-8229.
---------------------------------

bulk close 1.14.0

> LoginModuleImpl.commit will end in NPE if credentials are null
> --------------------------------------------------------------
>
>                 Key: OAK-8229
>                 URL: https://issues.apache.org/jira/browse/OAK-8229
>             Project: Jackrabbit Oak
>          Issue Type: Bug
>          Components: core, security
>            Reporter: angela
>            Assignee: angela
>            Priority: Major
>             Fix For: 1.14.0
>
>
> [~stillalex], i spotted an NPE with {{LoginModuleImpl.commit}} under the 
> following circumstances:
> - no {{Credentials}} have been extracted during the login() (see 
> {{getCredentials}}
> - if the {{Subject}} is not read-only commit() will add the null credentials 
> objects to the public credentials set
> - the subsequent attempt to also add the {{AuthInfo}} will result in a NPE.
> the fix should be fairly easy, avoiding pushing null credentials to the 
> subject
> {code}
> if (!subject.isReadOnly()) {
>                 Set<Principal> principals = subject.getPrincipals();
>                 if (principal != null) {
>                     principals.addAll(getPrincipals(principal));
>                 } else if (userId != null) {
>                     principals.addAll(getPrincipals(userId));
>                 }
> // FIX: extra check for null
>                 if (credentials != null) {
>                     subject.getPublicCredentials().add(credentials);
>                 }
>                 setAuthInfo(createAuthInfo(principals), subject);
>             } else {
>                 log.debug("Could not add information to read only subject 
> {}", subject);
>             }
> {code}



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Reply via email to