On Fri, 1 Jul 2022 17:31:06 GMT, Weijun Wang <wei...@openjdk.org> wrote:

> Add null-checks in all `LoginModule` implementations. It's possible that an
> application calls `logout` after a login failure, where most internal
> variables for principals and credentials are null and removing a null from
> the `Subject`'s principals and credentials sets will trigger a
> `NullPointerException`.

src/jdk.security.auth/share/classes/com/sun/security/auth/module/JndiLoginModule.java line 485:

> 483:         if (supplementaryGroups != null) {
> 484:             for (int i = 0; i < supplementaryGroups.size(); i++) {
> 485:                 subject.getPrincipals().remove(supplementaryGroups.get(i));

To be safest, I can check if `supplementaryGroups.get(i)` is null too. Same in `NTLoginModule` and `UnixLoginModule`.

src/jdk.security.auth/share/classes/com/sun/security/auth/module/NTLoginModule.java line 368:

> 366:         }
> 367:         if (groups != null) {
> 368:             for (int i = 0; groups != null && i < groups.length; i++) {

Oops, `groups != null` is already checked here. Will revert.

-------------

PR: https://git.openjdk.org/jdk/pull/9348
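Review bot: in the `JndiLoginModule` excerpt (lines 483-485), the `supplementaryGroups != null` guard on line 483 does not cover null elements inside the list, so line 485 can still call `subject.getPrincipals().remove(null)`, which is exactly the call the PR description says raises `NullPointerException`. A per-element check before the remove, e.g. `if (supplementaryGroups.get(i) != null)`, closes that path; since the same loop is said to exist in `NTLoginModule` and `UnixLoginModule`, the guard should land in all three in the same change so the modules stay consistent.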
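Review bot: in the `NTLoginModule` excerpt, line 368 re-tests `groups != null` inside the `for` condition even though line 367 already guards the whole loop with it; the clause is dead and should be dropped, leaving `for (int i = 0; i < groups.length; i++)`. The check that would actually add safety here is a `groups[i] != null` test on each element before it is passed to the `Subject`'s set, matching what is proposed for `JndiLoginModule`.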
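The logout-after-failed-login scenario from the PR description, as an added example that is not part of the PR or of the JDK sources: a stand-alone LoginModule-style class whose `logout` checks every field, and every list element, before touching the `Subject`'s principal and credential sets. The class and field names (`NullSafeLogout`, `DemoPrincipal`, `userPrincipal`, `supplementaryGroups`, `password`) are hypothetical.

```java
import java.security.Principal;
import java.util.Arrays;
import java.util.List;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginException;

/** Hypothetical LoginModule-style class; only the logout logic matters here. */
public class NullSafeLogout {
    record DemoPrincipal(String name) implements Principal {
        @Override public String getName() { return name; }
    }
    private final Subject subject;
    // A real module populates these in commit(); after a failed login they stay null.
    private DemoPrincipal userPrincipal;
    private List<DemoPrincipal> supplementaryGroups;
    private char[] password;
    NullSafeLogout(Subject subject) { this.subject = subject; }
    void commit(DemoPrincipal user, List<DemoPrincipal> groups, char[] pw) {
        userPrincipal = user;
        supplementaryGroups = groups;
        password = pw;
        subject.getPrincipals().add(user);
        subject.getPrincipals().addAll(groups);
        subject.getPrivateCredentials().add(pw);
    }
    /** Logout that never hands a null to the Subject's principal/credential sets. */
    boolean logout() throws LoginException {
        if (subject.isReadOnly()) throw new LoginException("Subject is read-only");
        if (userPrincipal != null) subject.getPrincipals().remove(userPrincipal);
        if (supplementaryGroups != null) {
            for (DemoPrincipal g : supplementaryGroups) {
                if (g != null) subject.getPrincipals().remove(g); // per-element check from the review
            }
        }
        if (password != null) {
            subject.getPrivateCredentials().remove(password);
            Arrays.fill(password, ' '); // scrub the secret once it is out of the Subject
        }
        userPrincipal = null; supplementaryGroups = null; password = null;
        return true;
    }
    public static void main(String[] args) throws LoginException {
        Subject s = new Subject();
        NullSafeLogout m = new NullSafeLogout(s);
        m.logout(); // logout straight after a failed login: every field is null, no NPE
        m.commit(new DemoPrincipal("alice"), List.of(new DemoPrincipal("staff")), "pw".toCharArray());
        m.logout();
        System.out.println("principals left after logout: " + s.getPrincipals().size());
    }
}
```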
> Add null-checks in all `LoginModule` implementations. It's possible that an > application calls `logout` after a login failure, where most internal > variables for principals and credentials are null and removing a null from > the `Subject`'s principals and credentials sets will trigger a > `NullPointerException`. src/jdk.security.auth/share/classes/com/sun/security/auth/module/JndiLoginModule.java line 485: > 483: if (supplementaryGroups != null) { > 484: for (int i = 0; i < supplementaryGroups.size(); i++) { > 485: > subject.getPrincipals().remove(supplementaryGroups.get(i)); To be safest, I can check if `supplementaryGroups.get(i)` is null too. Same in `NTLoginModule` and `UnixLoginModule`. src/jdk.security.auth/share/classes/com/sun/security/auth/module/NTLoginModule.java line 368: > 366: } > 367: if (groups != null) { > 368: for (int i = 0; groups != null && i < groups.length; i++) { Oops, `groups != null` is already checked here. Will revert. ------------- PR: https://git.openjdk.org/jdk/pull/9348