On Mon, 11 Jul 2022 20:09:31 GMT, Sean Mullan <[email protected]> wrote:
>> Add null-checks in all `LoginModule` implementations. It's possible that an
>> application calls `logout` after a login failure, where most internal
>> variables for principals and credentials are null and removing a null from
>> the `Subject`'s principals and credentials sets will trigger a
>> `NullPointerException`.
>
> test/jdk/javax/security/auth/login/modules/SafeLogout.java line 37:
>
>> 35: * @bug 8282730
>> 36: * @key randomness
>> 37: * @summary LdapLoginModule throw NPE from logout method after login
>> failure
>
> I think the summary can be more descriptive here and doesn't have to match
> the bug description. How about "Check that all LoginModule implementations
> don't throw NPE from logout method after login failure"
OK.
> test/jdk/javax/security/auth/login/modules/SafeLogout.java line 51:
>
>> 49:
>> 50: static void test(int pos) throws Exception {
>> 51: // Create random JAAS login config.
>
> I'm probably missing something obvious, but can you explain why this test
> uses a random login config? I would add some comments explaining that more.
I cannot find a way to test all combinations so I make it random. If it really
fails I make sure the login module name, flag, and whether there is a login
attempt are printed out so I can reproduce it.
-------------
PR: https://git.openjdk.org/jdk/pull/9348
