Jackrabbit Oak / OAK-8229

LoginModuleImpl.commit will end in NPE if credentials are null

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 1.14.0
    • Component/s: core, security
    • Labels:
      None

      Description

      Alex Deparvu, I spotted an NPE with LoginModuleImpl.commit under the following circumstances:

      • no Credentials have been extracted during the login() (see getCredentials)
      • if the Subject is not read-only, commit() will add the null credentials objects to the public credentials set
      • the subsequent attempt to also add the AuthInfo will result in an NPE.

      The fix should be fairly easy, avoiding pushing null credentials to the subject:

      if (!subject.isReadOnly()) {
          Set<Principal> principals = subject.getPrincipals();
          if (principal != null) {
              principals.addAll(getPrincipals(principal));
          } else if (userId != null) {
              principals.addAll(getPrincipals(userId));
          }
          // FIX: extra check for null
          if (credentials != null) {
              subject.getPublicCredentials().add(credentials);
          }
          setAuthInfo(createAuthInfo(principals), subject);
      } else {
          log.debug("Could not add information to read only subject {}", subject);
      }
      

            People

            • Assignee: Angela Schreiber (angela)
            • Reporter: Angela Schreiber (angela)