SHIRO-141

Problem with WebRememberMeManager

    Details

      Description

      I executed the following code to see if I needed to get the current user again after logging out:
      Subject currentUser;
      currentUser = SecurityUtils.getSubject(); // <-- no exception
      currentUser = SecurityUtils.getSubject(); // <-- no exception
      currentUser.logout();                     // <-- no exception
      currentUser = SecurityUtils.getSubject(); // <-- EXCEPTION

      This resulted in the application throwing a NullPointerException from WebRememberMeManager.

      Here is the stack trace: (I'm currently trying to learn how to install and use JUnit)

      32046 [btpool0-1] WARN org.apache.shiro.mgt.DefaultSecurityManager - Delegate RememberMeManager instance of type [org.apache.shiro.web.WebRememberMeManager] threw an exception during getRememberedPrincipals().
      java.lang.NullPointerException
      at org.apache.shiro.web.attr.CookieAttribute.getCookie(CookieAttribute.java:262)
      at org.apache.shiro.web.attr.CookieAttribute.removeValue(CookieAttribute.java:357)
      at org.apache.shiro.web.WebRememberMeManager.forgetIdentity(WebRememberMeManager.java:320)
      at org.apache.shiro.web.WebRememberMeManager.forgetIdentity(WebRememberMeManager.java:316)
      at org.apache.shiro.mgt.AbstractRememberMeManager.onRememberedPrincipalFailure(AbstractRememberMeManager.java:547)
      at org.apache.shiro.mgt.AbstractRememberMeManager.getRememberedPrincipals(AbstractRememberMeManager.java:488)
      at org.apache.shiro.mgt.DefaultSecurityManager.getRememberedIdentity(DefaultSecurityManager.java:598)
      at org.apache.shiro.mgt.DefaultSecurityManager.resolvePrincipals(DefaultSecurityManager.java:486)
      at org.apache.shiro.mgt.DefaultSecurityManager.createSubject(DefaultSecurityManager.java:363)
      at org.apache.shiro.subject.Subject$Builder.buildSubject(Subject.java:751)
      at org.apache.shiro.SecurityUtils.getSubject(SecurityUtils.java:57)
      at burp_erp_t1.TestShiroServlet.login(TestShiroServlet.java:43)
      at burp_erp_t1.TestShiroServlet.doPost(TestShiroServlet.java:24)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:713)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:806)
      at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:487)
      at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1093)
      at org.apache.shiro.web.servlet.AbstractShiroFilter.executeChain(AbstractShiroFilter.java:373)
      at org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:306)
      at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:81)
      at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1084)
      at com.google.appengine.api.blobstore.dev.ServeBlobFilter.doFilter(ServeBlobFilter.java:51)
      at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1084)
      at com.google.apphosting.utils.servlet.TransactionCleanupFilter.doFilter(TransactionCleanupFilter.java:43)
      at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1084)
      at com.google.appengine.tools.development.StaticFileFilter.doFilter(StaticFileFilter.java:121)
      at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1084)
      at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:360)
      at org.mortbay.jetty.security.SecurityHandler.handle(SecurityHandler.java:216)
      at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:181)
      at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:712)
      at org.mortbay.jetty.webapp.WebAppContext.handle(WebAppContext.java:405)
      at com.google.apphosting.utils.jetty.DevAppEngineWebAppContext.handle(DevAppEngineWebAppContext.java:70)
      at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:139)
      at com.google.appengine.tools.development.JettyContainerService$ApiProxyHandler.handle(JettyContainerService.java:352)
      at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:139)
      at org.mortbay.jetty.Server.handle(Server.java:313)
      at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:506)
      at org.mortbay.jetty.HttpConnection$RequestHandler.content(HttpConnection.java:844)
      at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:644)
      at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:211)
      at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:381)
      at org.mortbay.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:396)
      at org.mortbay.thread.BoundedThreadPool$PoolThread.run(BoundedThreadPool.java:442)

      1. shiro141.zip
        29 kB
        Allan Ditzel
      2. MyWebRememberMeManager.java
        2 kB
        bartolomeo sorrentino

        Issue Links

          Activity

          Les Hazlewood added a comment -

          Closing all resolved issues due to a successful 1.0.0-incubating release

          Les Hazlewood added a comment -

          Resolved two weeks ago with continued testing - all looks well

          Les Hazlewood added a comment -

          Hi Peter,

          I committed a fix for this today. But before I resolve it, I want to understand the two stack traces you posted in your comment. Please see the dev list for a follow up discussion. Thanks!

          • Les
          Les Hazlewood added a comment -

          Natalie et al.,

          You're in luck! Now that the cryptography work has finally been committed, this issue is my highest priority. I hope to have it done today or tomorrow.

          Cheers,

          Les

          bartolomeo sorrentino added a comment -

          Hi,

          I've developed a simple workaround to avoid the exception.

          Attached is a simple WebRememberMeManager specialization.

          To configure it, use the following configuration:

          myRememberMeManager = MyWebRememberMeManager

          securityManager.rememberMeManager = $myRememberMeManager

          Hope this helps in the meantime until there is an official fix.

          Natalie Metzger added a comment -

          Hi Les,

          any update on this? I'd like to use this feature without running into an error, and I'm supposed to go live in a little bit more than a month.

          So... no pressure

          Thanks!

          Allan Ditzel added a comment -

          Les, the attached file has a very simple web project that generates the error reported in the bug. The realm implementation will authenticate anyone just to allow the error to occur.

          Les Hazlewood added a comment -

          Moving to 1.0.0 to ensure this is resolved prior to the 1.0 release

          Natalie Metzger added a comment - - edited

          Hi all,

          as I see it, the problem is somewhat deeper. I have a web application, and my subject is a DelegatingSubject with a DefaultWebSecurityManager. Once I call the login() method on this subject, the associated RememberMeManager is unknown as DefaultSecurityManager.login() is called. Shouldn't you override login() for the DefaultWebSecurityManager to make sure that the correct RememberMeManager is set?

          Natalie

          Peter Ledbrook added a comment -
          java.lang.NullPointerException
          	at org.apache.shiro.web.attr.CookieAttribute.getCookie(CookieAttribute.java:262)
          	at org.apache.shiro.web.attr.CookieAttribute.removeValue(CookieAttribute.java:357)
          	at org.apache.shiro.web.WebRememberMeManager.forgetIdentity(WebRememberMeManager.java:320)
          	at org.apache.shiro.web.WebRememberMeManager.forgetIdentity(WebRememberMeManager.java:316)
          	at org.apache.shiro.mgt.AbstractRememberMeManager.onRememberedPrincipalFailure(AbstractRememberMeManager.java:547)
          	at org.apache.shiro.mgt.AbstractRememberMeManager.getRememberedPrincipals(AbstractRememberMeManager.java:488)
          	at org.apache.shiro.mgt.DefaultSecurityManager.getRememberedIdentity(DefaultSecurityManager.java:598)
          	at org.apache.shiro.mgt.DefaultSecurityManager.resolvePrincipals(DefaultSecurityManager.java:486)
          	at org.apache.shiro.mgt.DefaultSecurityManager.createSubject(DefaultSecurityManager.java:363)
          	at org.apache.shiro.subject.Subject$Builder.buildSubject(Subject.java:751)
          	at org.apache.shiro.SecurityUtils.getSubject(SecurityUtils.java:57)
          	at org.apache.shiro.web.servlet.ShiroHttpServletRequest.getSubject(ShiroHttpServletRequest.java:98)
          	at org.apache.shiro.web.servlet.ShiroHttpServletRequest.getSubjectPrincipal(ShiroHttpServletRequest.java:103)
          	at org.apache.shiro.web.servlet.ShiroHttpServletRequest.getUserPrincipal(ShiroHttpServletRequest.java:121)
          	at org.springframework.web.servlet.FrameworkServlet.getUsernameForRequest(FrameworkServlet.java:711)
          	at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:686)
          	at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:552)
          

          and

          java.lang.NullPointerException
          	at org.apache.shiro.web.attr.CookieAttribute.getCookie(CookieAttribute.java:262)
          	at org.apache.shiro.web.attr.CookieAttribute.removeValue(CookieAttribute.java:357)
          	at org.apache.shiro.web.WebRememberMeManager.forgetIdentity(WebRememberMeManager.java:320)
          	at org.apache.shiro.web.WebRememberMeManager.forgetIdentity(WebRememberMeManager.java:316)
          	at org.apache.shiro.mgt.AbstractRememberMeManager.onRememberedPrincipalFailure(AbstractRememberMeManager.java:547)
          	at org.apache.shiro.mgt.AbstractRememberMeManager.getRememberedPrincipals(AbstractRememberMeManager.java:488)
          	at org.apache.shiro.mgt.DefaultSecurityManager.getRememberedIdentity(DefaultSecurityManager.java:598)
          	at org.apache.shiro.mgt.DefaultSecurityManager.resolvePrincipals(DefaultSecurityManager.java:486)
          	at org.apache.shiro.mgt.DefaultSecurityManager.createSubject(DefaultSecurityManager.java:363)
          	at org.apache.shiro.mgt.DefaultSecurityManager.createSubject(DefaultSecurityManager.java:198)
          	at org.apache.shiro.mgt.DefaultSecurityManager.login(DefaultSecurityManager.java:315)
          	at org.apache.shiro.subject.DelegatingSubject.login(DelegatingSubject.java:249)
          
          Peter Ledbrook added a comment -

          I'm still seeing this in the Shiro plugin functional tests with the latest code. I have noticed three distinct paths to CookieAttribute.getCookie(), all of which relate to creating the subject:

          1. via WebSubject.Builder
          2. via Subject.Builder
          3. via DefaultSecurityManager.login()

          Only the first of these adds the request and response to the subject context, so an NPE is thrown whenever either of the latter two paths is taken.

          Chris Dutrow added a comment -

          Hey Les,

          I'll get to this as soon as I can. I'm off on Thursdays and Fridays and I work weekends, so today is going to be a little sporadic; I may or may not be able to find some time this evening though. Just wanted to give you a heads up.

          Chris

          Les Hazlewood added a comment -

          From a comment on the mailing list that appears to be related to this issue (DefaultSecurityManager#unbind was clearing the Subject from the thread - web apps apparently need this so they can continue to access the ServletRequest/Response attached to the WebSubject instance):

          "I don't fully understand this code or the possible negative repercussions of
          this fix, but this function threw a NullPointerException for me, so I made
          it so it wouldn't do that anymore by adding code for it to check if
          "request==null" before attempting to call request.getCookies();

          Is this ok? If it is, could it be added to the code base so that the next
          time I update from SVN, it doesn't write over my fix?

          private static Cookie getCookie(HttpServletRequest request, String cookieName) {
              Cookie cookies[] = null;
              // Guard added by the poster: a Subject built without a request (see the
              // stack traces above) reaches this method with request == null.
              if (request != null) {
                  cookies = request.getCookies();
              }
              // getCookies() itself returns null when the request has no Cookie header.
              if (cookies != null) {
                  for (Cookie cookie : cookies) {
                      if (cookie.getName().equals(cookieName)) {
                          return cookie;
                      }
                  }
              }
              return null;
          }
          "

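As an added example (not Shiro's code and not the mailing-list poster's), the null guard from the quoted fix written out in full and exercised against the cases this thread describes: a request carrying the cookie, a request with no Cookie header, and no request at all, which is what paths 2 and 3 in Peter Ledbrook's comment produce. NullSafeCookieLookup and the requestWithCookies stub are constructed for the demo and assume the servlet API (javax.servlet) is on the classpath.

```java
import java.lang.reflect.Proxy;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;

public final class NullSafeCookieLookup {

    // Null-guarded lookup: returns the named cookie, or null when there is no request,
    // the request carries no Cookie header (getCookies() returns null), or no name matches.
    static Cookie getCookie(HttpServletRequest request, String cookieName) {
        if (request == null || cookieName == null) {
            return null;
        }
        Cookie[] cookies = request.getCookies();
        if (cookies == null) {
            return null;
        }
        for (Cookie cookie : cookies) {
            if (cookieName.equals(cookie.getName())) {
                return cookie;
            }
        }
        return null;
    }

    // Constructed stub (hypothetical helper, not part of Shiro): a dynamic proxy that
    // answers only getCookies(); any other call is a programming error in this demo.
    static HttpServletRequest requestWithCookies(final Cookie[] cookies) {
        return (HttpServletRequest) Proxy.newProxyInstance(
                HttpServletRequest.class.getClassLoader(),
                new Class<?>[] { HttpServletRequest.class },
                (proxy, method, args) -> {
                    if ("getCookies".equals(method.getName())) {
                        return cookies;
                    }
                    throw new UnsupportedOperationException(method.getName());
                });
    }

    public static void main(String[] args) {
        Cookie rememberMe = new Cookie("rememberMe", "opaque-token"); // constructed sample value
        // Request present and carrying the cookie: found.
        Cookie found = getCookie(requestWithCookies(new Cookie[] { rememberMe }), "rememberMe");
        System.out.println("with cookie header: " + (found == null ? null : found.getValue()));
        // Request present but without a Cookie header: getCookies() is null, no NPE.
        System.out.println("no cookie header:   " + getCookie(requestWithCookies(null), "rememberMe"));
        // Subject built without a request/response pair (paths 2 and 3 above): no NPE,
        // but the cookie can be neither found nor cleared, so the caller must treat the
        // remembered identity as absent rather than assume it was forgotten on the client.
        System.out.println("no request:         " + getCookie(null, "rememberMe"));
    }
}
```

The guard only prevents the crash; the forgetIdentity() step in the stack traces above still cannot remove the remember-me cookie when no request or response is attached to the subject.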
          Les Hazlewood added a comment -

          Chris, I just committed a quick fix to this that appears to work - can you please verify? I still need to write a unit test for this before I close out the issue, but I'd like confirmation if you can try it out. Thanks!


            People

            • Assignee: Les Hazlewood
            • Reporter: Chris Dutrow
            • Votes: 2
            • Watchers: 4
