Details
Bug
Status: Closed
Major
Resolution: Fixed
1.5.7
None
JDK 1.5
Description
An empty UsernameToken causes a NullPointerException in WSS4J. The NullPointerException is explicitly thrown,
not the result of a programming error.
The only way for client code to handle this gracefully seems to be to catch the NullPointerException and match the
string 'illegal null input'. Perhaps returning an empty principal or throwing an IllegalArgumentException would be
more suitable.
Stack trace:
java.lang.NullPointerException: illegal null input
    at org.apache.ws.security.WSUsernameTokenPrincipal.<init>(WSUsernameTokenPrincipal.java:67)
    at org.apache.ws.security.WSSecurityEngine.handleUsernameToken(WSSecurityEngine.java:893)
    at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:379)
    at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:259)
    at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:212)
    ....
Example fragment:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <wsse:Security soapenv:actor="http://schemas.xmlsoap.org/soap/actor/next" soapenv:mustUnderstand="0" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <wsse:UsernameToken>
        <wsse:Username></wsse:Username>
        <wsse:Password></wsse:Password>
      </wsse:UsernameToken>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body>
    <!-- some body -->
  </soapenv:Body>
</soapenv:Envelope>
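
An added example, not part of the original report and not WSS4J code: a pre-check that a service could run on the parsed envelope before handing it to the security engine, so an empty UsernameToken is rejected with an IllegalArgumentException instead of surfacing as a NullPointerException. The class and method names (UsernameTokenGuard, check, parse) are hypothetical, it uses only JDK XML APIs, and it goes slightly beyond the reported case by also rejecting a missing or whitespace-only Username.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

// Hypothetical pre-check (not part of WSS4J): reject empty usernames before security processing.
public class UsernameTokenGuard {
    static final String WSSE_NS =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";

    /** Returns the number of UsernameTokens checked; throws if any has a missing or blank Username. */
    static int check(Document doc) {
        NodeList tokens = doc.getElementsByTagNameNS(WSSE_NS, "UsernameToken");
        for (int i = 0; i < tokens.getLength(); i++) {
            Element token = (Element) tokens.item(i);
            NodeList names = token.getElementsByTagNameNS(WSSE_NS, "Username");
            // An absent element and an empty element are treated the same way.
            String user = names.getLength() == 0 ? "" : names.item(0).getTextContent();
            if (user == null || user.trim().isEmpty()) {
                throw new IllegalArgumentException("UsernameToken #" + i + " has no username");
            }
        }
        return tokens.getLength();
    }

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true); // required for getElementsByTagNameNS
        // Untrusted input: refuse DOCTYPEs so the pre-check cannot be abused for XXE.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        byte[] bytes = xml.getBytes(StandardCharsets.UTF_8);
        return f.newDocumentBuilder().parse(new ByteArrayInputStream(bytes));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample, reduced from the fragment in the report.
        String env = "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\">"
            + "<soapenv:Header><wsse:Security xmlns:wsse=\"" + WSSE_NS + "\">"
            + "<wsse:UsernameToken><wsse:Username></wsse:Username><wsse:Password></wsse:Password>"
            + "</wsse:UsernameToken></wsse:Security></soapenv:Header><soapenv:Body/></soapenv:Envelope>";
        try {
            check(parse(env));
            System.out.println("accepted");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```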