geronimo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Tom McQueeney (JIRA)" <...@geronimo.apache.org>
Subject [jira] Commented: (GERONIMO-646) Servlet calling HttpServletRequest.isUserInRole(null) causes NPE using Jetty container
Date Thu, 12 May 2005 19:20:04 GMT
     [ http://issues.apache.org/jira/browse/GERONIMO-646?page=comments#action_65172 ]
     
Tom McQueeney commented on GERONIMO-646:
----------------------------------------

I think the solution involves changing JAASJettyRealm, not the Jetty implementation.
The org.mortbay.http.HttpRequest.isUserInRole method just delegates the check to 
a UserRealm, which in this case is the JAASJettyRealm.

Proposed solution:

(1) Change WebRoleRefPermission constructor to throw an IllegalArgumentException
if the role name is null or empty. JSR 115 prohibits role from being null
or empty, so we can enforce this in the constructor.
    
(2) Change JAASJettyRealm.isUserInRole to check for invalid role names, and return false if
so.
JACC 4.1.3 implies that isUserInRole(null) should return false.
It says isUserInRole must return true if the WebRoleRefPermission 
has been granted to the caller, "[o]therwise, the return value must be false."
Better to check for invalid roles rather than catching new exception.


> Servlet calling HttpServletRequest.isUserInRole(null) causes NPE using Jetty container
> --------------------------------------------------------------------------------------
>
>          Key: GERONIMO-646
>          URL: http://issues.apache.org/jira/browse/GERONIMO-646
>      Project: Geronimo
>         Type: Bug
>   Components: web
>     Versions: 1.0-M4
>  Environment: All
>     Reporter: Tom McQueeney
>     Priority: Minor

>
> The servlet isUserInRole call eventually gets delegated to
> org.apache.geronimo.jetty.JAASJettyRealm.isUserInRole, which causes a NPE in 
> javax.security.jacc.WebRoleRefPermission.hashCode().
> JAASJettyRealm.isUserInRole creates a WebRoleRefPermission, passing it the 
> null role that it was passed, then delegates the role check to 
> java.security.AccessControlContext.checkPermission, passing it the WebRoleRefPermission.
> When the web role ref permission gets checked, eventually its hashcode method is called,
> which tries to compute the hash by getting the hashcode of the (null) role name,
> which throws the NPE.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira


Mime
View raw message