geronimo-dev mailing list archives

From "Jeff Genender (JIRA)" <...@geronimo.apache.org>
Subject [jira] Commented: (GERONIMO-646) Servlet calling HttpServletRequest.isUserInRole(null) causes NPE using Jetty container
Date Fri, 27 May 2005 06:41:51 GMT
     [ http://issues.apache.org/jira/browse/GERONIMO-646?page=comments#action_66426 ]
     
Jeff Genender commented on GERONIMO-646:
----------------------------------------

For the JAASJettyRealm, I altered your patches slightly.  I changed the isUserInRole to test
if the user or role is null and return false if so.  Tomcat handles it this way.  Thanks for
the heads up on this.

The empty String for a role should be caught by the checkPermission() call right afterwards.

Relative to the WebRoleRefPermission, the JavaDoc/spec makes no mention of an IllegalArgumentException
that should be thrown.  Although an IllegalArgumentException is a RuntimeException, so it's
not required to be documented as thrown... Sun is pretty good at describing when an IllegalArgumentException
should be thrown.

What I am getting at here is the WebRoleRefPermission is a Sun spec class and I would want
to get adc and/or David Jencks' input on this before I would consider implementing this change.
In the meantime, the above patch for the JAASJettyRealm should prevent this from getting
called in any case, since a null role would never make it to the WebRoleRefPermission.

> Servlet calling HttpServletRequest.isUserInRole(null) causes NPE using Jetty container
> --------------------------------------------------------------------------------------
>
>          Key: GERONIMO-646
>          URL: http://issues.apache.org/jira/browse/GERONIMO-646
>      Project: Geronimo
>         Type: Bug
>   Components: web
>     Versions: 1.0-M4
>  Environment: All
>     Reporter: Tom McQueeney
>     Priority: Minor
>  Attachments: JAASJettyRealm-patch.txt, WebRoleRefPermission-patch.txt, WebRoleRefPermissionTest-patch.txt
>
> The servlet isUserInRole call eventually gets delegated to
> org.apache.geronimo.jetty.JAASJettyRealm.isUserInRole, which causes an NPE in
> javax.security.jacc.WebRoleRefPermission.hashCode().
> JAASJettyRealm.isUserInRole creates a WebRoleRefPermission, passing it the 
> null role that it was passed, then delegates the role check to 
> java.security.AccessControlContext.checkPermission, passing it the WebRoleRefPermission.
> When the web role ref permission gets checked, eventually its hashCode() method is called,
> which tries to compute the hash by getting the hashCode() of the (null) role name,
> which throws the NPE.
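The failure mode above and the fix described in the comment, as an added, self-contained sketch that is not Geronimo's JAASJettyRealm or the JACC WebRoleRefPermission class. `RoleRefPermission`, `Realm` and the granted-permission set are hypothetical stand-ins: the permission hashes on its role name just as the issue describes, and the set lookup plays the part of AccessControlContext.checkPermission().

```java
import java.security.Principal;
import java.util.Set;

// Hypothetical stand-in for javax.security.jacc.WebRoleRefPermission (constructed for this
// example). As the issue describes for the real class, hashCode() is derived from the role
// name, so a null role throws NullPointerException the moment the permission is hashed.
final class RoleRefPermission {
    final String servletName;
    final String role;
    RoleRefPermission(String servletName, String role) { this.servletName = servletName; this.role = role; }
    @Override public int hashCode() { return servletName.hashCode() * 31 + role.hashCode(); }
    @Override public boolean equals(Object o) {
        if (!(o instanceof RoleRefPermission)) return false;
        RoleRefPermission p = (RoleRefPermission) o;
        return servletName.equals(p.servletName) && role.equals(p.role);
    }
}

// Hypothetical realm, not Geronimo's. The granted set stands in for the permission check.
final class Realm {
    private final Set<RoleRefPermission> granted;
    Realm(Set<RoleRefPermission> granted) { this.granted = granted; }

    // Before the fix: the null role reaches the permission, contains() hashes it, NPE escapes.
    boolean isUserInRoleUnguarded(Principal user, String servlet, String role) {
        return granted.contains(new RoleRefPermission(servlet, role));
    }

    // After the fix from the comment: no user or no role means "not in role". The
    // authorization check fails closed (false) rather than failing with an exception.
    boolean isUserInRole(Principal user, String servlet, String role) {
        if (user == null || role == null) {
            return false;
        }
        // An empty role name is a valid permission object that is simply never granted,
        // so the permission check itself rejects it, as the comment notes.
        return granted.contains(new RoleRefPermission(servlet, role));
    }
}

public class IsUserInRoleDemo {
    public static void main(String[] args) {
        Realm realm = new Realm(Set.of(new RoleRefPermission("ReportServlet", "admin")));
        Principal alice = () -> "alice";
        System.out.println("admin: " + realm.isUserInRole(alice, "ReportServlet", "admin"));
        System.out.println("empty: " + realm.isUserInRole(alice, "ReportServlet", ""));
        System.out.println("null:  " + realm.isUserInRole(alice, "ReportServlet", null));
        try {
            realm.isUserInRoleUnguarded(alice, "ReportServlet", null);
        } catch (NullPointerException e) {
            System.out.println("unguarded call: NPE raised from hashCode()");
        }
    }
}
```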


