geronimo-dev mailing list archives

From "Tom McQueeney (JIRA)" <...@geronimo.apache.org>
Subject [jira] Updated: (GERONIMO-646) Servlet calling HttpServletRequest.isUserInRole(null) causes NPE using Jetty container
Date Thu, 12 May 2005 19:31:05 GMT
     [ http://issues.apache.org/jira/browse/GERONIMO-646?page=all ]

Tom McQueeney updated GERONIMO-646:
-----------------------------------

    Attachment: JAASJettyRealm-patch.txt
                WebRoleRefPermission-patch.txt
                WebRoleRefPermissionTest-patch.txt

Patches for my proposed solution. Patches are for the JAASJettyRealm.isUserInRole, WebRoleRefPermission
constructor to test for illegal role argument (also added javadocs to this class to describe
its spec requirements), and WebRoleRefPermissionTest to test the change to the WebRoleRefPermission.

> Servlet calling HttpServletRequest.isUserInRole(null) causes NPE using Jetty container
> --------------------------------------------------------------------------------------
>
>          Key: GERONIMO-646
>          URL: http://issues.apache.org/jira/browse/GERONIMO-646
>      Project: Geronimo
>         Type: Bug
>   Components: web
>     Versions: 1.0-M4
>  Environment: All
>     Reporter: Tom McQueeney
>     Priority: Minor
>  Attachments: JAASJettyRealm-patch.txt, WebRoleRefPermission-patch.txt, WebRoleRefPermissionTest-patch.txt
>
> The servlet isUserInRole call eventually gets delegated to
> org.apache.geronimo.jetty.JAASJettyRealm.isUserInRole, which causes a NPE in 
> javax.security.jacc.WebRoleRefPermission.hashCode().
> JAASJettyRealm.isUserInRole creates a WebRoleRefPermission, passing it the 
> null role that it was passed, then delegates the role check to 
> java.security.AccessControlContext.checkPermission, passing it the WebRoleRefPermission.
> When the web role ref permission gets checked, eventually its hashcode method is called,
> which tries to compute the hash by getting the hashcode of the (null) role name,
> which throws the NPE.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira
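
Added example, not part of the original message or the attached patches: a self-contained Java sketch of the failure path described in the issue, next to a role check that denies a null role before any permission object is built. The class and method names (UncheckedRoleRef, isUserInRoleGuarded, the GRANTED set) are hypothetical stand-ins, and returning false for a null or empty role is an assumption about the fix, not the content of the patches.

```java
import java.util.HashSet;
import java.util.Objects;
import java.util.Set;

// Added illustration; stand-in classes, not Geronimo's or the JACC API's source.
public class RoleRefNullCheckDemo {

    // Stand-in for a role-ref permission as the issue describes it:
    // hashCode() dereferences the role name without a null check.
    static class UncheckedRoleRef {
        final String servlet, role;
        UncheckedRoleRef(String servlet, String role) { this.servlet = servlet; this.role = role; }
        @Override public boolean equals(Object o) {
            return o instanceof UncheckedRoleRef
                && servlet.equals(((UncheckedRoleRef) o).servlet)
                && Objects.equals(role, ((UncheckedRoleRef) o).role);
        }
        // Throws NullPointerException when role == null.
        @Override public int hashCode() { return servlet.hashCode() ^ role.hashCode(); }
    }

    // Constructed policy: the role refs granted to the current caller.
    static final Set<UncheckedRoleRef> GRANTED = new HashSet<>();
    static { GRANTED.add(new UncheckedRoleRef("OrderServlet", "manager")); }

    // Behaviour from the report: the null role flows into the permission lookup,
    // and the hash-based lookup calls hashCode() on it.
    static boolean isUserInRoleUnguarded(String servlet, String role) {
        return GRANTED.contains(new UncheckedRoleRef(servlet, role));
    }

    // Assumed guard: a null or empty role can never be granted, so deny (fail closed)
    // instead of letting an exception escape the authorization check.
    static boolean isUserInRoleGuarded(String servlet, String role) {
        if (role == null || role.isEmpty()) return false;
        return GRANTED.contains(new UncheckedRoleRef(servlet, role));
    }

    public static void main(String[] args) {
        try {
            isUserInRoleUnguarded("OrderServlet", null);
        } catch (NullPointerException e) {
            System.out.println("unguarded(null): NullPointerException from hashCode()");
        }
        System.out.println("guarded(null):    " + isUserInRoleGuarded("OrderServlet", null));
        System.out.println("guarded(manager): " + isUserInRoleGuarded("OrderServlet", "manager"));
        System.out.println("guarded(admin):   " + isUserInRoleGuarded("OrderServlet", "admin"));
    }
}
```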

