[jbossws-issues] [JBoss JIRA] Updated: (JBWS-2820) NPE when user has insufficient permissions to call a webservice method

Richard Opalka (JIRA) jira-events at lists.jboss.org
Wed Dec 16 04:47:30 EST 2009


     [ https://jira.jboss.org/jira/browse/JBWS-2820?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Richard Opalka updated JBWS-2820:
---------------------------------

    Summary: NPE when user has insufficient permissions to call a webservice method  (was: NullPointer Exception in Metro Stack when user has insufficient permissions to call a webservice method)


> NPE when user has insufficient permissions to call a webservice method
> ----------------------------------------------------------------------
>
>                 Key: JBWS-2820
>                 URL: https://jira.jboss.org/jira/browse/JBWS-2820
>             Project: JBoss Web Services
>          Issue Type: Bug
>      Security Level: Public(Everyone can see) 
>          Components: jbossws-metro
>    Affects Versions:  jbossws-metro-3.1.1
>         Environment: Windows Vista
> JBoss 4.2.3.GA
> JBossWS Metro 3.1.1
>            Reporter: Andreas Wuest
>            Assignee: Jim Ma
>             Fix For:  jbossws-metro-3.2.2
>
>         Attachments: InvokerEJB3.java.new.patch, InvokerEJB3.java.patch, InvokerEJB3Test.java
>
>
> Hello,
> we have a webservice that is protected via a custom LoginModule. To protect the individual methods
> we use the annotation @RolesAllowed. Now if we call a webservice for which a user has insufficient
> privileges we get the following exception:
> 18:07:42,608 ERROR [http-127.0.0.1-9080-1] [RoleBasedAuthorizationInterceptor] Insufficient permissions, principal=blubb, requiredRoles=[someRole], principalRoles=[nochwas, rechnungsempfaengerLesen]
> 07:54:33,863 ERROR [http-127.0.0.1-9080-1] [EndpointMethodHandler]
> java.lang.NullPointerException
>         at org.jboss.wsf.stack.metro.InvokerEJB3.handleException(InvokerEJB3.java:127)
>         at org.jboss.wsf.stack.metro.InvokerEJB3.invoke(InvokerEJB3.java:106)
>         at com.sun.xml.ws.server.InvokerTube$2.invoke(InvokerTube.java:146)
>         at com.sun.xml.ws.server.sei.EndpointMethodHandler.invoke(EndpointMethodHandler.java:257)
>         at com.sun.xml.ws.server.sei.SEIInvokerTube.processRequest(SEIInvokerTube.java:93)
>         at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:598)
>         at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:557)
>         at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:542)
>         at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:439)
>         at com.sun.xml.ws.api.pipe.helper.AbstractTubeImpl.process(AbstractTubeImpl.java:112)
>         at org.jboss.wsf.stack.metro.log.DumpPipe.process(DumpPipe.java:94)
>         at com.sun.xml.ws.api.pipe.helper.PipeAdapter.processRequest(PipeAdapter.java:115)
>         at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:598)
>         at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:557)
>         at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:542)
>         at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:439)
>         at com.sun.xml.ws.server.WSEndpointImpl$2.process(WSEndpointImpl.java:243)
>         at com.sun.xml.ws.transport.http.HttpAdapter$HttpToolkit.handle(HttpAdapter.java:444)
>         at com.sun.xml.ws.transport.http.HttpAdapter.handle(HttpAdapter.java:244)
>         at com.sun.xml.ws.transport.http.servlet.ServletAdapter.handle(ServletAdapter.java:135)
>         at org.jboss.wsf.stack.metro.RequestHandlerImpl.doPost(RequestHandlerImpl.java:225)
>         at org.jboss.wsf.stack.metro.RequestHandlerImpl.handleHttpRequest(RequestHandlerImpl.java:82)
>         at org.jboss.wsf.common.servlet.AbstractEndpointServlet.service(AbstractEndpointServlet.java:85)
>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>         at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>         at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230)
>         at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
>         at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:182)
>         at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
>         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
>         at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>         at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
>         at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>         at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262)
>         at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
>         at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
>         at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446)
>         at java.lang.Thread.run(Unknown Source)
> I have debugged the problem, and the problem is the following:
> The problem is the following method in the InvokerEJB3 class of the jbossws metro stack:
>    private void handleException(Exception ex)
>    throws InvocationTargetException, IllegalAccessException
>    {
>       //Unwrap EJBException
>       if (ex instanceof EJBException)
>          ex = ((EJBException)ex).getCausedByException();
>        
>         .....
>    }
> The ex variable that gets passed into the method is a 
> javax.ejb.EJBAccessException (with the message  "Authorization failure").
> The problem is that  the expression
> >  ((EJBException)ex).getCausedByException()
> returns null for the exception, because it does not have a causeException!
> Later in the method the call
> > if (ex.getClass().isAnnotationPresent(WebFault.class))
> results in a NullPointerException, because ex is null (because there was no root cause).
> At the moment the method always expects a cause Exception if the
> exception passed to the method is an EJBException!
> cheers,
> andy
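
The failure described in the report, reproduced next to a null-safe unwrap, as an added example that is not part of the original message and is not the attached InvokerEJB3 patch. The nested `EJBException`, `EJBAccessException` and `WebFault` types are stand-ins for the `javax.ejb` and `javax.xml.ws` ones so the demo compiles without the Java EE jars; `UnwrapDemo`, `unwrapAsReported`, `unwrapNullSafe` and `describe` are hypothetical names.

```java
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
public class UnwrapDemo {
    // Stand-ins (assumptions) mirroring javax.ejb.EJBException,
    // javax.ejb.EJBAccessException and javax.xml.ws.WebFault.
    static class EJBException extends RuntimeException {
        private final Exception causedBy;
        EJBException(String msg) { super(msg); this.causedBy = null; }
        EJBException(Exception cause) { super(cause); this.causedBy = cause; }
        Exception getCausedByException() { return causedBy; }
    }
    static class EJBAccessException extends EJBException {
        EJBAccessException(String msg) { super(msg); }
    }
    @Retention(RetentionPolicy.RUNTIME) @interface WebFault {}

    // Unwrapping as quoted in the report: a cause-less EJBException becomes null.
    static Exception unwrapAsReported(Exception ex) {
        if (ex instanceof EJBException)
            ex = ((EJBException) ex).getCausedByException();
        return ex;
    }

    // Null-safe variant: keep the original exception when it carries no cause.
    static Exception unwrapNullSafe(Exception ex) {
        if (ex instanceof EJBException) {
            Exception cause = ((EJBException) ex).getCausedByException();
            if (cause != null) ex = cause;
        }
        return ex;
    }

    static String describe(Exception ex) {
        // Same check as in the report: ex.getClass() throws an NPE when ex is null.
        boolean fault = ex.getClass().isAnnotationPresent(WebFault.class);
        return ex.getClass().getSimpleName() + ": " + ex.getMessage() + " (WebFault=" + fault + ")";
    }

    public static void main(String[] args) {
        Exception denied = new EJBAccessException("Authorization failure");
        System.out.println(describe(unwrapNullSafe(denied)));
        System.out.println(describe(unwrapNullSafe(new EJBException(new IllegalStateException("boom")))));
        try {
            describe(unwrapAsReported(denied));
        } catch (NullPointerException npe) {
            System.out.println("as reported: NullPointerException replaces the authorization failure");
        }
    }
}
```

With the null-safe variant the `EJBAccessException` itself reaches the rest of the handler, so the authorization failure is what gets processed and logged rather than an unrelated NullPointerException.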
