Stefan Guilhen created SECURITY-642:
---------------------------------------
Summary: UsernamePasswordLM causes NPE in SecurityVaultUtil when user provides wrong username
Key: SECURITY-642
URL: https://issues.jboss.org/browse/SECURITY-642
Project: PicketBox (JBoss Security and Identity Management)
Issue Type: Bug
Security Level: Public (Everyone can see)
Affects Versions: PicketBox_v4_0_6.Beta2
Reporter: Stefan Guilhen
Assignee: Anil Saldhana
Fix For: PicketBox_v4_0_6
The application is protected by a security domain that uses the UsersRolesLoginModule. If the
user attempts a login with the right username and wrong password, the login fails and the
message in the AS7 logs displays the correct reason for the auth failure. However, if the user
supplies a username that has not been added to the users.properties file, the login fails
and the AS7 logs display an NPE instead of the correct reason message:
15:33:37,622 ERROR [org.jboss.security.authentication.JBossCachedAuthenticationManager] (http--127.0.0.1-8080-1) Login failure: javax.security.auth.login.LoginException: java.lang.NullPointerException
    at org.jboss.security.vault.SecurityVaultUtil.isVaultFormat(SecurityVaultUtil.java:59)
    at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:250)
    at org.jboss.security.auth.spi.UsersRolesLoginModule.login(UsersRolesLoginModule.java:155)
The relevant code in UsernamePasswordLoginModule is this:
    String expectedPassword = getUsersPassword();
    //Check if the password is vaultified
    if(SecurityVaultUtil.isVaultFormat(expectedPassword))
    {
        try
        {
            expectedPassword = SecurityVaultUtil.getValueAsString(expectedPassword);
        }
        catch (SecurityVaultException e)
        {
            LoginException le = new LoginException(ErrorCodes.PROCESSING_FAILED +
                "Unable to get the password value from vault");
            le.initCause(e);
            throw le;
        }
    }
The problem occurs because getUsersPassword() returns null, since the properties file
doesn't have a property that matches the supplied username. We need to verify whether
expectedPassword is null before calling the vault util, or change the vault util method to
check for a null param.
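The following Java sketch is an added example, not PicketBox source and not the reporter's code. It reproduces the failure path described above with a stand-in for the vault-format check, then shows both fixes the report proposes: a null check on the expected password before the vault lookup, and a null-tolerant vault util. The names prefixed with "toy", the assumption that a vaultified password is a reference starting with "VAULT::", the constructed user and vault maps, and the error message text are all assumptions made here, not taken from the project.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.login.LoginException;

/**
 * Added illustration of SECURITY-642, not PicketBox code. Everything prefixed
 * with "toy" is a stand-in constructed for this example.
 */
public class VaultNullCheckExample {

    // Assumption: a vaultified password is a reference beginning with this prefix.
    private static final String VAULT_PREFIX = "VAULT::";

    // Constructed message; used for both "unknown user" and "wrong password" so the
    // failure returned to the caller does not reveal which usernames exist.
    private static final String INVALID_CREDENTIALS = "Invalid credentials";

    // Constructed stand-in for users.properties (username -> expected password).
    private static final Map<String, String> TOY_USERS = new HashMap<>();
    // Constructed stand-in for the vault store (reference -> clear-text value).
    private static final Map<String, String> TOY_VAULT = new HashMap<>();
    static {
        TOY_USERS.put("alice", "plain-secret");
        TOY_USERS.put("bob", "VAULT::block::bob.pw::1");
        TOY_VAULT.put("VAULT::block::bob.pw::1", "bobs-real-secret");
    }

    /** Stand-in for getUsersPassword(): null when the user is not in the file. */
    static String toyGetUsersPassword(String username) {
        return TOY_USERS.get(username);
    }

    /** Shape of the failing check: dereferences its argument unconditionally. */
    static boolean toyIsVaultFormatUnsafe(String value) {
        return value.startsWith(VAULT_PREFIX); // NullPointerException when value == null
    }

    /** Second fix from the report: the vault util itself tolerates a null parameter. */
    static boolean toyIsVaultFormat(String value) {
        return value != null && value.startsWith(VAULT_PREFIX);
    }

    /** Stand-in for SecurityVaultUtil.getValueAsString. */
    static String toyGetValueAsString(String ref) throws LoginException {
        String v = TOY_VAULT.get(ref);
        if (v == null) {
            throw new LoginException("Unable to get the password value from vault");
        }
        return v;
    }

    /**
     * First fix from the report: reject a null expected password before the vault
     * check, so an unknown user fails with a LoginException rather than an NPE.
     */
    static String resolveExpectedPassword(String username) throws LoginException {
        String expectedPassword = toyGetUsersPassword(username);
        if (expectedPassword == null) {
            throw new LoginException(INVALID_CREDENTIALS);
        }
        if (toyIsVaultFormat(expectedPassword)) {
            expectedPassword = toyGetValueAsString(expectedPassword);
        }
        return expectedPassword;
    }

    /** Compares the resolved expected password with the supplied one. */
    static boolean login(String username, String password) throws LoginException {
        String expected = resolveExpectedPassword(username);
        // MessageDigest.isEqual is a constant-time comparison for equal-length inputs.
        boolean match = MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                password.getBytes(StandardCharsets.UTF_8));
        if (!match) {
            throw new LoginException(INVALID_CREDENTIALS);
        }
        return true;
    }

    public static void main(String[] args) {
        // 1. The reported failure: an unknown user reaches the unsafe check with null.
        try {
            toyIsVaultFormatUnsafe(toyGetUsersPassword("mallory"));
        } catch (NullPointerException e) {
            System.out.println("unsafe check on unknown user: NullPointerException");
        }
        // 2. With the fixes applied, unknown user and wrong password fail the same way.
        String[][] attempts = {
            {"alice", "plain-secret"}, {"bob", "bobs-real-secret"},
            {"alice", "wrong"}, {"mallory", "anything"}};
        for (String[] a : attempts) {
            try {
                System.out.println(a[0] + ": " + login(a[0], a[1]));
            } catch (LoginException e) {
                System.out.println(a[0] + ": LoginException: " + e.getMessage());
            }
        }
    }
}
```

Applying both fixes is the safest choice: the null check in the login module keeps the vault lookup out of the failure path entirely, while the null-tolerant util protects any other caller that may pass an unset property. Whatever detail the server log records for the two cases, the exception surfaced to the client should be identical for an unknown user and a wrong password, otherwise the login endpoint becomes a username oracle.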