JASPIAuthenticationMechanism#authenticate doesn't check if AuthenticatedSession is null
---------------------------------------------------------------------------------------
Key: WFLY-3518
URL: https://issues.jboss.org/browse/WFLY-3518
Project: WildFly
Issue Type: Bug
Components: Security
Affects Versions: 8.1.0.Final
Reporter: arjan tijms
Assignee: Stuart Douglas
Labels: jaspic
Fix For: 9.0.0.CR2, 10.0.0.Alpha1
In
{{org.wildfly.extension.undertow.security.jaspi.JASPIAuthenticationMechanism#authenticate}}
the variable {{authSession}} in the fragment below is frequently null, leading to null
pointer exceptions:
{code}
if (sessionManager != null) {
    AuthenticatedSessionManager.AuthenticatedSession authSession = sessionManager.lookupSession(exchange);
    cachedAccount = authSession.getAccount(); // NPE HAPPENS HERE
    // if there is a cached account we set it in the security context so that the principal is available to
    // SAM modules via request.getUserPrincipal().
    if (cachedAccount != null) {
        jaspicSecurityContext.setCachedAuthenticatedAccount(cachedAccount);
    }
}
{code}
At another place in Undertow where {{AuthenticatedSession}} is used, there's an extra
null check (See
{{io.undertow.security.impl.CachedAuthenticatedSessionMechanism#runCached}}).
I patched the code locally to add an extra null check:
{code}
if (sessionManager != null) {
    AuthenticatedSessionManager.AuthenticatedSession authSession = sessionManager.lookupSession(exchange);
    cachedAccount = authSession == null ? null : authSession.getAccount();
    // if there is a cached account we set it in the security context so that the principal is available to
    // SAM modules via request.getUserPrincipal().
    if (cachedAccount != null) {
        jaspicSecurityContext.setCachedAuthenticatedAccount(cachedAccount);
    }
}
{code}
After a short amount of testing everything seems to be okay with that extra check.