]
Ilia Vassilev updated ELY-738:
------------------------------
Fix Version/s: 1.1.0.Beta15
Coverity static analysis: Dereference null return value in
SingleSignOnServerMechanismFactory (Elytron)
-------------------------------------------------------------------------------------------------------
Key: ELY-738
URL:
https://issues.jboss.org/browse/ELY-738
Project: WildFly Elytron
Issue Type: Bug
Reporter: Josef Cacek
Assignee: Ilia Vassilev
Labels: static_analysis
Fix For: 1.1.0.Beta15
Coverity static-analysis scan found possible call on null object in
{{SingleSignOnServerMechanismFactory.evaluateRequst()}} method:
{code}
getTargetMechanism(mechanismName,
singleSignOnSession).evaluateRequest(createHttpServerRequest(request,
singleSignOnSession));
{code}
https://scan7.coverity.com/reports.htm#v16159/p11778/fileInstanceId=57602...
The problem is the {{getTargetMechanism}} call, which just calls an
{{HttpServerAuthenticationMechanismFactory.createAuthenticationMechanism()}} method.
The {{createAuthenticationMechanism}} doesn't declare it could return null,
nevertheless, the implementations use null as fallback (e.g. look at
{{ServerMechanismFactoryImpl.createAuthenticationMechanism()}})
*Suggested improvement*
I see 2 possible solutions:
1. Declare in javadoc of
{{HttpServerAuthenticationMechanismFactory.createAuthenticationMechanism()}} method, that
it can return null and add the null-check into the
{{SingleSignOnServerMechanismFactory.evaluateRequst()}} method
2. or throw an exception from
{{HttpServerAuthenticationMechanismFactory.createAuthenticationMechanism()}}
implementations instead of returning null