[jbossws-issues] [JBoss JIRA] Commented: (JBWS-2820) NullPointer Exception in Metro Stack when user has insufficent permissions to call a webservice method

NullPointer Exception in Metro Stack when user has insufficent permissions to call a webservice method ------------------------------------------------------------------------------------------------------ Key: JBWS-2820 URL: https://jira.jboss.org/jira/browse/JBWS-2820 Project: JBoss Web Services Issue Type: Bug Security Level: Public(Everyone can see) Components: jbossws-metro Affects Versions: jbossws-metro-3.1.1 Environment: Windows Vista JBoss 4.2.3.GA JBossWS Metro 3.1.1 Reporter: KickMeToAndy Fix For: jbossws-metro-3.3 Hello, we have a webservice that is protected via a custom LoginModule. To protect the individual Methods we use the annotation @RolesAllowed. Now if we call a webservice for which a user has insufficient privileges we get the following exception 18:07:42,608 ERROR [http-127.0.0.1-9080-1] [RoleBasedAuthorizationInterceptor] Insufficient permissions, principal=blubb, requiredRoles=[someRole], principalRol es=[nochwas, rechnungsempfaengerLesen] 07:54:33,863 ERROR [http-127.0.0.1-9080-1] [EndpointMethodHandler] java.lang.NullPointerException at org.jboss.wsf.stack.metro.InvokerEJB3.handleException(InvokerEJB3.java:127) at org.jboss.wsf.stack.metro.InvokerEJB3.invoke(InvokerEJB3.java:106) at com.sun.xml.ws.server.InvokerTube$2.invoke(InvokerTube.java:146) at com.sun.xml.ws.server.sei.EndpointMethodHandler.invoke(EndpointMethodHandler.java:257) at com.sun.xml.ws.server.sei.SEIInvokerTube.processRequest(SEIInvokerTube.java:93) at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:598) at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:557) at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:542) at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:439) at com.sun.xml.ws.api.pipe.helper.AbstractTubeImpl.process(AbstractTubeImpl.java:112) at org.jboss.wsf.stack.metro.log.DumpPipe.process(DumpPipe.java:94) at com.sun.xml.ws.api.pipe.helper.PipeAdapter.processRequest(PipeAdapter.java:115) at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:598) at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:557) at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:542) at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:439) at com.sun.xml.ws.server.WSEndpointImpl$2.process(WSEndpointImpl.java:243) at com.sun.xml.ws.transport.http.HttpAdapter$HttpToolkit.handle(HttpAdapter.java:444) at com.sun.xml.ws.transport.http.HttpAdapter.handle(HttpAdapter.java:244) at com.sun.xml.ws.transport.http.servlet.ServletAdapter.handle(ServletAdapter.java:135) at org.jboss.wsf.stack.metro.RequestHandlerImpl.doPost(RequestHandlerImpl.java:225) at org.jboss.wsf.stack.metro.RequestHandlerImpl.handleHttpRequest(RequestHandlerImpl.java:82) at org.jboss.wsf.common.servlet.AbstractEndpointServlet.service(AbstractEndpointServlet.java:85) at javax.servlet.http.HttpServlet.service(HttpServlet.java:803) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175) at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:182) at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262) at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844) at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583) at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446) at java.lang.Thread.run(Unknown Source) I have debugged the problem and the problems is the following: The problem is the following method in the InvokerEJB3 class of the jbossws metro stack: private void handleException(Exception ex) throws InvocationTargetException, IllegalAccessException { //Unwrap EJBException if (ex instanceof EJBException) ex = ((EJBException)ex).getCausedByException(); ..... } The ex variable that gets passed into the method is a javax.ejb.EJBAccessException (with the message "Authorization failure"). The problem is that the expression > ((EJBException)ex).getCausedByException() returns null for the exception, becuase it does not have a causeException! later in the method the call > if (ex.getClass().isAnnotationPresent(WebFault.class)) results in a nullpointer exception, because ex is null (because there was no root cause). At the moment the method always expects a cause Exception if the exception passed to the method is a EJBException! cheers, andy