[
https://jira.jboss.org/jira/browse/JBWS-2820?page=com.atlassian.jira.plug...
]
Andreas Wuest updated JBWS-2820:
--------------------------------
Attachment: InvokerEJB3Test.java
Testcase for the patch. Notice that i had to change the visibility of the handleException
method
from private to protected so i could write a testcase. if you do not need the testcase
(because i could
not find any testcases in the project), just revert the change of visibility.
this patch should fix the problem. however i could not test it in the integration
environment, because
i could not create a new distribution from the sources :-(
NullPointer Exception in Metro Stack when user has insufficent
permissions to call a webservice method
------------------------------------------------------------------------------------------------------
Key: JBWS-2820
URL:
https://jira.jboss.org/jira/browse/JBWS-2820
Project: JBoss Web Services
Issue Type: Bug
Security Level: Public(Everyone can see)
Components: jbossws-metro
Affects Versions: jbossws-metro-3.1.1
Environment: Windows Vista
JBoss 4.2.3.GA
JBossWS Metro 3.1.1
Reporter: Andreas Wuest
Fix For: jbossws-metro-3.3
Attachments: InvokerEJB3.java.patch, InvokerEJB3Test.java
Hello,
we have a webservice that is protected via a custom LoginModule. To protect the
individual Methods
we use the annotation @RolesAllowed. Now if we call a webservice for which a user has
insufficient
privileges we get the following exception
18:07:42,608 ERROR [http-127.0.0.1-9080-1] [RoleBasedAuthorizationInterceptor]
Insufficient permissions, principal=blubb, requiredRoles=[someRole], principalRol
es=[nochwas, rechnungsempfaengerLesen]
07:54:33,863 ERROR [http-127.0.0.1-9080-1] [EndpointMethodHandler]
java.lang.NullPointerException
at org.jboss.wsf.stack.metro.InvokerEJB3.handleException(InvokerEJB3.java:127)
at org.jboss.wsf.stack.metro.InvokerEJB3.invoke(InvokerEJB3.java:106)
at com.sun.xml.ws.server.InvokerTube$2.invoke(InvokerTube.java:146)
at
com.sun.xml.ws.server.sei.EndpointMethodHandler.invoke(EndpointMethodHandler.java:257)
at
com.sun.xml.ws.server.sei.SEIInvokerTube.processRequest(SEIInvokerTube.java:93)
at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:598)
at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:557)
at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:542)
at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:439)
at
com.sun.xml.ws.api.pipe.helper.AbstractTubeImpl.process(AbstractTubeImpl.java:112)
at org.jboss.wsf.stack.metro.log.DumpPipe.process(DumpPipe.java:94)
at
com.sun.xml.ws.api.pipe.helper.PipeAdapter.processRequest(PipeAdapter.java:115)
at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:598)
at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:557)
at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:542)
at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:439)
at com.sun.xml.ws.server.WSEndpointImpl$2.process(WSEndpointImpl.java:243)
at
com.sun.xml.ws.transport.http.HttpAdapter$HttpToolkit.handle(HttpAdapter.java:444)
at com.sun.xml.ws.transport.http.HttpAdapter.handle(HttpAdapter.java:244)
at
com.sun.xml.ws.transport.http.servlet.ServletAdapter.handle(ServletAdapter.java:135)
at
org.jboss.wsf.stack.metro.RequestHandlerImpl.doPost(RequestHandlerImpl.java:225)
at
org.jboss.wsf.stack.metro.RequestHandlerImpl.handleHttpRequest(RequestHandlerImpl.java:82)
at
org.jboss.wsf.common.servlet.AbstractEndpointServlet.service(AbstractEndpointServlet.java:85)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at
org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230)
at
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
at
org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:182)
at
org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at
org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
at
org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446)
at java.lang.Thread.run(Unknown Source)
I have debugged the problem and the problems is the following:
The problem is the following method in the InvokerEJB3 class of the jbossws metro stack:
private void handleException(Exception ex)
throws InvocationTargetException, IllegalAccessException
{
//Unwrap EJBException
if (ex instanceof EJBException)
ex = ((EJBException)ex).getCausedByException();
.....
}
The ex variable that gets passed into the method is a
javax.ejb.EJBAccessException (with the message "Authorization failure").
The problem is that the expression
> ((EJBException)ex).getCausedByException()
returns null for the exception, becuase it does not have a causeException!
later in the method the call
> if (ex.getClass().isAnnotationPresent(WebFault.class))
results in a nullpointer exception, because ex is null (because there was no root
cause).
At the moment the method always expects a cause Exception if the
exception passed to the method is a EJBException!
cheers,
andy
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
http://www.atlassian.com/software/jira