[jboss-jira] [JBoss JIRA] (SECURITY-642) UsernamePasswordLM causes NPE in SecurityVaultUtil when user provides wrong username

Stefan Guilhen (JIRA) jira-events at lists.jboss.org
Wed Jan 18 12:58:18 EST 2012


Stefan Guilhen created SECURITY-642:
---------------------------------------

             Summary: UsernamePasswordLM causes NPE in SecurityVaultUtil when user provides wrong username
                 Key: SECURITY-642
                 URL: https://issues.jboss.org/browse/SECURITY-642
             Project: PicketBox (JBoss Security and Identity Management)
          Issue Type: Bug
      Security Level: Public (Everyone can see)
    Affects Versions: PicketBox_v4_0_6.Beta2
            Reporter: Stefan Guilhen
            Assignee: Anil Saldhana
             Fix For: PicketBox_v4_0_6


The application is protected by a security domain that uses the UsersRolesLoginModule. If the user attempts a login with the right username and wrong password, the login fails and the message in the AS7 logs displays the correct reason for the authentication failure. However, if the user supplies a username that has not been added to the users.properties file, the login fails and the AS7 logs display an NPE instead of the correct reason message:

15:33:37,622 ERROR [org.jboss.security.authentication.JBossCachedAuthenticationManager] (http--127.0.0.1-8080-1) Login failure: javax.security.auth.login.LoginException: java.lang.NullPointerException
	at org.jboss.security.vault.SecurityVaultUtil.isVaultFormat(SecurityVaultUtil.java:59)
	at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:250)
	at org.jboss.security.auth.spi.UsersRolesLoginModule.login(UsersRolesLoginModule.java:155)


The relevant code in UsernamePasswordLoginModule is this:

    String expectedPassword = getUsersPassword();
    // Check if the password is vaultified
    if (SecurityVaultUtil.isVaultFormat(expectedPassword))
    {
        try
        {
            expectedPassword = SecurityVaultUtil.getValueAsString(expectedPassword);
        }
        catch (SecurityVaultException e)
        {
            LoginException le = new LoginException(ErrorCodes.PROCESSING_FAILED + "Unable to get the password value from vault");
            le.initCause(e);
            throw le;
        }
    }

The problem occurs because getUsersPassword() returns null, since the properties file doesn't have a property that matches the supplied username. We need to verify whether expectedPassword is null before calling the vault util, or change the vault util method to check for a null parameter.
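The following is an added, self-contained illustration of the null-safe handling described above; it is not PicketBox code. It assumes a constructed in-memory stand-in for users.properties and the "VAULT::" prefix convention for vaultified values, and the failure message is constructed rather than the module's real one.

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.login.LoginException;

public class NullSafeVaultCheck {
    // Constructed stand-in for users.properties: username -> expected password
    static final Map<String, String> USERS = new HashMap<>();
    static {
        USERS.put("alice", "secret1");
        USERS.put("bob", "VAULT::block1::bob.pw::1"); // vaultified entry
    }

    // Mirrors the lookup that returned null in the report for an unknown user
    static String getUsersPassword(String username) {
        return USERS.get(username);
    }

    // Null-safe variant of the vault-format test (assumed "VAULT::" prefix)
    static boolean isVaultFormat(String value) {
        return value != null && value.startsWith("VAULT::");
    }

    // Stand-in for SecurityVaultUtil.getValueAsString: resolves a vault reference
    static String getValueAsString(String vaultRef) {
        return "resolved-" + vaultRef.split("::")[2];
    }

    static boolean login(String username, String password) throws LoginException {
        String expected = getUsersPassword(username);
        // Unknown user: fail with the same generic reason as a bad password, never an NPE
        if (expected == null || !isVaultFormat(expected) && !expected.equals(password)) {
            throw new LoginException("Invalid username or password"); // constructed message
        }
        if (isVaultFormat(expected) && !getValueAsString(expected).equals(password)) {
            throw new LoginException("Invalid username or password"); // constructed message
        }
        return true;
    }

    public static void main(String[] args) throws LoginException {
        System.out.println(login("alice", "secret1"));            // true
        System.out.println(login("bob", "resolved-bob.pw"));      // true
        try {
            login("nobody", "x");                                 // unknown user
        } catch (LoginException e) {
            System.out.println("login failed: " + e.getMessage()); // reason, not an NPE
        }
    }
}
```

Reporting the same generic reason for an unknown user and for a wrong password also avoids leaking which usernames exist.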
