[jboss-jira] [JBoss JIRA] (SECURITY-642) UsernamePasswordLM causes NPE in SecurityVaultUtil when user provides wrong username
Anil Saldhana (JIRA)
jira-events at lists.jboss.org
Fri Jan 20 17:58:18 EST 2012
[ https://issues.jboss.org/browse/SECURITY-642?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12660921#comment-12660921 ]
Anil Saldhana commented on SECURITY-642:
----------------------------------------
I have fixed the NPE. Use PicketBox 4.0.6.Beta3
> UsernamePasswordLM causes NPE in SecurityVaultUtil when user provides wrong username
> ------------------------------------------------------------------------------------
>
> Key: SECURITY-642
> URL: https://issues.jboss.org/browse/SECURITY-642
> Project: PicketBox (JBoss Security and Identity Management)
> Issue Type: Bug
> Security Level: Public(Everyone can see)
> Affects Versions: PicketBox_v4_0_6.Beta2
> Reporter: Stefan Guilhen
> Assignee: Anil Saldhana
> Fix For: PicketBox_v4_0_6.Beta3
>
>
> Application is protected by a security domain that uses the UsersRolesLoginModule. If the user attempts a login with the right username and wrong pw, the login fails and the message in the AS7 logs displays the correct reason for auth failure. However, if the user supplies a username that has not been added to the users.properties file, the login fails and the AS7 logs display an NPE instead of the correct reason message:
> 15:33:37,622 ERROR [org.jboss.security.authentication.JBossCachedAuthenticationManager] (http--127.0.0.1-8080-1) Login failure: javax.security.auth.login.LoginException: java.lang.NullPointerException
> at org.jboss.security.vault.SecurityVaultUtil.isVaultFormat(SecurityVaultUtil.java:59)
> at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:250)
> at org.jboss.security.auth.spi.UsersRolesLoginModule.login(UsersRolesLoginModule.java:155)
> The relevant code in UsernamePasswordLoginModule is this:
> String expectedPassword = getUsersPassword();
> // Check if the password is vaultified
> if (SecurityVaultUtil.isVaultFormat(expectedPassword))
> {
>    try
>    {
>       expectedPassword = SecurityVaultUtil.getValueAsString(expectedPassword);
>    }
>    catch (SecurityVaultException e)
>    {
>       LoginException le = new LoginException(ErrorCodes.PROCESSING_FAILED + "Unable to get the password value from vault");
>       le.initCause(e);
>       throw le;
>    }
> }
> The problem occurs because getUsersPassword() returns null since the properties file doesn't have a property that matches the supplied username. We need to verify if the expectedPassword is null before calling the vault util or change the vault util method to check for a null param.
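The two fixes the report proposes, shown side by side in a self-contained Java sketch (added illustration, not PicketBox's own code): the vault-format check tolerates a null argument, and the login path rejects an unknown user with a proper LoginException before the vault check runs. The "VAULT::" prefix, the user table, the resolver and the error messages are assumptions standing in for the real SecurityVaultUtil and users.properties.

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.login.LoginException;

/** Illustrative stand-in for UsernamePasswordLoginModule.login(); not PicketBox code. */
public class NullSafeVaultCheck {

    // Assumed marker for vaultified values; PicketBox's real format may differ.
    static final String VAULT_PREFIX = "VAULT::";

    // Constructed stand-in for users.properties: one plain and one vaultified entry.
    static final Map<String, String> USERS = new HashMap<>();
    static {
        USERS.put("alice", "secret");
        USERS.put("bob", VAULT_PREFIX + "block::attribute::1");
    }

    // Fix option 2 from the report: the util itself treats null as "not vault format".
    static boolean isVaultFormat(String value) {
        return value != null && value.startsWith(VAULT_PREFIX);
    }

    // Hypothetical resolver; the real one would consult the SecurityVault.
    static String getValueAsString(String vaultRef) {
        return "vault-resolved-" + vaultRef.substring(VAULT_PREFIX.length());
    }

    // Returns null for an unknown user, exactly the case that triggered the NPE.
    static String getUsersPassword(String username) {
        return USERS.get(username);
    }

    // Fix option 1 from the report: check for null before touching the vault util.
    static void login(String username, String password) throws LoginException {
        String expectedPassword = getUsersPassword(username);
        if (expectedPassword == null) {
            throw new LoginException("Unknown user: " + username);
        }
        if (isVaultFormat(expectedPassword)) {
            expectedPassword = getValueAsString(expectedPassword);
        }
        if (!expectedPassword.equals(password)) {
            throw new LoginException("Incorrect password for user: " + username);
        }
    }

    public static void main(String[] args) {
        for (String[] attempt : new String[][] { { "alice", "secret" }, { "alice", "nope" }, { "mallory", "x" } }) {
            try { login(attempt[0], attempt[1]); System.out.println(attempt[0] + ": login ok"); }
            catch (LoginException e) { System.out.println(attempt[0] + ": " + e.getMessage()); }
        }
    }
}
```

The third attempt now logs "Unknown user" rather than the NullPointerException from the report, so the AS7 log carries the real failure reason.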
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.jboss.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira