[jboss-jira] [JBoss JIRA] (ELY-738) Coverity static analysis: Dereference null return value in SingleSignOnServerMechanismFactory (Elytron)
Josef Cacek (JIRA)
issues at jboss.org
Fri Nov 11 07:19:01 EST 2016
[ https://issues.jboss.org/browse/ELY-738?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Josef Cacek updated ELY-738:
----------------------------
Description:
Coverity static-analysis scan found possible call on null object in {{SingleSignOnServerMechanismFactory.evaluateRequst()}} method:
{code}
getTargetMechanism(mechanismName, singleSignOnSession).evaluateRequest(createHttpServerRequest(request, singleSignOnSession));
{code}
https://scan7.coverity.com/reports.htm#v16159/p11778/fileInstanceId=5760259&defectInstanceId=1541379&mergedDefectId=1369284
The problem is the {{getTargetMechanism}} call, which just calls an {{HttpServerAuthenticationMechanismFactory.createAuthenticationMechanism()}} method.
The {{createAuthenticationMechanism}} doesn't declare it could return null, nevertheless, the implementations use null as fallback (e.g. look at {{ServerMechanismFactoryImpl.createAuthenticationMechanism()}})
*Suggested improvement*
I see 2 possible solutions:
1. Declare in javadoc of {{HttpServerAuthenticationMechanismFactory.createAuthenticationMechanism()}} method, that it can return null and add the null-check into the {{SingleSignOnServerMechanismFactory.evaluateRequst()}} method
2. or throw an exception from {{HttpServerAuthenticationMechanismFactory.createAuthenticationMechanism()}} implementations instead of returning null
was:
Coverity static-analysis scan found possible call on null object in {{SingleSignOnServerMechanismFactory.evaluateRequst()}} method:
{code}
getTargetMechanism(mechanismName, singleSignOnSession).evaluateRequest(createHttpServerRequest(request, singleSignOnSession));
{code}
The problem is the {{getTargetMechanism}} call, which just calls an {{HttpServerAuthenticationMechanismFactory.createAuthenticationMechanism()}} method.
The {{createAuthenticationMechanism}} doesn't declare it could return null, nevertheless, the implementations use null as fallback (e.g. look at {{ServerMechanismFactoryImpl.createAuthenticationMechanism()}})
*Suggested improvement*
I see 2 possible solutions:
1. Declare in javadoc of {{HttpServerAuthenticationMechanismFactory.createAuthenticationMechanism()}} method, that it can return null and add the null-check into the {{SingleSignOnServerMechanismFactory.evaluateRequst()}} method
2. or throw an exception from {{HttpServerAuthenticationMechanismFactory.createAuthenticationMechanism()}} implementations instead of returning null
> Coverity static analysis: Dereference null return value in SingleSignOnServerMechanismFactory (Elytron)
> -------------------------------------------------------------------------------------------------------
>
> Key: ELY-738
> URL: https://issues.jboss.org/browse/ELY-738
> Project: WildFly Elytron
> Issue Type: Bug
> Reporter: Josef Cacek
> Assignee: Darran Lofthouse
> Labels: static_analysis
>
> Coverity static-analysis scan found possible call on null object in {{SingleSignOnServerMechanismFactory.evaluateRequst()}} method:
> {code}
> getTargetMechanism(mechanismName, singleSignOnSession).evaluateRequest(createHttpServerRequest(request, singleSignOnSession));
> {code}
> https://scan7.coverity.com/reports.htm#v16159/p11778/fileInstanceId=5760259&defectInstanceId=1541379&mergedDefectId=1369284
> The problem is the {{getTargetMechanism}} call, which just calls an {{HttpServerAuthenticationMechanismFactory.createAuthenticationMechanism()}} method.
> The {{createAuthenticationMechanism}} doesn't declare it could return null, nevertheless, the implementations use null as fallback (e.g. look at {{ServerMechanismFactoryImpl.createAuthenticationMechanism()}})
> *Suggested improvement*
> I see 2 possible solutions:
> 1. Declare in javadoc of {{HttpServerAuthenticationMechanismFactory.createAuthenticationMechanism()}} method, that it can return null and add the null-check into the {{SingleSignOnServerMechanismFactory.evaluateRequst()}} method
> 2. or throw an exception from {{HttpServerAuthenticationMechanismFactory.createAuthenticationMechanism()}} implementations instead of returning null
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
More information about the jboss-jira
mailing list