[jboss-jira] [JBoss JIRA] (WFLY-3518) JASPIAuthenticationMechanism#authenticate doesn't check if AuthenticatedSession is null

Kabir Khan (JIRA) issues at jboss.org
Wed Dec 6 11:21:24 EST 2017


     [ https://issues.jboss.org/browse/WFLY-3518?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kabir Khan closed WFLY-3518.
----------------------------


> JASPIAuthenticationMechanism#authenticate doesn't check if AuthenticatedSession is null
> ---------------------------------------------------------------------------------------
>
>                 Key: WFLY-3518
>                 URL: https://issues.jboss.org/browse/WFLY-3518
>             Project: WildFly
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: 8.1.0.Final
>            Reporter: arjan tijms
>            Assignee: Stuart Douglas
>              Labels: jaspic
>             Fix For: 9.0.0.CR2, 10.0.0.Alpha1
>
>
> In {{org.wildfly.extension.undertow.security.jaspi.JASPIAuthenticationMechanism#authenticate}} the variable {{authSession}} in the fragment below is frequently null, leading to null pointer exceptions:
> {code}
>         if (sessionManager != null) {
>             AuthenticatedSessionManager.AuthenticatedSession authSession = sessionManager.lookupSession(exchange);
>             cachedAccount = authSession.getAccount(); // NPE HAPPENS HERE
>             // if there is a cached account we set it in the security context so that the principal is available to
>             // SAM modules via request.getUserPrincipal().
>             if (cachedAccount !=  null) {
>                 jaspicSecurityContext.setCachedAuthenticatedAccount(cachedAccount);
>             }
>         }
> {code}
> At another place in Undertow where {{AuthenticatedSession}} is used, there's an extra null check (See {{io.undertow.security.impl.CachedAuthenticatedSessionMechanism#runCached}}).
> I patched the code locally to add an extra null check:
> {code}
>         if (sessionManager != null) {
>             AuthenticatedSessionManager.AuthenticatedSession authSession = sessionManager.lookupSession(exchange);
>             cachedAccount = authSession == null? null : authSession.getAccount();
>             // if there is a cached account we set it in the security context so that the principal is available to
>             // SAM modules via request.getUserPrincipal().
>             if (cachedAccount !=  null) {
>                 jaspicSecurityContext.setCachedAuthenticatedAccount(cachedAccount);
>             }
>         }
> {code}
> After a short amount of testing everything seems to be okay with that extra check.
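The failure the reporter describes is an availability bug in the authentication path: a request that carries no session (a first visit, or a cookie for an expired session) makes `lookupSession` return null, and dereferencing it turns every such request into an unhandled NullPointerException before the ServerAuthModule ever runs. The following self-contained Java program is an added illustration of that failure mode and of the fix; it is not WildFly or Undertow code, and `Account`, `AuthenticatedSession`, `Exchange` and `SessionManager` are hypothetical stand-ins modelled on the names in the issue.

```java
// Added illustration, not WildFly/Undertow code. All types below are simplified
// stand-ins for the Undertow classes named in the issue (assumption).
import java.util.HashMap;
import java.util.Map;

public class CachedSessionLookupDemo {

    /** Stand-in for an Undertow Account: only the principal name matters here. */
    record Account(String principalName) {}

    /** Stand-in for AuthenticatedSessionManager.AuthenticatedSession. */
    record AuthenticatedSession(Account account) {
        Account getAccount() { return account; }
    }

    /** Stand-in for the request (HttpServerExchange): may or may not carry a session id. */
    record Exchange(String sessionId) {}

    /**
     * Minimal session manager. lookupSession() returns null when the request has
     * no session cookie or the cookie refers to an unknown/expired session, which is
     * exactly the case the original code did not handle.
     */
    static class SessionManager {
        private final Map<String, AuthenticatedSession> sessions = new HashMap<>();

        void store(String sessionId, Account account) {
            sessions.put(sessionId, new AuthenticatedSession(account));
        }

        AuthenticatedSession lookupSession(Exchange exchange) {
            if (exchange.sessionId() == null) {
                return null;                       // no cookie at all
            }
            return sessions.get(exchange.sessionId()); // null if unknown or expired
        }
    }

    /** Behaviour before the fix: the lookup result is dereferenced unconditionally. */
    static Account cachedAccountBeforeFix(SessionManager sm, Exchange exchange) {
        AuthenticatedSession authSession = sm.lookupSession(exchange);
        return authSession.getAccount();           // NPE for any request without a session
    }

    /** Behaviour after the fix: a missing session simply means "no cached account". */
    static Account cachedAccountAfterFix(SessionManager sm, Exchange exchange) {
        AuthenticatedSession authSession = sm.lookupSession(exchange);
        return authSession == null ? null : authSession.getAccount();
    }

    /** Simplified authenticate(): reuse the cached account if present, else fall through to the SAM. */
    static String authenticate(SessionManager sm, Exchange exchange) {
        Account cached = cachedAccountAfterFix(sm, exchange);
        if (cached != null) {
            return "cached principal: " + cached.principalName();
        }
        // In the real mechanism the ServerAuthModule (SAM) would run here; this demo only reports it.
        return "no cached account, delegating to SAM";
    }

    public static void main(String[] args) {
        SessionManager sm = new SessionManager();
        sm.store("abc123", new Account("alice"));   // constructed sample session

        Exchange firstVisit = new Exchange(null);       // no session cookie yet
        Exchange returning = new Exchange("abc123");    // previously authenticated
        Exchange stale = new Exchange("expired-999");   // cookie for a session that is gone

        try {
            cachedAccountBeforeFix(sm, firstVisit);
        } catch (NullPointerException e) {
            System.out.println("before fix: NPE on a request without a session");
        }

        System.out.println(authenticate(sm, firstVisit)); // delegates to SAM
        System.out.println(authenticate(sm, returning));  // cached principal: alice
        System.out.println(authenticate(sm, stale));      // delegates to SAM
    }
}
```

Compile and run with `javac CachedSessionLookupDemo.java && java CachedSessionLookupDemo` (records need Java 16 or later). The point of the null-coalescing form is that an absent session is a normal state, not an error: the mechanism should proceed to the SAM with no pre-populated principal, which is what the reporter's patched fragment and Undertow's own `CachedAuthenticatedSessionMechanism#runCached` do.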



--
This message was sent by Atlassian JIRA
(v7.5.0#75005)