[jboss-jira] [JBoss JIRA] (ELY-738) Coverity static analysis: Dereference null return value in SingleSignOnServerMechanismFactory (Elytron)

Ilia Vassilev (JIRA) issues at jboss.org
Fri Feb 17 13:39:00 EST 2017 

     [ https://issues.jboss.org/browse/ELY-738?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ilia Vassilev updated ELY-738:
------------------------------
    Fix Version/s: 1.1.0.Beta15


> Coverity static analysis: Dereference null return value in SingleSignOnServerMechanismFactory (Elytron)
> -------------------------------------------------------------------------------------------------------
>
>                 Key: ELY-738
>                 URL: https://issues.jboss.org/browse/ELY-738
>             Project: WildFly Elytron
>          Issue Type: Bug
>            Reporter: Josef Cacek
>            Assignee: Ilia Vassilev
>              Labels: static_analysis
>             Fix For: 1.1.0.Beta15
>
>
> Coverity static-analysis scan found possible call on null object in {{SingleSignOnServerMechanismFactory.evaluateRequst()}} method:
> {code}
> getTargetMechanism(mechanismName, singleSignOnSession).evaluateRequest(createHttpServerRequest(request, singleSignOnSession));
> {code}
> https://scan7.coverity.com/reports.htm#v16159/p11778/fileInstanceId=5760259&defectInstanceId=1541379&mergedDefectId=1369284
> The problem is the {{getTargetMechanism}} call, which just calls an {{HttpServerAuthenticationMechanismFactory.createAuthenticationMechanism()}} method.
> The {{createAuthenticationMechanism}} doesn't declare it could return null, nevertheless, the implementations use null as fallback (e.g. look at {{ServerMechanismFactoryImpl.createAuthenticationMechanism()}})
> *Suggested improvement*
> I see 2 possible solutions:
> 1. Declare in javadoc of {{HttpServerAuthenticationMechanismFactory.createAuthenticationMechanism()}} method, that it can return null and add the null-check into the {{SingleSignOnServerMechanismFactory.evaluateRequst()}} method
> 2. or throw an exception from {{HttpServerAuthenticationMechanismFactory.createAuthenticationMechanism()}} implementations instead of returning null



--
This message was sent by Atlassian JIRA
(v7.2.3#72005)

More information about the jboss-jira mailing list