Uploaded image for project: 'WildFly Elytron'
  1. WildFly Elytron
  2. ELY-2144

null 'error page' can cause NPE from web component

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Unresolved
    • Icon: Major Major
    • None
    • None
    • None
    • Hide

      I was tinkering with quickstart in order to reproduce https://issues.redhat.com/browse/UNDERTOW-1617

      Basically:

      • Connect to the running wildfly instance with jboss-cli.sh and follow the steps here to configure authentication on the server . In step 5, instead of configuring BASIC mechanism, configure FORM mechanism. In step 6, change the name of the application-security-domain from exampleApplicationDomain to application-security
      • Modify code of servlet-security quickstart according to a patch included in this issue
      • Compile and deploy a quickstart on the running server: mvn clean install wildfly:deploy
      • Access http://localhost:8080/servlet-security/ with browser
      • Attempt to log in with credentials of non existent user
      • You should see NullPointerException
      Show
      I was tinkering with quickstart in order to reproduce https://issues.redhat.com/browse/UNDERTOW-1617 Basically: Connect to the running wildfly instance with jboss-cli.sh and follow the steps here to configure authentication on the server . In step 5, instead of configuring BASIC mechanism, configure FORM mechanism. In step 6, change the name of the application-security-domain from exampleApplicationDomain to application-security Modify code of servlet-security quickstart according to a patch included in this issue Compile and deploy a quickstart on the running server: mvn clean install wildfly:deploy Access http://localhost:8080/servlet-security/ with browser Attempt to log in with credentials of non existent user You should see NullPointerException
    • Undefined

      When application uses FORM authentication and does not have error page configured, it can result in the following exception:

      java.lang.NullPointerException
      at io.undertow.core@2.2.8.Final//io.undertow.server.handlers.resource.CachingResourceManager.getResource(CachingResourceManager.java:82)
      at io.undertow.core@2.2.8.Final//io.undertow.server.handlers.resource.CachingResourceManager.getResource(CachingResourceManager.java:32)
      at io.undertow.servlet@2.2.8.Final//io.undertow.servlet.spec.ServletContextImpl.getResourceAsStream(ServletContextImpl.java:318)
      at org.wildfly.security.elytron-web.undertow-server-servlet@1.9.1.Final//org.wildfly.elytron.web.undertow.server.servlet.ElytronHttpServletExchange$1.getResource(ElytronHttpServletExchange.java:203)
      at org.wildfly.security.elytron-base@1.16.0.CR1//org.wildfly.security.http.form.FormAuthenticationMechanism.sendPage(FormAuthenticationMechanism.java:365)
      at org.wildfly.security.elytron-base@1.16.0.CR1//org.wildfly.security.http.form.FormAuthenticationMechanism.lambda$error$1(FormAuthenticationMechanism.java:191)
      at org.wildfly.security.elytron-base@1.16.0.CR1//org.wildfly.security.http.HttpAuthenticator$AuthenticationExchange.authenticate(HttpAuthenticator.java:357)
      at org.wildfly.security.elytron-base@1.16.0.CR1//org.wildfly.security.http.HttpAuthenticator$AuthenticationExchange.access$800(HttpAuthenticator.java:301)
      at org.wildfly.security.elytron-base@1.16.0.CR1//org.wildfly.security.http.HttpAuthenticator.authenticate(HttpAuthenticator.java:94)
      at org.wildfly.security.elytron-web.undertow-server@1.9.1.Final//org.wildfly.elytron.web.undertow.server.SecurityContextImpl.authenticate(SecurityContextImpl.java:107)
      at org.wildfly.security.elytron-web.undertow-server-servlet@1.9.1.Final//org.wildfly.elytron.web.undertow.server.servlet.ServletSecurityContextImpl.authenticate(ServletSecurityContextImpl.java:115)
      at io.undertow.servlet@2.2.8.Final//io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55)
      at io.undertow.core@2.2.8.Final//io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33)
      at io.undertow.core@2.2.8.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
      at io.undertow.core@2.2.8.Final//io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:53)
      at io.undertow.core@2.2.8.Final//io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
      at io.undertow.servlet@2.2.8.Final//io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
      at io.undertow.servlet@2.2.8.Final//io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:59)
      at io.undertow.core@2.2.8.Final//io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
      at org.wildfly.security.elytron-web.undertow-server-servlet@1.9.1.Final//org.wildfly.elytron.web.undertow.server.servlet.CleanUpHandler.handleRequest(CleanUpHandler.java:38)
      at io.undertow.core@2.2.8.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
      at org.wildfly.extension.undertow@24.0.0.Final-SNAPSHOT//org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
      at io.undertow.core@2.2.8.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
      at org.wildfly.extension.undertow@24.0.0.Final-SNAPSHOT//org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
      at io.undertow.servlet@2.2.8.Final//io.undertow.servlet.handlers.SendErrorPageHandler.handleRequest(SendErrorPageHandler.java:52)
      at io.undertow.core@2.2.8.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
      at io.undertow.servlet@2.2.8.Final//io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:269)
      at io.undertow.servlet@2.2.8.Final//io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:78)
      at io.undertow.servlet@2.2.8.Final//io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:133)
      at io.undertow.servlet@2.2.8.Final//io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:130)
      at io.undertow.servlet@2.2.8.Final//io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
      at io.undertow.servlet@2.2.8.Final//io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
      at org.wildfly.extension.undertow@24.0.0.Final-SNAPSHOT//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1535)
      at org.wildfly.extension.undertow@24.0.0.Final-SNAPSHOT//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1535)
      at org.wildfly.extension.undertow@24.0.0.Final-SNAPSHOT//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1535)
      at org.wildfly.extension.undertow@24.0.0.Final-SNAPSHOT//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1535)
      at io.undertow.servlet@2.2.8.Final//io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:249)
      at io.undertow.servlet@2.2.8.Final//io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:78)
      at io.undertow.servlet@2.2.8.Final//io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:99)
      at io.undertow.core@2.2.8.Final//io.undertow.server.Connectors.executeRootHandler(Connectors.java:387)
      at io.undertow.core@2.2.8.Final//io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:841)
      at org.jboss.threads@2.4.0.Final//org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
      at org.jboss.threads@2.4.0.Final//org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1990)
      at org.jboss.threads@2.4.0.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
      at org.jboss.threads@2.4.0.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377)
      at org.jboss.xnio@3.8.4.Final//org.xnio.XnioWorker$WorkerThreadFactory$1$1.run(XnioWorker.java:1280)
      at java.base/java.lang.Thread.run(Thread.java:834)

      We should not be passing null value to Undertow. This issue is to address that.

        1. quick.patch
          8 kB

            pberan@redhat.com Petr Beran
            rhn-cservice-bbaranow Bartosz Baranowski
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Created:
              Updated: