-
Bug
-
Resolution: Done
-
Major
-
None
-
None
Coverity static-analysis scan found possible call on null object in SingleSignOnServerMechanismFactory.evaluateRequst() method:
getTargetMechanism(mechanismName, singleSignOnSession).evaluateRequest(createHttpServerRequest(request, singleSignOnSession));
The problem is the getTargetMechanism call, which just calls an HttpServerAuthenticationMechanismFactory.createAuthenticationMechanism() method.
The createAuthenticationMechanism doesn't declare it could return null, nevertheless, the implementations use null as fallback (e.g. look at ServerMechanismFactoryImpl.createAuthenticationMechanism())
Suggested improvement
I see 2 possible solutions:
1. Declare in javadoc of HttpServerAuthenticationMechanismFactory.createAuthenticationMechanism() method, that it can return null and add the null-check into the SingleSignOnServerMechanismFactory.evaluateRequst() method
2. or throw an exception from HttpServerAuthenticationMechanismFactory.createAuthenticationMechanism() implementations instead of returning null
- clones
-
JBEAP-7070 Coverity static analysis: Dereference null return value in SingleSignOnServerMechanismFactory (Elytron)
- Closed