Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-5226

[GSS](7.1) JASPICSecureResponseHandler.handleRequest throws NullPointerException when redirecting for CONFIDENTIAL transport guarantee

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Major Major
    • 7.1.0.DR1
    • 7.0.0.GA
    • Undertow
    • None
    • Needs More Info
    • Hide

      -Launch with attached standalone.xml
      -Deploy an app with a transport-guarantee

      <web-app>
          <security-constraint>
              <display-name>SecureConstraint</display-name>
              <web-resource-collection>
                    <web-resource-name>SecureResources</web-resource-name>
                    <url-pattern>/*</url-pattern>
              </web-resource-collection>
              <user-data-constraint>
                    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
              </user-data-constraint>
          </security-constraint>
      </web-app>
      

      -Access the app and generate a redirect from that transport-guarantee

      Show
      -Launch with attached standalone.xml -Deploy an app with a transport-guarantee <web-app> <security-constraint> <display-name>SecureConstraint</display-name> <web-resource-collection> <web-resource-name>SecureResources</web-resource-name> <url-pattern>/*</url-pattern> </web-resource-collection> <user-data-constraint> <transport-guarantee>CONFIDENTIAL</transport-guarantee> </user-data-constraint> </security-constraint> </web-app> -Access the app and generate a redirect from that transport-guarantee

      JASPICSecureResponseHandler.handleRequest can throw a NPE for a redirect from a CONFIDENTIAL transport guarantee:

      java.lang.NullPointerException
              at org.wildfly.extension.undertow.security.jaspi.JASPICSecureResponseHandler.handleRequest(JASPICSecureResponseHandler.java:35)
              at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
              at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:285)
              at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:264)
              at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
              at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:175)
              at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
              at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:792)
              at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
              at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
              at java.lang.Thread.run(Thread.java:745)
      

      This occurs because io.undertow.security.handlers.AbstractConfidentialityHandler generates the redirect before any JASPICContext is placed on the request, so JASPICSecureResponseHandler sees the null.

              chaowan@redhat.com Chao Wang
              rhn-support-rbost Robert Bost
              Jan Stourac Jan Stourac
              Jan Stourac Jan Stourac
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

                Created:
                Updated:
                Resolved: