  1. JBoss Enterprise Application Platform
  2. JBEAP-6727

Missing null check in SecurityContextImpl


    • Type: Bug
    • Resolution: Done
    • Priority: Minor
    • 7.1.0.DR10
    • 7.1.0.DR7
    • Undertow
    • None

      There is a missing null check in the io.undertow.security.impl.SecurityContextImpl.ChallengeSender.transition() method. The method mechanism.sendChallenge can return null (the interface AuthenticationMechanism can have various implementations), which leads to an NPE when a method is called on its result without a null check. See [1].

      There should be a null check in the SecurityContextImpl.ChallengeSender.transition() method, or the documentation of io.undertow.security.api.AuthenticationMechanism.sendChallenge should explicitly say that this method must not return null.

      [1] https://github.com/undertow-io/undertow/blob/43ff6d15b2054ac659d469165d508b7ddb954ff3/core/src/main/java/io/undertow/security/impl/SecurityContextImpl.java#L298

              dtikhomi@redhat.com Dmitrii Tikhomirov
              olukas Ondrej Lukas (Inactive)
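
The failure mode described in this issue, next to one possible null check, as an added example that is not Undertow's code. `Mechanism`, `ChallengeResult`, the two `challenge*` methods and the 403 default are simplified stand-ins, and treating a null result as "no challenge sent" is an assumption about how the check should behave.

```java
import java.util.List;

// Stand-in types (hypothetical, not Undertow's classes) mirroring the shape in the issue.
public class ChallengeNullCheckDemo {

    record ChallengeResult(boolean challengeSent, Integer desiredResponseCode) {}

    interface Mechanism {
        ChallengeResult sendChallenge(); // contract is silent about null, as the issue notes
    }

    // "Before": the result is dereferenced without a null check.
    static int challengeUnchecked(List<Mechanism> mechanisms) {
        int status = 403; // constructed default used when no mechanism sends a challenge
        for (Mechanism m : mechanisms) {
            ChallengeResult r = m.sendChallenge();
            if (r.challengeSent() && r.desiredResponseCode() != null) { // NPE when r == null
                status = r.desiredResponseCode();
            }
        }
        return status;
    }

    // "After": a null result is logged and treated as "no challenge sent" (assumption).
    static int challengeChecked(List<Mechanism> mechanisms) {
        int status = 403;
        for (Mechanism m : mechanisms) {
            ChallengeResult r = m.sendChallenge();
            if (r == null) {
                System.err.println(m.getClass().getName() + " returned null from sendChallenge");
                continue; // move on to the next mechanism in the chain
            }
            if (r.challengeSent() && r.desiredResponseCode() != null) {
                status = r.desiredResponseCode();
            }
        }
        return status;
    }

    public static void main(String[] args) {
        Mechanism broken = () -> null;                          // constructed custom mechanism
        Mechanism basic = () -> new ChallengeResult(true, 401); // constructed well-behaved one
        List<Mechanism> chain = List.of(broken, basic);
        System.out.println("checked status: " + challengeChecked(chain));
        try {
            challengeUnchecked(chain);
        } catch (NullPointerException e) {
            System.out.println("unchecked: NullPointerException before any challenge is sent");
        }
    }
}
```

In the unchecked variant one misbehaving mechanism aborts the whole challenge phase, so the well-behaved mechanism after it never gets to send its challenge.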