Uploaded image for project: 'JBoss Web Services'
  1. JBoss Web Services
  2. JBWS-2820

NPE when user has insufficent permissions to call a webservice method

XMLWordPrintable

    • Low

      Hello,

      we have a webservice that is protected via a custom LoginModule. To protect the individual Methods
      we use the annotation @RolesAllowed. Now if we call a webservice for which a user has insufficient
      privileges we get the following exception

      18:07:42,608 ERROR [http-127.0.0.1-9080-1] [RoleBasedAuthorizationInterceptor] Insufficient permissions, principal=blubb, requiredRoles=[someRole], principalRol
      es=[nochwas, rechnungsempfaengerLesen]
      07:54:33,863 ERROR [http-127.0.0.1-9080-1] [EndpointMethodHandler]
      java.lang.NullPointerException
      at org.jboss.wsf.stack.metro.InvokerEJB3.handleException(InvokerEJB3.java:127)
      at org.jboss.wsf.stack.metro.InvokerEJB3.invoke(InvokerEJB3.java:106)
      at com.sun.xml.ws.server.InvokerTube$2.invoke(InvokerTube.java:146)
      at com.sun.xml.ws.server.sei.EndpointMethodHandler.invoke(EndpointMethodHandler.java:257)
      at com.sun.xml.ws.server.sei.SEIInvokerTube.processRequest(SEIInvokerTube.java:93)
      at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:598)
      at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:557)
      at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:542)
      at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:439)
      at com.sun.xml.ws.api.pipe.helper.AbstractTubeImpl.process(AbstractTubeImpl.java:112)
      at org.jboss.wsf.stack.metro.log.DumpPipe.process(DumpPipe.java:94)
      at com.sun.xml.ws.api.pipe.helper.PipeAdapter.processRequest(PipeAdapter.java:115)
      at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:598)
      at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:557)
      at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:542)
      at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:439)
      at com.sun.xml.ws.server.WSEndpointImpl$2.process(WSEndpointImpl.java:243)
      at com.sun.xml.ws.transport.http.HttpAdapter$HttpToolkit.handle(HttpAdapter.java:444)
      at com.sun.xml.ws.transport.http.HttpAdapter.handle(HttpAdapter.java:244)
      at com.sun.xml.ws.transport.http.servlet.ServletAdapter.handle(ServletAdapter.java:135)
      at org.jboss.wsf.stack.metro.RequestHandlerImpl.doPost(RequestHandlerImpl.java:225)
      at org.jboss.wsf.stack.metro.RequestHandlerImpl.handleHttpRequest(RequestHandlerImpl.java:82)
      at org.jboss.wsf.common.servlet.AbstractEndpointServlet.service(AbstractEndpointServlet.java:85)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
      at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
      at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230)
      at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
      at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:182)
      at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
      at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
      at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
      at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
      at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
      at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262)
      at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
      at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
      at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446)
      at java.lang.Thread.run(Unknown Source)

      I have debugged the problem and the problems is the following:

      The problem is the following method in the InvokerEJB3 class of the jbossws metro stack:

      private void handleException(Exception ex)
      throws InvocationTargetException, IllegalAccessException

      { //Unwrap EJBException if (ex instanceof EJBException) ex = ((EJBException)ex).getCausedByException(); ..... }

      The ex variable that gets passed into the method is a
      javax.ejb.EJBAccessException (with the message "Authorization failure").
      The problem is that the expression
      > ((EJBException)ex).getCausedByException()
      returns null for the exception, becuase it does not have a causeException!
      later in the method the call
      > if (ex.getClass().isAnnotationPresent(WebFault.class))
      results in a nullpointer exception, because ex is null (because there was no root cause).
      At the moment the method always expects a cause Exception if the
      exception passed to the method is a EJBException!

      cheers,
      andy

              rhn-engineering-ema Jim Ma
              kickmetoandy KickMeToAndy (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              0 Start watching this issue

                Created:
                Updated:
                Resolved: