  1. Undertow
  2. UNDERTOW-1085

ServletSecurityRoleHandler throws NullPointerException

    Details

    • Steps to Reproduce:

      ServletSecurityRoleHandler throws a NullPointerException while handling a request when the deployment has securityDisabled set to true (DeploymentInfo.setSecurityDisabled(true)).

      Test case:

      import java.io.IOException;
      import java.io.Writer;
      
      import javax.servlet.ServletException;
      import javax.servlet.http.HttpServlet;
      import javax.servlet.http.HttpServletRequest;
      import javax.servlet.http.HttpServletResponse;
      
      import io.undertow.Undertow;
      import io.undertow.server.HttpHandler;
      import io.undertow.server.handlers.PathHandler;
      import io.undertow.servlet.api.DeploymentInfo;
      import io.undertow.servlet.api.DeploymentManager;
      import io.undertow.servlet.api.ServletContainer;
      import io.undertow.servlet.api.ServletInfo;
      
      /**
       * Stand-alone reproducer for the report: deploys a single servlet on embedded Undertow with
       * servlet security switched off and serves it on a loopback listener.
       *
       * <p>Per the report, request handling for this deployment ends in a
       * {@code NullPointerException} raised from {@code ServletSecurityRoleHandler.handleRequest}.
       */
      public class DisableSecurityTest {

          /** Minimal servlet that answers every GET with the body {@code hi}. */
          public static class HelloWorldServlet extends HttpServlet {

              private static final long serialVersionUID = 1L;

              @Override
              protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
                  // try-with-resources closes the response writer once the body is written.
                  try (Writer out = resp.getWriter()) {
                      out.write("hi");
                  }
              }
          }

          /**
           * Builds the deployment, starts it, and exposes it on {@code localhost:8080}.
           *
           * @param args unused
           * @throws RuntimeException wrapping the {@code ServletException} if deployment start fails
           */
          public static void main(String[] args) {
              ServletInfo helloServlet = new ServletInfo("HelloWorldServlet", HelloWorldServlet.class);
              helloServlet.addMapping("/hi");

              DeploymentInfo deployment = new DeploymentInfo();
              deployment.setContextPath("/");
              deployment.setDeploymentName("test");
              deployment.setClassLoader(Thread.currentThread().getContextClassLoader());
              // The condition under test: servlet security is switched off for the whole deployment.
              // This is a reproduction-only setting, not a configuration to copy into a real service.
              deployment.setSecurityDisabled(true);
              deployment.addServlet(helloServlet);

              DeploymentManager manager = ServletContainer.Factory.newInstance().addDeployment(deployment);

              HttpHandler servletHandler;
              try {
                  manager.deploy();
                  servletHandler = manager.start();
              } catch (ServletException e) {
                  // Keep the cause so a failed deployment stays diagnosable.
                  throw new RuntimeException(e);
              }

              PathHandler root = new PathHandler();
              root.addPrefixPath(deployment.getContextPath(), servletHandler);

              // Bound to localhost only, so the security-disabled deployment is not reachable off-host.
              Undertow server = Undertow.builder()
                      .addHttpListener(8080, "localhost")
                      .setHandler(root)
                      .build();
              server.start();
          }
      }
      

      Bug fix:

      public class ServletPathMatches {
          private static ServletChain servletChain(HttpHandler next, final ManagedServlet managedServlet, final String servletPath, final DeploymentInfo deploymentInfo, boolean defaultServlet) {
              ++++ if (!deploymentInfo.isSecurityDisabled()) {
                  HttpHandler servletHandler = new ServletSecurityRoleHandler(next, deploymentInfo.getAuthorizationManager());
                  servletHandler = wrapHandlers(servletHandler, managedServlet.getServletInfo().getHandlerChainWrappers());
      ++++ return new ServletChain(servletHandler, managedServlet, servletPath, defaultServlet);
              ++++ }
              return new ServletChain(next, managedServlet, servletPath, defaultServlet);
          }
      }
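Review bot: With security disabled, the proposed `servletChain` also skips `wrapHandlers(...)`, because that call sits inside the new `if (!deploymentInfo.isSecurityDisabled())` block. Any handler chain wrappers registered on the servlet's `ServletInfo` would silently stop being applied, which goes further than avoiding `ServletSecurityRoleHandler`. Only the construction of the role handler should be conditional, with the wrapper step and a single `return` left unconditional. Because this branch takes an authorization check out of the chain, a one-line comment at the `if` saying so would help later readers. The snippet shows only this method, so the point is judged from the visible lines.

```java
private static ServletChain servletChain(HttpHandler next, final ManagedServlet managedServlet, final String servletPath, final DeploymentInfo deploymentInfo, boolean defaultServlet) {
    HttpHandler servletHandler = next;
    // Role checks are added only when servlet security is enabled for the deployment.
    if (!deploymentInfo.isSecurityDisabled()) {
        servletHandler = new ServletSecurityRoleHandler(servletHandler, deploymentInfo.getAuthorizationManager());
    }
    // Per-servlet handler chain wrappers apply whether or not security is enabled.
    servletHandler = wrapHandlers(servletHandler, managedServlet.getServletInfo().getHandlerChainWrappers());
    return new ServletChain(servletHandler, managedServlet, servletPath, defaultServlet);
}
```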
      

      Stack Trace:

      java.lang.NullPointerException
      	at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:55)
      	at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
      	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
      	at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
      	at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
      	at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
      	at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
      	at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
      	at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
      	at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
      	at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
      	at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
      	at io.undertow.server.Connectors.executeRootHandler(Connectors.java:211)
      	at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:809)
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
      	at java.lang.Thread.run(Thread.java:745)
      


            People

            • Assignee:
              swd847 Stuart Douglas
              Reporter:
              ui4j Ozhan Duz