Posted to users@cxf.apache.org by Michael Kleinhenz <m....@tarent.de> on 2010/08/10 15:17:08 UTC

NPE when no token delivered with SecurityPolicy?

Hi,

I have a CXF SOAP service configured to require a SAML token. If I try
to access that service without a token, the server throws a NPE:

java.lang.NullPointerException
	at org.apache.cxf.ws.security.policy.interceptors.IssuedTokenInterceptorProvider$IssuedTokenInInterceptor.handleMessage(IssuedTokenInterceptorProvider.java:198)

The corresponding code line in IssuedTokenInterceptorProvider reads like
this:

 Vector results = (Vector)message.get(WSHandlerConstants.RECV_RESULTS);
 for (int i = 0; i < results.size(); i++) {
         WSHandlerResult rResult = (WSHandlerResult) results.get(i);
 [..]

Shouldn't this check for results being null like this:

 Vector results = null;
 if ((results = (Vector)message
         .get(WSHandlerConstants.RECV_RESULTS)) == null) {
         throw new RuntimeException("No security results!");
 }
 for (int i = 0; i < results.size(); i++) {
         WSHandlerResult rResult = (WSHandlerResult) results.get(i);

(maybe with something else than a RTE obviously)?

Maybe I have done something wrong in the server configuration, but the
execution never reaches my security callback to check the (even
non-existent) token but fails right at retrieving the RECV_RESULTS key
from the message context.

Any opinions?

Thanks,
Michael


-- 
Dipl.-Technoinform Michael Kleinhenz

tarent Gesellschaft für Softwareentwicklung und IT-Beratung mbH
Managing Directors: Boris Esser, Elmar Geese
HRB AG Bonn 5168 - USt-ID (VAT): DE122264941

Heilsbachstraße 24, 53123 Bonn,   Phone: +49 228 52675-0
Thiemanstraße 36a,  12059 Berlin, Phone: +49 30 5682943-30
Internet: http://www.tarent.de/ • Fax: +49 228 52675-25

Re: NPE when no token delivered with SecurityPolicy?

Posted by Michael Kleinhenz <m....@tarent.de>.

just an addition: the CXF version is 2.2.9.

-- Michael


On 10.08.2010 15:17, Michael Kleinhenz wrote:
> Hi,
> 
> I have a CXF SOAP service configured to require a SAML token. If I try
> to access that service without a token, the server throws a NPE:
> 
> java.lang.NullPointerException
> 	at
> org.apache.cxf.ws.security.policy.interceptors.IssuedTokenInterceptorProvider$IssuedTokenInInterceptor.handleMessage(IssuedTokenInterceptorProvider.java:198)
> 
> The corresponding code line in IssuedTokenInterceptorProvider reads like
> this:
> 
>  Vector results = (Vector)message.get(WSHandlerConstants.RECV_RESULTS);
>  for (int i = 0; i < results.size(); i++) {
>          WSHandlerResult rResult = (WSHandlerResult) results.get(i);
>  [..]
> 
> Shouldn't this check for results being null like this:
> 
>  Vector results = null;
>  if ((results = (Vector)message
> 		.get(WSHandlerConstants.RECV_RESULTS)) == null) {
> 	throw new RuntimeException("No security results!");
>  }
>  for (int i = 0; i < results.size(); i++) {
>          WSHandlerResult rResult = (WSHandlerResult) results.get(i);
> 
> (maybe with something else than a RTE obviously)?
> 
> Maybe I have done something wrong in the server configuration, but the
> execution never reaches my security callback to check the (even
> non-existent) token but fails right at retrieving the RECV_RESULTS key
> from the message context.
> 
> Any opinions?
> 
> Thanks,
> Michael
> 
> 

-- 
Dipl.-Technoinform Michael Kleinhenz

tarent Gesellschaft für Softwareentwicklung und IT-Beratung mbH
Managing Directors: Boris Esser, Elmar Geese
HRB AG Bonn 5168 - USt-ID (VAT): DE122264941

Heilsbachstraße 24, 53123 Bonn,   Phone: +49 228 52675-0
Thiemanstraße 36a,  12059 Berlin, Phone: +49 30 5682943-30
Internet: http://www.tarent.de/ • Fax: +49 228 52675-25

Re: NPE when no token delivered with SecurityPolicy?

Posted by Daniel Kulp <dk...@apache.org>.
Actually, I think just sticking a null check in there works fine.  No need to 
throw an exception.   With the check, the policy would not be asserted and 
when the policy is checked later, an exception would be thrown.

Just committed to trunk.

Dan


On Tuesday 10 August 2010 9:17:08 am Michael Kleinhenz wrote:
> Hi,
> 
> I have a CXF SOAP service configured to require a SAML token. If I try
> to access that service without a token, the server throws a NPE:
> 
> java.lang.NullPointerException
> 	at
> org.apache.cxf.ws.security.policy.interceptors.IssuedTokenInterceptorProvid
> er$IssuedTokenInInterceptor.handleMessage(IssuedTokenInterceptorProvider.ja
> va:198)
> 
> The corresponding code line in IssuedTokenInterceptorProvider reads like
> this:
> 
>  Vector results = (Vector)message.get(WSHandlerConstants.RECV_RESULTS);
>  for (int i = 0; i < results.size(); i++) {
>          WSHandlerResult rResult = (WSHandlerResult) results.get(i);
>  [..]
> 
> Shouldn't this check for results being null like this:
> 
>  Vector results = null;
>  if ((results = (Vector)message
> 		.get(WSHandlerConstants.RECV_RESULTS)) == null) {
> 	throw new RuntimeException("No security results!");
>  }
>  for (int i = 0; i < results.size(); i++) {
>          WSHandlerResult rResult = (WSHandlerResult) results.get(i);
> 
> (maybe with something else than a RTE obviously)?
> 
> Maybe I have done something wrong in the server configuration, but the
> execution never reaches my security callback to check the (even
> non-existent) token but fails right at retrieving the RECV_RESULTS key
> from the message context.
> 
> Any opinions?
> 
> Thanks,
> Michael

-- 
Daniel Kulp
dkulp@apache.org
http://dankulp.com/blog
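
Added example, not part of the thread and not CXF or WSS4J code: a simplified Java model of the behaviour described in the reply above, where the token interceptor tolerates a missing RECV_RESULTS entry, leaves the requirement unasserted, and a later policy check rejects the request. All class, method and key names here are hypothetical stand-ins, and the two messages in main are constructed sample input.

```java
import java.util.*;
// Simplified model of the flow discussed in the thread. The class, method and
// key names are hypothetical stand-ins, not CXF or WSS4J types.
public class FailClosedPolicyDemo {
    static final String RECV_RESULTS = "RECV_RESULTS"; // stand-in message key

    // One policy requirement and whether an interceptor confirmed it.
    static class Assertion {
        final String name;
        boolean asserted;
        Assertion(String name) { this.name = name; }
    }

    // Token interceptor: asserts the requirement only if security results exist.
    static void tokenInterceptor(Map<String, Object> message, Assertion issuedToken) {
        @SuppressWarnings("unchecked")
        List<String> results = (List<String>) message.get(RECV_RESULTS);
        if (results == null) {
            return; // no security header was processed: leave it unasserted
        }
        issuedToken.asserted = results.contains("SAML");
    }

    // Later verification step: any unasserted requirement rejects the request.
    static void verifyPolicy(List<Assertion> required) {
        for (Assertion a : required) {
            if (!a.asserted) {
                throw new SecurityException("policy not satisfied: " + a.name);
            }
        }
    }

    // Runs both stages and reports the outcome for one incoming message.
    static String handle(Map<String, Object> message) {
        Assertion issuedToken = new Assertion("IssuedToken");
        tokenInterceptor(message, issuedToken);
        try {
            verifyPolicy(List.of(issuedToken));
            return "accepted";
        } catch (SecurityException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        Map<String, Object> noToken = new HashMap<>(); // constructed: no token sent
        Map<String, Object> withToken = new HashMap<>();
        withToken.put(RECV_RESULTS, List.of("SAML")); // constructed: token processed
        System.out.println(handle(noToken));
        System.out.println(handle(withToken));
    }
}
```

The request without a token still fails, but through the policy check with a meaningful error rather than through a NullPointerException inside the interceptor.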