Posted to oak-issues@jackrabbit.apache.org by "angela (JIRA)" <ji...@apache.org> on 2019/04/11 16:42:00 UTC

[jira] [Resolved] (OAK-8229) LoginModuleImpl.commit will end in NPE if credentials are null

     [ https://issues.apache.org/jira/browse/OAK-8229?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

angela resolved OAK-8229.
-------------------------
       Resolution: Fixed
    Fix Version/s: 1.14.0

Committed revision 1857352.


> LoginModuleImpl.commit will end in NPE if credentials are null
> --------------------------------------------------------------
>
>                 Key: OAK-8229
>                 URL: https://issues.apache.org/jira/browse/OAK-8229
>             Project: Jackrabbit Oak
>          Issue Type: Bug
>          Components: core, security
>            Reporter: angela
>            Assignee: angela
>            Priority: Major
>             Fix For: 1.14.0
>
>
> [~stillalex], I spotted an NPE with {{LoginModuleImpl.commit}} under the following circumstances:
> - no {{Credentials}} have been extracted during the login() (see {{getCredentials}})
> - if the {{Subject}} is not read-only, commit() will add the null credentials object to the public credentials set
> - the subsequent attempt to also add the {{AuthInfo}} will result in an NPE.
> The fix should be fairly easy: avoid pushing null credentials to the subject.
> {code}
> if (!subject.isReadOnly()) {
>     Set<Principal> principals = subject.getPrincipals();
>     if (principal != null) {
>         principals.addAll(getPrincipals(principal));
>     } else if (userId != null) {
>         principals.addAll(getPrincipals(userId));
>     }
>     // FIX: extra check for null, so a missing Credentials object is never added to the public credentials set
>     if (credentials != null) {
>         subject.getPublicCredentials().add(credentials);
>     }
>     setAuthInfo(createAuthInfo(principals), subject);
> } else {
>     log.debug("Could not add information to read only subject {}", subject);
> }
> {code}



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
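The failure mode from the quoted issue, reproduced against javax.security.auth.Subject as an added example that is not Oak's own code: a null public credential goes into the Subject unnoticed, but Subject.getPublicCredentials(Class) dereferences every element while filtering by type, so the later AuthInfo lookup throws. The AuthInfo class is a stand-in, and setAuthInfo is assumed to mirror the pattern in Oak's AbstractLoginModule; the guarded branch of commit() is the null check that was committed.

```java
import java.util.Set;
import javax.security.auth.Subject;

public class NullCredentialsDemo {

    // Stand-in for Oak's AuthInfo (assumption: only its type matters here).
    static final class AuthInfo {
        final String userId;
        AuthInfo(String userId) { this.userId = userId; }
        @Override public String toString() { return "AuthInfo(" + userId + ")"; }
    }

    // Assumed to mirror AbstractLoginModule.setAuthInfo: drop any earlier AuthInfo, add the new one.
    // Subject.getPublicCredentials(Class) filters the set by calling getClass() on each element,
    // so a null element added earlier makes this lookup throw NullPointerException.
    static void setAuthInfo(AuthInfo authInfo, Subject subject) {
        Set<AuthInfo> existing = subject.getPublicCredentials(AuthInfo.class);
        if (!existing.isEmpty()) {
            subject.getPublicCredentials().removeAll(existing);
        }
        subject.getPublicCredentials().add(authInfo);
    }

    // Tail of commit() as quoted in the issue: guardNull=false is the pre-fix path, true is the fix.
    static String commit(Subject subject, Object credentials, boolean guardNull) {
        if (subject.isReadOnly()) {
            return "read-only subject, nothing added";
        }
        try {
            if (!guardNull || credentials != null) {
                subject.getPublicCredentials().add(credentials); // unguarded path may add null
            }
            setAuthInfo(new AuthInfo("anonymous"), subject);
            return "ok, public credentials = " + subject.getPublicCredentials();
        } catch (NullPointerException e) {
            return "NullPointerException during commit: " + e;
        }
    }

    public static void main(String[] args) {
        // Constructed inputs: no Credentials extracted during login(), or a dummy token object.
        System.out.println("unguarded, null credentials -> " + commit(new Subject(), null, false));
        System.out.println("guarded,   null credentials -> " + commit(new Subject(), null, true));
        System.out.println("guarded,   real credentials -> " + commit(new Subject(), "constructed-token", true));
    }
}
```

Only the first run reports the NullPointerException; with the guard in place a login that extracted no Credentials still gets its AuthInfo attached and the Subject stays consistent.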