Posted to wss4j-dev@ws.apache.org by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org> on 2009/05/06 12:25:30 UTC

[jira] Commented: (WSS-185) NullPointerException on empty UsernameToken

    [ https://issues.apache.org/jira/browse/WSS-185?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12706368#action_12706368 ] 

Colm O hEigeartaigh commented on WSS-185:
-----------------------------------------


I'll fix the WSUsernameTokenPrincipal on trunk to take a null username. However, to guard against null usernames/passwords, your callback handler implementation should throw an exception in the USERNAME_PASSWORD_UNKNOWN case for a null username/password.

> NullPointerException on empty UsernameToken
> -------------------------------------------
>
>                 Key: WSS-185
>                 URL: https://issues.apache.org/jira/browse/WSS-185
>             Project: WSS4J
>          Issue Type: Bug
>          Components: WSS4J Core
>    Affects Versions: 1.5.7
>         Environment: JDK 1.5
>            Reporter: Alex Suzuki
>            Assignee: Ruchith Udayanga Fernando
>
> An empty UsernameToken causes a NullPointerException in WSS4J. The NullPointerException is explicitly thrown,
> not the result of a programming error.
> The only way for client code to handle this gracefully seems to be to catch the NullPointerException and match the
> string 'illegal null input'. Perhaps returning an empty principal or throwing an IllegalArgumentException would be
> more suitable.
> Stack trace:
> java.lang.NullPointerException: illegal null input
> 	at org.apache.ws.security.WSUsernameTokenPrincipal.<init>(WSUsernameTokenPrincipal.java:67)
> 	at org.apache.ws.security.WSSecurityEngine.handleUsernameToken(WSSecurityEngine.java:893)
> 	at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:379)
> 	at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:259)
> 	at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:212)
>        ....
> Example fragment:
> <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
>    <soapenv:Header>
>       <wsse:Security soapenv:actor="http://schemas.xmlsoap.org/soap/actor/next" soapenv:mustUnderstand="0" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
>          <wsse:UsernameToken>
>             <wsse:Username></wsse:Username>
>             <wsse:Password></wsse:Password>
>          </wsse:UsernameToken>
>       </wsse:Security>
>    </soapenv:Header>
>    <soapenv:Body>
>         <!-- some body -->
>    </soapenv:Body>
> </soapenv:Envelope>

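An added example, not part of the original message or of the WSS4J code base: one way a callback handler could reject null or empty credentials, as the comment above advises. It assumes the WSS4J 1.5.x `WSPasswordCallback` API and takes `USERNAME_TOKEN_UNKNOWN` to be the usage the comment refers to; the class name and the in-memory user map are hypothetical.

```java
import java.io.IOException;
import java.security.MessageDigest;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback;

// Hypothetical handler (example code, JDK 1.5 compatible).
public class StrictUsernameTokenHandler implements CallbackHandler {

    // Constructed credential source for the example; a real service would
    // look up a salted password hash instead of a plaintext map.
    private final Map<String, String> users;

    public StrictUsernameTokenHandler(Map<String, String> users) {
        this.users = users;
    }

    public void handle(Callback[] callbacks)
            throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (!(cb instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(cb, "unsupported callback");
            }
            WSPasswordCallback pc = (WSPasswordCallback) cb;
            // Assumption: this is the usage the comment calls the "unknown" case,
            // where WSS4J hands over the token's password for the handler to verify.
            if (pc.getUsage() != WSPasswordCallback.USERNAME_TOKEN_UNKNOWN) {
                throw new UnsupportedCallbackException(cb, "unsupported usage");
            }
            String user = pc.getIdentifer();    // spelled this way in the 1.5.x API
            String supplied = pc.getPassword(); // value taken from the UsernameToken

            // Fail closed on the empty token from WSS-185: elements that are
            // present but empty arrive here as null or "".
            if (user == null || user.length() == 0
                    || supplied == null || supplied.length() == 0) {
                throw new IOException("empty UsernameToken rejected");
            }
            String expected = users.get(user);
            // Same error for unknown user and wrong password; byte-wise compare
            // (constant-time on current JDKs).
            if (expected == null || !MessageDigest.isEqual(
                    expected.getBytes("UTF-8"), supplied.getBytes("UTF-8"))) {
                throw new IOException("authentication failed");
            }
        }
    }
}
```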