Posted to dev@geronimo.apache.org by "David Jencks (JIRA)" <de...@geronimo.apache.org> on 2005/07/22 23:32:46 UTC

[jira] Updated: (GERONIMO-646) Servlet calling HttpServletRequest.isUserInRole(null) causes NPE using Jetty container

     [ http://issues.apache.org/jira/browse/GERONIMO-646?page=all ]

David Jencks updated GERONIMO-646:
----------------------------------

    Fix Version: 1.0-M5
    Description: 
The servlet isUserInRole call eventually gets delegated to
org.apache.geronimo.jetty.JAASJettyRealm.isUserInRole, which causes a NPE in 
javax.security.jacc.WebRoleRefPermission.hashCode().

JAASJettyRealm.isUserInRole creates a WebRoleRefPermission, passing it the 
null role that it was passed, then delegates the role check to 
java.security.AccessControlContext.checkPermission, passing it the WebRoleRefPermission.
When the web role ref permission gets checked, eventually its hashcode method is called,
which tries to compute the hash by getting the hashcode of the (null) role name,
which throws the NPE.


  was:
The servlet isUserInRole call eventually gets delegated to
org.apache.geronimo.jetty.JAASJettyRealm.isUserInRole, which causes a NPE in 
javax.security.jacc.WebRoleRefPermission.hashCode().

JAASJettyRealm.isUserInRole creates a WebRoleRefPermission, passing it the 
null role that it was passed, then delegates the role check to 
java.security.AccessControlContext.checkPermission, passing it the WebRoleRefPermission.
When the web role ref permission gets checked, eventually its hashcode method is called,
which tries to compute the hash by getting the hashcode of the (null) role name,
which throws the NPE.



We should decide about changing WebRoleRefPermission in M5.

> Servlet calling HttpServletRequest.isUserInRole(null) causes NPE using Jetty container
> --------------------------------------------------------------------------------------
>
>          Key: GERONIMO-646
>          URL: http://issues.apache.org/jira/browse/GERONIMO-646
>      Project: Geronimo
>         Type: Bug
>   Components: web
>     Versions: 1.0-M4
>  Environment: All
>     Reporter: Tom McQueeney
>     Assignee: Alan Cabrera
>     Priority: Minor
>      Fix For: 1.0-M5
>  Attachments: JAASJettyRealm-patch.txt, WebRoleRefPermission-patch.txt, WebRoleRefPermissionTest-patch.txt
>
> The servlet isUserInRole call eventually gets delegated to
> org.apache.geronimo.jetty.JAASJettyRealm.isUserInRole, which causes a NPE in 
> javax.security.jacc.WebRoleRefPermission.hashCode().
> JAASJettyRealm.isUserInRole creates a WebRoleRefPermission, passing it the 
> null role that it was passed, then delegates the role check to 
> java.security.AccessControlContext.checkPermission, passing it the WebRoleRefPermission.
> When the web role ref permission gets checked, eventually its hashcode method is called,
> which tries to compute the hash by getting the hashcode of the (null) role name,
> which throws the NPE.

-- 
This message is automatically generated by JIRA.
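
The failure mode described in this issue, as an added example that is not part of the original message and is not the content of the attached patches: a role check that builds a permission from a null role throws when the permission is hashed, while a guarded check denies instead. RoleRefPermission, NullRoleCheckDemo, both method names and the "OrderServlet"/"admin" values are hypothetical, and a java.security.Permissions collection stands in for the access-control check.

```java
import java.security.Permission;
import java.security.Permissions;

public class NullRoleCheckDemo {
    // Hypothetical stand-in for a role-ref permission: like the class in the
    // report, hashCode() dereferences the role name without a null check.
    static final class RoleRefPermission extends Permission {
        private final String role;
        RoleRefPermission(String servletName, String role) {
            super(servletName);
            this.role = role;
        }
        @Override public boolean implies(Permission p) { return equals(p); }
        @Override public boolean equals(Object o) {
            return o instanceof RoleRefPermission
                && getName().equals(((RoleRefPermission) o).getName())
                && role.equals(((RoleRefPermission) o).role);
        }
        @Override public int hashCode() { return getName().hashCode() ^ role.hashCode(); }
        @Override public String getActions() { return role; }
    }

    // Unguarded: the caller-supplied role goes straight into the permission.
    static boolean isUserInRoleUnguarded(Permissions granted, String servlet, String role) {
        return granted.implies(new RoleRefPermission(servlet, role));
    }

    // Guarded: a null role can never be held, so deny before building the permission.
    static boolean isUserInRole(Permissions granted, String servlet, String role) {
        if (role == null) {
            return false;
        }
        return granted.implies(new RoleRefPermission(servlet, role));
    }

    public static void main(String[] args) {
        Permissions granted = new Permissions();  // constructed sample grant
        granted.add(new RoleRefPermission("OrderServlet", "admin"));

        System.out.println(isUserInRole(granted, "OrderServlet", "admin"));
        System.out.println(isUserInRole(granted, "OrderServlet", "guest"));
        System.out.println(isUserInRole(granted, "OrderServlet", null));
        try {
            isUserInRoleUnguarded(granted, "OrderServlet", null);
        } catch (NullPointerException e) {
            System.out.println("unguarded check threw " + e);
        }
    }
}
```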