You are viewing a plain text version of this content. The canonical link for it is here.
Posted to oak-issues@jackrabbit.apache.org by "angela (JIRA)" <ji...@apache.org> on 2019/04/11 14:42:00 UTC
[jira] [Created] (OAK-8229) LoginModuleImpl.commit will end in NPE
if credentials are null
angela created OAK-8229:
---------------------------
Summary: LoginModuleImpl.commit will end in NPE if credentials are null
Key: OAK-8229
URL: https://issues.apache.org/jira/browse/OAK-8229
Project: Jackrabbit Oak
Issue Type: Bug
Components: core, security
Reporter: angela
Assignee: angela
[~stillalex], i spotted an NPE with {{LoginModuleImpl.commit}} under the following circumstances:
- no {{Credentials}} have been extracted during the login() (see {{getCredentials}}
- if the {{Subject}} is not read-only commit() will add the null credentials objects to the public credentials set
- the subsequent attempt to also add the {{AuthInfo}} will result in a NPE.
the fix should be fairly easy, avoiding pushing null credentials to the subject
{code}
if (!subject.isReadOnly()) {
Set<Principal> principals = subject.getPrincipals();
if (principal != null) {
principals.addAll(getPrincipals(principal));
} else if (userId != null) {
principals.addAll(getPrincipals(userId));
}
// FIX: extra check for null
if (credentials != null) {
subject.getPublicCredentials().add(credentials);
}
setAuthInfo(createAuthInfo(principals), subject);
} else {
log.debug("Could not add information to read only subject {}", subject);
}
{code}
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)