Posted to oak-issues@jackrabbit.apache.org by "angela (JIRA)" <ji...@apache.org> on 2019/04/11 14:42:00 UTC

[jira] [Created] (OAK-8229) LoginModuleImpl.commit will end in NPE if credentials are null

angela created OAK-8229:
---------------------------

             Summary: LoginModuleImpl.commit will end in NPE if credentials are null
                 Key: OAK-8229
                 URL: https://issues.apache.org/jira/browse/OAK-8229
             Project: Jackrabbit Oak
          Issue Type: Bug
          Components: core, security
            Reporter: angela
            Assignee: angela


[~stillalex], I spotted an NPE with {{LoginModuleImpl.commit}} under the following circumstances:

- no {{Credentials}} have been extracted during the login() (see {{getCredentials}})
- if the {{Subject}} is not read-only, commit() will add the null credentials object to the public credentials set
- the subsequent attempt to also add the {{AuthInfo}} will result in an NPE.

The fix should be fairly easy, avoiding pushing null credentials to the subject.

{code}
if (!subject.isReadOnly()) {
    Set<Principal> principals = subject.getPrincipals();
    if (principal != null) {
        principals.addAll(getPrincipals(principal));
    } else if (userId != null) {
        principals.addAll(getPrincipals(userId));
    }
    // FIX: extra check for null
    if (credentials != null) {
        subject.getPublicCredentials().add(credentials);
    }
    setAuthInfo(createAuthInfo(principals), subject);
} else {
    log.debug("Could not add information to read only subject {}", subject);
}
{code}




--
This message was sent by Atlassian JIRA
(v7.6.3#76005)