ServletRequestWrapper Null Pointer Error

flintdk
2011-10-12
2013-05-08
  • flintdk

    flintdk - 2011-10-12

    Hello all,

    I am currently using jGuard 1.0.4 for my webapp.  I recently noticed that in the class net.sf.jguard.jee.authentication.http.JGuardServletRequestWrapper jGuard provides an implementation of the 'isUserInRole()' method.  The implementation in version 1.0.4 is as follows:

        /**
         * wrap the isUserInRole method to check against
         * all the {@link RolePrincipal}'s set of the Subject object.
         * @param role : name of the principal(role) we are looking for
         * @return boolean :return 'true' if one of the principal the Subject
         * owns has got the same name.return 'false' otherwise.
         */
        public boolean isUserInRole(String role){
            String applicationName = (String) request.getSession(true).getServletContext().getAttribute(CoreConstants.APPLICATION_NAME);
            role = RolePrincipal.getName(role, applicationName);
            Subject subject = ((HttpAuthenticationUtils)request.getSession().getAttribute(HttpConstants.AUTHN_UTILS)).getSubject();
            Set principals = subject.getPrincipals(RolePrincipal.class);
            Iterator itPrincipals = principals.iterator();
            while(itPrincipals.hasNext()){
                Principal principal = (Principal)itPrincipals.next();
                if(role.equals(principal.getName())){
                    return true;
                }
            }
            return false;
        }
    

    This can lead to null pointer errors if the isUserInRole() method is called after the session is invalidated (as the authUtils will be null).  While this is an unusual scenario, it is not impossible.  I've added a null check (as follows) to my own version of the method which appears to fix the problem:

      public boolean isUserInRole(String role){
        String applicationName = (String) request.getSession(true).getServletContext().getAttribute(CoreConstants.APPLICATION_NAME);
        role = RolePrincipal.getName(role, applicationName);
        // if isUserInRole is called after the session has been invalidated, then
        // authUtils will be null - so perform a sanity check before referencing
        // them...
        HttpAuthenticationUtils authUtils = (HttpAuthenticationUtils) request.getSession().getAttribute(HttpConstants.AUTHN_UTILS);
        if (authUtils != null) {
          // reuse the instance fetched above instead of reading the session attribute a second time
          Subject subject = authUtils.getSubject();
          Set<RolePrincipal> principals = subject.getPrincipals(RolePrincipal.class);
          for (RolePrincipal principal : principals) {
            if (role.equals(principal.getName())) {
              return true;
            }
          }
        }
        return false;
      }
    

    I'm posting this here for general comment and to highlight this so it can be included in version 2.0 (if appropriate).

    Regards.

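    The fail-closed role check described in this post, written out as an added example on plain JDK types (it is not jGuard's own code). `RolePrincipal`, `AuthnState` and `SessionView` are constructed stand-ins for jGuard's `RolePrincipal`, `HttpAuthenticationUtils` and the `HttpSession` methods the check touches; the attribute key and the `"app#role"` qualifying convention are placeholders. The point it adds to the thread is that a wrapper should obtain the session with `getSession(false)` (so a check after invalidation neither creates a fresh session nor throws) and that every missing link in the chain, session, auth state or Subject, answers `false`:

    ```java
    import java.security.Principal;
    import java.util.HashMap;
    import java.util.Map;
    import java.util.Objects;
    import javax.security.auth.Subject;

    /** Constructed stand-in for jGuard's RolePrincipal (name is qualified with the application name). */
    final class RolePrincipal implements Principal {
        private final String name;
        RolePrincipal(String name) { this.name = Objects.requireNonNull(name); }
        /** Placeholder for jGuard's RolePrincipal.getName(role, applicationName); convention "app#role". */
        static String getName(String role, String applicationName) { return applicationName + "#" + role; }
        @Override public String getName() { return name; }
    }

    /** Constructed stand-in for HttpAuthenticationUtils: the session attribute that owns the Subject. */
    final class AuthnState {
        private final Subject subject;
        AuthnState(Subject subject) { this.subject = subject; }
        Subject getSubject() { return subject; }
    }

    /** Constructed stand-in for the one HttpSession method the check needs. */
    interface SessionView {
        Object getAttribute(String name);
    }

    final class RoleChecker {
        /** Placeholder for HttpConstants.AUTHN_UTILS; the real key value is not on the page. */
        static final String AUTHN_UTILS = "placeholder.authn.utils";

        /**
         * Fail-closed isUserInRole. In a real HttpServletRequestWrapper the caller would pass
         * getRequest().getSession(false), which is null once the session has been invalidated,
         * so the check never creates a new (unauthenticated) session as a side effect.
         */
        static boolean isUserInRole(SessionView session, String role, String applicationName) {
            if (session == null || role == null) {
                return false; // no live session: nobody is in any role
            }
            Object attr = session.getAttribute(AUTHN_UTILS);
            if (!(attr instanceof AuthnState)) {
                return false; // session exists but was never authenticated (or state was cleared)
            }
            Subject subject = ((AuthnState) attr).getSubject();
            if (subject == null) {
                return false;
            }
            String wanted = RolePrincipal.getName(role, applicationName);
            for (RolePrincipal p : subject.getPrincipals(RolePrincipal.class)) {
                if (wanted.equals(p.getName())) {
                    return true;
                }
            }
            return false;
        }

        /** Runs the four situations the thread is about: live+role, live+wrong role, never authenticated, invalidated. */
        public static void main(String[] args) {
            Subject subject = new Subject();
            subject.getPrincipals().add(new RolePrincipal(RolePrincipal.getName("admin", "myapp")));

            Map<String, Object> authenticated = new HashMap<>();
            authenticated.put(AUTHN_UTILS, new AuthnState(subject));
            SessionView liveSession = authenticated::get;

            Map<String, Object> anonymous = new HashMap<>(); // session without auth state
            SessionView anonymousSession = anonymous::get;

            SessionView invalidated = null; // what getSession(false) yields after invalidate()

            System.out.println("live, admin:      " + isUserInRole(liveSession, "admin", "myapp"));
            System.out.println("live, auditor:    " + isUserInRole(liveSession, "auditor", "myapp"));
            System.out.println("anonymous, admin: " + isUserInRole(anonymousSession, "admin", "myapp"));
            System.out.println("invalidated:      " + isUserInRole(invalidated, "admin", "myapp"));
        }
    }
    ```

    Compared with the patch above, the difference worth keeping is `getSession(false)`: `getSession()` and `getSession(true)` silently allocate a new session for the invalidated request, which masks the invalidation and can surprise any filter that treats "session present" as "authenticated".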
  • Charles Lescot

    Charles Lescot - 2011-11-05

    hi,
    sorry for the delay in answering, and thanks for your feedback.
    In the future 2.0 version, the logic of isUserInRole and getRemoteUser is handled by the JEERequestWrapperUtil class.
    A test has been created (jguard.git.sourceforge.net/git/gitweb.cgi?p=jguard/jguard;a=blob;f=jguard-jee/src/test/java/net/sf/jguard/jee/authentication/http/JEERequestWrapperUtilTest.java) to validate some nullity and emptiness tests added from your feedback (coverage 100%).

    Hope it addresses your remark, and thank you very much for your feedback!

    Charles.

  • flintdk

    flintdk - 2011-11-07

    Hi Charles,

    Thanks for taking the comments on board and for adding the test class. Can't wait to see jGuard 2.0!

    Regards,

    Tomás.
