  1. WildFly Elytron
  2. ELY-738

Coverity static analysis: Dereference null return value in SingleSignOnServerMechanismFactory (Elytron)


    • Bug
    • Resolution: Done
    • Major
    • 1.1.0.Beta15

      Coverity static-analysis scan found a possible call on a null object in the SingleSignOnServerMechanismFactory.evaluateRequest() method:

      getTargetMechanism(mechanismName, singleSignOnSession).evaluateRequest(createHttpServerRequest(request, singleSignOnSession));
      

      https://scan7.coverity.com/reports.htm#v16159/p11778/fileInstanceId=5760259&defectInstanceId=1541379&mergedDefectId=1369284

      The problem is the getTargetMechanism call, which just calls an HttpServerAuthenticationMechanismFactory.createAuthenticationMechanism() method.

      The createAuthenticationMechanism method doesn't declare that it could return null; nevertheless, the implementations use null as a fallback (e.g. look at ServerMechanismFactoryImpl.createAuthenticationMechanism()).

      Suggested improvement
      I see 2 possible solutions:
      1. Declare in the javadoc of the HttpServerAuthenticationMechanismFactory.createAuthenticationMechanism() method that it can return null, and add the null-check into the SingleSignOnServerMechanismFactory.evaluateRequest() method
      2. or throw an exception from HttpServerAuthenticationMechanismFactory.createAuthenticationMechanism() implementations instead of returning null

            rhn-support-ivassile Ilia Vassilev
            josef.cacek@gmail.com Josef Cacek (Inactive)
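
The two options from the report, side by side with the flagged pattern, as an added example that is not Elytron code. `Mechanism`, `MechanismFactory`, `AuthException` and the sample inputs are simplified, hypothetical stand-ins for the interfaces named above.

```java
// Added example with simplified stand-in types (assumptions), not Elytron's interfaces.
public class NullMechanismDemo {
    static class AuthException extends Exception {
        AuthException(String msg) { super(msg); }
    }
    interface Mechanism { void evaluateRequest(String request) throws AuthException; }
    interface MechanismFactory { Mechanism create(String name) throws AuthException; }

    // Constructed factory that uses null as its fallback for unknown mechanism names.
    static final MechanismFactory NULL_FALLBACK = name ->
            "BASIC".equals(name) ? request -> System.out.println("BASIC handled " + request) : null;

    // The flagged pattern: the factory result is dereferenced without a check.
    static void unchecked(MechanismFactory f, String name, String request) throws AuthException {
        f.create(name).evaluateRequest(request); // NullPointerException if create() returned null
    }

    // Option 1: the contract documents null and the caller checks for it.
    // Raising AuthException on null is this example's choice, not something the report specifies.
    static void nullChecked(MechanismFactory f, String name, String request) throws AuthException {
        Mechanism m = f.create(name);
        if (m == null) {
            throw new AuthException("no mechanism available for " + name);
        }
        m.evaluateRequest(request);
    }

    // Option 2: the factory throws instead of returning null, so callers never see null.
    static MechanismFactory throwing(MechanismFactory delegate) {
        return name -> {
            Mechanism m = delegate.create(name);
            if (m == null) {
                throw new AuthException("unsupported mechanism " + name);
            }
            return m;
        };
    }

    public static void main(String[] args) throws AuthException {
        nullChecked(NULL_FALLBACK, "BASIC", "GET /app"); // known name works as before
        try { unchecked(NULL_FALLBACK, "UNKNOWN", "GET /app"); }
        catch (NullPointerException e) { System.out.println("unchecked: NullPointerException"); }
        try { nullChecked(NULL_FALLBACK, "UNKNOWN", "GET /app"); }
        catch (AuthException e) { System.out.println("option 1: " + e.getMessage()); }
        try { unchecked(throwing(NULL_FALLBACK), "UNKNOWN", "GET /app"); }
        catch (AuthException e) { System.out.println("option 2: " + e.getMessage()); }
    }
}
```

With option 2 the unchanged call site becomes safe, because the failure surfaces as a declared exception the caller already has to handle.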