Uploaded image for project: 'Undertow'
  1. Undertow
  2. UNDERTOW-1085

ServletSecurityRoleHandler throws NullPointerException

    XMLWordPrintable

Details

    • Bug
    • Resolution: Done
    • Minor
    • 2.0.0.Beta1, 1.4.17.Final
    • 1.4.15.Final
    • Servlet
    • None
    • Hide

      ServletSecurityRoleHandler throws NullPointerException if securityDisabled is true.

      Test case:

      import java.io.IOException;
import java.io.Writer;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import io.undertow.Undertow;
import io.undertow.server.HttpHandler;
import io.undertow.server.handlers.PathHandler;
import io.undertow.servlet.api.DeploymentInfo;
import io.undertow.servlet.api.DeploymentManager;
import io.undertow.servlet.api.ServletContainer;
import io.undertow.servlet.api.ServletInfo;

public class DisableSecurityTest {

    public static class HelloWorldServlet extends HttpServlet {

        private static final long serialVersionUID = 1L;

        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
            try (Writer writer = resp.getWriter()) {
                writer.write("hi");
            }
        }
    }

    public static void main(String[] args) {
        DeploymentInfo deployment = new DeploymentInfo();
        deployment.setContextPath("/");
        deployment.setDeploymentName("test");
        deployment.setClassLoader(Thread.currentThread().getContextClassLoader());
        deployment.setSecurityDisabled(true);

        deployment.addServlet(
                        new ServletInfo("HelloWorldServlet", HelloWorldServlet.class)
                        .addMapping("/hi"));

        ServletContainer container = ServletContainer.Factory.newInstance();
        DeploymentManager manager = container.addDeployment(deployment);
        HttpHandler handler;
        PathHandler root;
        try {
            manager.deploy();
            handler = manager.start();
            root = new PathHandler();
            root.addPrefixPath(deployment.getContextPath(), handler);
        } catch (ServletException e) {
            throw new RuntimeException(e);
        }

        Undertow server = Undertow
                            .builder()
                            .addHttpListener(8080, "localhost")
                            .setHandler(root)
                            .build();

        server.start();
    }
}

      Bug fix:

      public class ServletPathMatches {
    private static ServletChain servletChain(HttpHandler next, final ManagedServlet managedServlet, final String servletPath, final DeploymentInfo deploymentInfo, boolean defaultServlet) {
        ++++ if (!deploymentInfo.isSecurityDisabled()) {
            HttpHandler servletHandler = new ServletSecurityRoleHandler(next, deploymentInfo.getAuthorizationManager());
            servletHandler = wrapHandlers(servletHandler, managedServlet.getServletInfo().getHandlerChainWrappers());
++++ return new ServletChain(servletHandler, managedServlet, servletPath, defaultServlet);
        ++++ }
        return new ServletChain(next, managedServlet, servletPath, defaultServlet);
    }
}

      Stack Trace:

      java.lang.NullPointerException
	at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:55)
	at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
	at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
	at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
	at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
	at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
	at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
	at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
	at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
	at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
	at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
	at io.undertow.server.Connectors.executeRootHandler(Connectors.java:211)
	at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:809)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
	at java.lang.Thread.run(Thread.java:745)
      Show
      ServletSecurityRoleHandler throws NullPointerException if securityDisabled is true. Test case: import java.io.IOException; import java.io.Writer; import javax.servlet.ServletException; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import io.undertow.Undertow; import io.undertow.server.HttpHandler; import io.undertow.server.handlers.PathHandler; import io.undertow.servlet.api.DeploymentInfo; import io.undertow.servlet.api.DeploymentManager; import io.undertow.servlet.api.ServletContainer; import io.undertow.servlet.api.ServletInfo; public class DisableSecurityTest { public static class HelloWorldServlet extends HttpServlet { private static final long serialVersionUID = 1L; @Override protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException { try (Writer writer = resp.getWriter()) { writer.write( "hi" ); } } } public static void main( String [] args) { DeploymentInfo deployment = new DeploymentInfo(); deployment.setContextPath( "/" ); deployment.setDeploymentName( "test" ); deployment.setClassLoader( Thread .currentThread().getContextClassLoader()); deployment.setSecurityDisabled( true ); deployment.addServlet( new ServletInfo( "HelloWorldServlet" , HelloWorldServlet.class) .addMapping( "/hi" )); ServletContainer container = ServletContainer.Factory.newInstance(); DeploymentManager manager = container.addDeployment(deployment); HttpHandler handler; PathHandler root; try { manager.deploy(); handler = manager.start(); root = new PathHandler(); root.addPrefixPath(deployment.getContextPath(), handler); } catch (ServletException e) { throw new RuntimeException(e); } Undertow server = Undertow .builder() .addHttpListener(8080, "localhost" ) .setHandler(root) .build(); server.start(); } } Bug fix: public class ServletPathMatches { private static ServletChain servletChain(HttpHandler next, final ManagedServlet managedServlet, final String servletPath, final DeploymentInfo deploymentInfo, boolean defaultServlet) { ++++ if (!deploymentInfo.isSecurityDisabled()) { HttpHandler servletHandler = new ServletSecurityRoleHandler(next, deploymentInfo.getAuthorizationManager()); servletHandler = wrapHandlers(servletHandler, managedServlet.getServletInfo().getHandlerChainWrappers()); ++++ return new ServletChain(servletHandler, managedServlet, servletPath, defaultServlet); ++++ } return new ServletChain(next, managedServlet, servletPath, defaultServlet); } } Stack Trace: java.lang.NullPointerException at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:55) at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292) at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81) at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138) at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135) at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48) at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272) at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104) at io.undertow.server.Connectors.executeRootHandler(Connectors.java:211) at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:809) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang. Thread .run( Thread .java:745)

    Attachments

      Activity

        People

          sdouglas1@redhat.com Stuart Douglas
          ui4j_jira Ozhan Duz (Inactive)
          Votes:
          0 Vote for this issue
          Watchers:
          1 Start watching this issue

          Dates

            Created:
            Updated:
            Resolved: