Mantis - Resin
Viewing Issue Advanced Details
ID: 469
Severity: minor
Reproducibility: always
Date Submitted: 11-30-05 10:56
Last Update: 01-26-06 19:31
Reporter: ferg
Assigned To: ferg
Priority: high
Status: closed
Resolution: fixed
Projection: none
ETA: none
Fixed in Version: 3.0.18
0000469: Container-Managed security nullpointer
(rep by Shane Cruz)

When recently switching to container-managed security (and FORM-based authentication) in Resin Pro 3.0.14 we noticed what appears to be a bug in Resin that results in a NullPointerException being thrown. The error occurs in the following scenario:
 
Web Application Name: bo20
 
Security Constraints (specified in web.xml):
 
      <security-constraint>
            <web-resource-collection>
                  <web-resource-name>BrokerOfficeApp</web-resource-name>
                  <description>Broker Office Web Application</description>
                  <url-pattern>/app/*</url-pattern>
            </web-resource-collection>
 
            <auth-constraint>
                  <role-name>BROKER_OFFICE</role-name>
            </auth-constraint>
 
            <user-data-constraint>
                  <transport-guarantee>NONE</transport-guarantee>
            </user-data-constraint>
      </security-constraint>
 
      <login-config>
 
            <auth-method>FORM</auth-method>
 
            <form-login-config>
                  <form-login-page>/login.do</form-login-page>
                  <form-error-page>/loginError.do</form-error-page>
            </form-login-config>
 
      </login-config>
 
To get the NPE, the client browser requests a secure page (e.g., /bo20/app/home.do). Resin correctly redirects the request to the login.do page that contains the j_security_check form. Once authenticated, the user is properly redirected to /bo20/app/home.do. Up until this point, everything is working fine. The problem occurs when the user clicks on any link from the main page and then clicks the back button. When this happens, Resin throws a NullPointerException because the client request is for /bo20/app/j_security_check.
 
Shouldn’t Resin be doing a redirect after the container authentication so the back button does not attempt to load the j_security_check page? Is there some way for us to work around this that I am not aware of?
 
We also noticed that if an unauthenticated user requests a secure page and then sits on the login screen until the session times out, a successful login will also cause an NPE. I am guessing this is because Resin is storing the user-requested URL in the session. Shouldn’t Resin also be handling this scenario so an NPE does not occur?
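As an added illustration (not Resin's code and not part of the report above): a hypothetical form-login servlet that handles the two situations described, a request for j_security_check that carries no credentials and a login whose session no longer holds the originally requested URL. It assumes a Hashtable-backed user table, as the trace below points at, and an assumed session attribute name for the saved URL.

```java
import java.io.IOException;
import java.util.Hashtable;
import javax.servlet.ServletException;
import javax.servlet.http.*;

// Hypothetical replacement for a form-login action; field and attribute names are assumed.
public class SafeFormLoginServlet extends HttpServlet {
  // Constructed stand-in for the XML user table. Hashtable.get(null) throws
  // NullPointerException, so the key must be checked before the lookup.
  private final Hashtable<String, String> users = new Hashtable<String, String>();
  private static final String SAVED_URL = "saved.request.url"; // assumed attribute name
  private static final String DEFAULT_URL = "/app/home.do";     // assumed landing page

  public void init() { users.put("alice", "secret"); }          // constructed sample user

  protected void service(HttpServletRequest req, HttpServletResponse res)
      throws ServletException, IOException {
    String user = req.getParameter("j_username");
    String pass = req.getParameter("j_password");

    // Case 1: j_security_check reached without a credential POST (back button,
    // bookmark, plain GET). Send the user to the login page; never touch the table.
    if (!"POST".equals(req.getMethod()) || user == null || pass == null) {
      res.sendRedirect(req.getContextPath() + "/login.do");
      return;
    }

    String expected = users.get(user);   // safe: user is non-null here
    if (expected == null || !expected.equals(pass)) {
      res.sendRedirect(req.getContextPath() + "/loginError.do");
      return;
    }

    HttpSession session = req.getSession(true);
    // Case 2: the session that held the requested URL may have expired, so a
    // missing attribute falls back to a default page instead of being dereferenced.
    String target = (String) session.getAttribute(SAVED_URL);
    session.removeAttribute(SAVED_URL);
    if (target == null) target = req.getContextPath() + DEFAULT_URL;

    session.setAttribute("user", user);
    // Redirect rather than forward so the browser's history entry is the target
    // page, not j_security_check; the back button then never re-requests the action.
    res.sendRedirect(res.encodeRedirectURL(target));
  }
}
```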
 

Notes
(0000494)
ferg   
11-30-05 10:57   
java.lang.NullPointerException
at java.util.Hashtable.get(Hashtable.java:336)
at com.caucho.server.security.XmlAuthenticator.loginImpl(XmlAuthenticator.java:138)
at com.caucho.server.security.AbstractAuthenticator.login(AbstractAuthenticator.java:206)
at com.caucho.server.security.AuthenticatorList.login(AuthenticatorList.java:103)
at com.caucho.server.security.FormLoginServlet.service(FormLoginServlet.java:76)
at com.caucho.server.dispatch.ServletFilterChain.doFilter(ServletFilterChain.java:99)
at com.caucho.server.webapp.NamedDispatcherImpl.forward(NamedDispatcherImpl.java:119)
at com.caucho.server.dispatch.ForwardFilterChain.doFilter(ForwardFilterChain.java:74)
at com.caucho.server.security.SecurityFilterChain.doFilter(SecurityFilterChain.java:135)
at com.caucho.server.cache.CacheFilterChain.doFilter(CacheFilterChain.java:209)
at com.caucho.server.webapp.WebAppFilterChain.doFilter(WebAppFilterChain.java:163)
at com.caucho.server.dispatch.ServletInvocation.service(ServletInvocation.java:208)
at com.caucho.server.http.HttpRequest.handleRequest(HttpRequest.java:259)
at com.caucho.server.port.TcpConnection.run(TcpConnection.java:363)
at com.caucho.util.ThreadPool.runTasks(ThreadPool.java:490)
at com.caucho.util.ThreadPool.run(ThreadPool.java:423)
at java.lang.Thread.run(Thread.java:595)
(0000799)
ferg   
01-26-06 19:31   
server/12h4