| Anonymous | Login | Signup for a new account | 04-23-2024 21:37 PDT |
| Main | My View | View Issues | Change Log | Docs |
| Viewing Issue Simple Details [ Jump to Notes ] | [ View Advanced ] [ Issue History ] [ Print ] | ||||||||
| ID | Category | Severity | Reproducibility | Date Submitted | Last Update | ||||
| 0000469 | [Resin] | minor | always | 11-30-05 10:56 | 01-26-06 19:31 | ||||
| Reporter | ferg | View Status | public | ||||||
| Assigned To | ferg | ||||||||
| Priority | high | Resolution | fixed | ||||||
| Status | closed | Product Version | |||||||
| Summary | 0000469: Container-Managed security nullpointer | ||||||||
| Description |
(rep by Shane Cruz) When recently switching to container-managed security (and FORM-based authentication) in Resin Pro 3.0.14 we noticed what appears to be a bug in Resin that results in a NullPointerException being thrown. The error occurs in the following scenario: Web Application Name: bo20 Security Constraints (specified in web.xml): <security-constraint> <web-resource-collection> <web-resource-name>BrokerOfficeApp</web-resource-name> <description>Broker Office Web Application</description> <url-pattern>/app/*</url-pattern> </web-resource-collection> <auth-constraint> <role-name>BROKER_OFFICE</role-name> </auth-constraint> <user-data-constraint> <transport-guarantee>NONE</transport-guarantee> </user-data-constraint> </security-constraint> <login-config> <auth-method>FORM</auth-method> <form-login-config> <form-login-page>/login.do</form-login-page> <form-error-page>/loginError.do</form-error-page> </form-login-config> </login-config> To get the NPE, the client browser requests a secure page (e.g., /bo20/app/home.do). Resin correctly redirects the request to the login.do page that contains the j_security_check form. Once authenticated, the user is properly redirected to /bo20/app/home.do. Up until this point, everything is working fine. The problem occurs when the user clicks on any link from the main page and then clicks the back button. When this happens, Resin throws a NullPointerException because the client request is for /bo20/app/j_security_check. Shouldn’t Resin be doing a redirect after the container authentication so the back button does not attempt to load the j_security_check page? Is there some way for us to work around this that I am not aware of? We also noticed that if an unauthenticated user requests a secure page and then sits on the login screen until the session times out, a successful login will also cause a NPE. I am guessing this is because Resin is storing the user-requested URL in the session. Shouldn’t Resin also be handling this scenario so a NPE does not occur? |
||||||||
| Additional Information | |||||||||
| Attached Files | |||||||||
|
|
|||||||||
 Relationships |
|
|
Notes |
|
|
(0000494) ferg 11-30-05 10:57 |
java.lang.NullPointerException at java.util.Hashtable.get(Hashtable.java:336) at com.caucho.server.security.XmlAuthenticator.loginImpl(XmlAuthenticator.java:138) at com.caucho.server.security.AbstractAuthenticator.login(AbstractAuthenticator.java:206) at com.caucho.server.security.AuthenticatorList.login(AuthenticatorList.java:103) at com.caucho.server.security.FormLoginServlet.service(FormLoginServlet.java:76) at com.caucho.server.dispatch.ServletFilterChain.doFilter(ServletFilterChain.java:99) at com.caucho.server.webapp.NamedDispatcherImpl.forward(NamedDispatcherImpl.java:119) at com.caucho.server.dispatch.ForwardFilterChain.doFilter(ForwardFilterChain.java:74) at com.caucho.server.security.SecurityFilterChain.doFilter(SecurityFilterChain.java:135) at com.caucho.server.cache.CacheFilterChain.doFilter(CacheFilterChain.java:209) at com.caucho.server.webapp.WebAppFilterChain.doFilter(WebAppFilterChain.java:163) at com.caucho.server.dispatch.ServletInvocation.service(ServletInvocation.java:208) at com.caucho.server.http.HttpRequest.handleRequest(HttpRequest.java:259) at com.caucho.server.port.TcpConnection.run(TcpConnection.java:363) at com.caucho.util.ThreadPool.runTasks(ThreadPool.java:490) at com.caucho.util.ThreadPool.run(ThreadPool.java:423) at java.lang.Thread.run(Thread.java:595) |
|
(0000799) ferg 01-26-06 19:31 |
server/12h4 |
|
Issue History |
|||
| Date Modified | Username | Field | Change |
| 11-30-05 10:56 | ferg | New Issue | |
| 11-30-05 10:57 | ferg | Note Added: 0000494 | |
| 11-30-05 14:10 | ferg | Status | new => assigned |
| 11-30-05 14:10 | ferg | Assigned To | => ferg |
| 11-30-05 14:10 | ferg | Status | assigned => acknowledged |
| 01-26-06 19:31 | ferg | Note Added: 0000799 | |
| 01-26-06 19:31 | ferg | Status | acknowledged => closed |
| 01-26-06 19:31 | ferg | Resolution | open => fixed |
| 01-26-06 19:31 | ferg | Fixed in Version | => 3.0.18 |
| 01-26-06 19:31 | ferg | View Status | @0@ => public |
| Mantis 1.0.0rc3[^]
Copyright © 2000 - 2005 Mantis Group
30 total queries executed. 26 unique queries executed. |  |
