Bug 54438 - Bug fix 52953 introduces NullPointerException in RealmBase.java line 409 when user not found in JDBC
Bug fix 52953 introduces NullPointerException in RealmBase.java line 409 when...
Status: RESOLVED FIXED
Product: Tomcat 7
Classification: Unclassified
Component: Catalina
7.0.27
All All
: P2 normal (vote)
: ---
Assigned To: Tomcat Developers Mailing List
:
Depends on:
Blocks:
  Show dependency tree
 
Reported: 2013-01-16 21:14 UTC by bruce weertman
Modified: 2013-01-17 14:33 UTC (History)
1 user (show)



Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description bruce weertman 2013-01-16 21:14:31 UTC
The fix to bug 52953 introduces a NullPointerException at line 409
in RealBase.java

For example compare:
http://svn.apache.org/repos/asf/tomcat/tc7.0.x/tags/TOMCAT_7_0_26/java/org/apache/catalina/realm/RealmBase.java

and 
http://svn.apache.org/repos/asf/tomcat/tc7.0.x/tags/TOMCAT_7_0_27/java/org/apache/catalina/realm/RealmBase.java


String md5a1 = getDigest(username, realm);
was changed to
String md5a1 = getDigest(username, realm).toLowerCase(Locale.ENGLISH);

If getDigest(username,realm) returns null if the user is not found
and as a result you get a NPE when toLowerCase() is invoked on the null.

I looked in the trunk, and the code hasn't changed.

Seems like there should already be a bug posted on this as it makes digest
authentication useless, but I can't find one!
Comment 1 bruce weertman 2013-01-16 21:18:49 UTC
There's also an issue with logging and this bug as the NullPointerException
is not logged in any of the standard log file (catalina.out etc).

For example, this is what is returned in a web browser, but no mention of this 
is found in any of the log files.

HTTP Status 500 -

type Exception report

message

description The server encountered an internal error that prevented it from fulfilling this request.

exception

java.lang.NullPointerException
	org.apache.catalina.realm.RealmBase.authenticate(RealmBase.java:409)
	org.apache.catalina.realm.CombinedRealm.authenticate(CombinedRealm.java:111)
	org.apache.catalina.realm.LockOutRealm.authenticate(LockOutRealm.java:150)
	org.apache.catalina.authenticator.DigestAuthenticator$DigestInfo.authenticate(DigestAuthenticator.java:720)
	org.apache.catalina.authenticator.DigestAuthenticator.authenticate(DigestAuthenticator.java:294)
	org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:544)
	org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
	org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:936)
	org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
	org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1004)
	org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
	org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:312)
	java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
	java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
	java.lang.Thread.run(Thread.java:680)
note The full stack trace of the root cause is available in the Apache Tomcat/7.0.34 logs.
Comment 2 Mark Thomas 2013-01-17 14:33:50 UTC
Thanks for the report. This has been fixed in trunk and 7.0.x and will be included in 7.0.36 onwards.