Bug 60694 - Potential NullPointerException in AuthenticatorBase.getJaspicProvider()
Summary: Potential NullPointerException in AuthenticatorBase.getJaspicProvider()
Status: RESOLVED FIXED
Alias: None
Product: Tomcat 8
Classification: Unclassified
Component: Catalina (show other bugs)
Version: 8.5.11
Hardware: All All
: P2 normal (vote)
Target Milestone: ----
Assignee: Tomcat Developers Mailing List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-02-06 09:04 UTC by Andy Wilkinson
Modified: 2017-02-14 09:29 UTC (History)
0 users



Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Andy Wilkinson 2017-02-06 09:04:04 UTC
AuthenticatorBase.getJaspicProvider() can throw a NullPointerException. The code in question is:

AuthConfigFactory factory = AuthConfigFactory.getFactory();
provider = factory.getConfigProvider("HttpServlet", jaspicAppContextID, this);

The javadoc for AuthConfigFactory.getFactory() states that it returns:

The non-null system-wide AuthConfigFactory instance set at the time of the call, or if that value was null, the value of the system-wide factory instance established by this method. This method returns null when the  system-wide factory was not defined when this method was called and no default factory name was defined via the security property.

When it returns null, a NullPointerException occurs:

java.lang.NullPointerException: null
            at org.apache.catalina.authenticator.AuthenticatorBase.getJaspicProvider(AuthenticatorBase.java:1192)
            at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:465)
            at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
            at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
            at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
            at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:349)
            at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:783)
            at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
            at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:798)
            at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1434)
            at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
            at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
            at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
            at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
            at java.lang.Thread.run(Thread.java:745)

This was originally reported against Spring Boot using embedded Tomcat when the user also had javax:javaee-api on the classpath.
Comment 1 Mark Thomas 2017-02-14 09:29:13 UTC
Thanks for the report.

Fixed in:
- trunk for 9.0.0.M18 onwards
- 8.5.x for 8.5.12 onwards

Earlier versions are not affected (no JASPIC support)