Bug 65308 - NPE in JNDIRealm when no userRoleAttribute is given
Summary: NPE in JNDIRealm when no userRoleAttribute is given
Alias: None
Product: Tomcat 10
Classification: Unclassified
Component: Catalina
Version: unspecified
Hardware: All All
Importance: P2 normal
Target Milestone: ------
Assignee: Tomcat Developers Mailing List
Depends on:
Reported: 2021-05-15 12:13 UTC by Felix Schumacher
Modified: 2021-05-25 17:54 UTC

Check for null values before escaping values (6.99 KB, patch)
2021-05-15 12:13 UTC, Felix Schumacher

Description Felix Schumacher 2021-05-15 12:13:52 UTC
Created attachment 37863
Check for null values before escaping values

This is a regression in JNDIRealm caused by Bug 65224.

If no "userRoleAttribute" is specified on the JNDIRealm, its default value of null will be used. That will cause an NPE in JNDIRealm#doFilterEscaping and/or JNDIRealm#doAttributeValueEscaping.

Mai 15, 2021 2:10:59 PM org.apache.catalina.realm.JNDIRealm authenticate
INFORMATION: Exception performing authentication. Retrying...
	at org.apache.catalina.realm.JNDIRealm.doAttributeValueEscaping(JNDIRealm.java:2889)
	at org.apache.catalina.realm.JNDIRealm.getRoles(JNDIRealm.java:1892)
	at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:1320)
	at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:1232)

Simplest solution is to return null in both escape methods, when null is passed in.

The attached patch also adds the unboundid-ldapsdk to the Eclipse class path.
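
The null guard described in the report above, as an added example (this is not the attached patch and not Tomcat's JNDIRealm source). The class and method names are hypothetical, and RFC 4515 filter-value escaping stands in for the realm's escape methods; it contrasts an escaper that dereferences its argument with one that passes null through unchanged.

```java
// Added illustration; not Tomcat code. All names here are hypothetical.
public class NullSafeLdapEscaping {

    /** RFC 4515 filter-value escaping without a null guard (the regression shape). */
    static String escapeFilterUnguarded(String input) {
        StringBuilder out = new StringBuilder(input.length()); // throws NPE when input is null
        appendEscaped(out, input);
        return out.toString();
    }

    /** Same escaping, but null in means null out, so an unset attribute stays unset. */
    static String escapeFilter(String input) {
        if (input == null) {
            return null;
        }
        StringBuilder out = new StringBuilder(input.length());
        appendEscaped(out, input);
        return out.toString();
    }

    /** Replaces the characters RFC 4515 requires to be escaped in a filter value. */
    private static void appendEscaped(StringBuilder out, String input) {
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '\\': out.append("\\5c"); break;
                case '*':  out.append("\\2a"); break;
                case '(':  out.append("\\28"); break;
                case ')':  out.append("\\29"); break;
                case '\0': out.append("\\00"); break;
                default:   out.append(c);
            }
        }
    }

    public static void main(String[] args) {
        // Constructed input: a realm configured without userRoleAttribute.
        String userRoleAttribute = null;
        System.out.println(escapeFilter("a*(b)\\c"));        // metacharacters are escaped
        System.out.println(escapeFilter(userRoleAttribute)); // null passes through, no exception
        try {
            escapeFilterUnguarded(userRoleAttribute);
        } catch (NullPointerException e) {
            System.out.println("unguarded escaper threw NullPointerException");
        }
    }
}
```

Keeping the guard inside the escaper, rather than skipping the call for optional attributes, means every call site still goes through escaping whenever a value is present.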
Comment 1 Remy Maucherat 2021-05-15 14:25:10 UTC
+1 for your patch, obviously. You can add the tests of course, but you could do without them as well; it's just adding a null check, so it cannot possibly break anything and we know it will work.
Comment 2 Felix Schumacher 2021-05-16 12:29:46 UTC
I kept the changes to the test cases, as they would catch the NPE in case
we re-introduce this bug.

Fixed in:
- 10.0.x for 10.0.7 onwards
- 9.0.x for 9.0.47 onwards
- 8.5.x for 8.5.67 onwards
Comment 3 Mark Thomas 2021-05-16 15:20:32 UTC
Thanks for catching this,
Comment 4 Mark Thomas 2021-05-25 17:54:59 UTC
*** Bug 65330 has been marked as a duplicate of this bug. ***