RFR: 8282730: LdapLoginModule throw NPE from logout method after login failure

Weijun Wang weijun at openjdk.org
Fri Jul 8 04:06:39 UTC 2022


On Fri, 1 Jul 2022 17:31:06 GMT, Weijun Wang <weijun at openjdk.org> wrote:

> Add null-checks in all `LoginModule` implementations. It's possible that an application calls `logout` after a login failure, where most internal variables for principals and credentials are null and removing a null from the `Subject`'s principals and credentials sets will trigger a `NullPointerException`.

src/jdk.security.auth/share/classes/com/sun/security/auth/module/JndiLoginModule.java line 485:

> 483:         if (supplementaryGroups != null) {
> 484:             for (int i = 0; i < supplementaryGroups.size(); i++) {
> 485:                 subject.getPrincipals().remove(supplementaryGroups.get(i));

To be safest, I can check if `supplementaryGroups.get(i)` is null too. Same in `NTLoginModule` and `UnixLoginModule`.

src/jdk.security.auth/share/classes/com/sun/security/auth/module/NTLoginModule.java line 368:

> 366:         }
> 367:         if (groups != null) {
> 368:             for (int i = 0; groups != null && i < groups.length; i++) {

Oops, `groups != null` is already checked here. Will revert.

-------------

PR: https://git.openjdk.org/jdk/pull/9348


More information about the security-dev mailing list