RFR: 8282730: LdapLoginModule throw NPE from logout method after login failure
Weijun Wang
weijun at openjdk.org
Fri Jul 8 04:06:39 UTC 2022
On Fri, 1 Jul 2022 17:31:06 GMT, Weijun Wang <weijun at openjdk.org> wrote:
> Add null-checks in all `LoginModule` implementations. It's possible that an application calls `logout` after a login failure, where most internal variables for principals and credentials are null and removing a null from the `Subject`'s principals and credentials sets will trigger a `NullPointerException`.
src/jdk.security.auth/share/classes/com/sun/security/auth/module/JndiLoginModule.java line 485:
> 483: if (supplementaryGroups != null) {
> 484: for (int i = 0; i < supplementaryGroups.size(); i++) {
> 485: subject.getPrincipals().remove(supplementaryGroups.get(i));
To be safest, I can check if `supplementaryGroups.get(i)` is null too. Same in `NTLoginModule` and `UnixLoginModule`.
src/jdk.security.auth/share/classes/com/sun/security/auth/module/NTLoginModule.java line 368:
> 366: }
> 367: if (groups != null) {
> 368: for (int i = 0; groups != null && i < groups.length; i++) {
Oops, `groups != null` is already checked here. Will revert.
-------------
PR: https://git.openjdk.org/jdk/pull/9348
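A constructed illustration of the failure path this PR addresses, added here and not code from the PR or the JDK: a minimal LoginModule whose login() fails, with the unguarded logout beside the null-checked form. The class name GuardedLogoutModule and the method logoutUnguarded are hypothetical names chosen for the example.

```java
import java.security.Principal;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

// Constructed LoginModule with the same logout shape as the JDK modules in the
// PR: the principal field is only populated by a successful login().
public class GuardedLogoutModule implements LoginModule {
    private Subject subject;
    private Principal userPrincipal;   // remains null after a failed login
    @Override
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
    }
    @Override
    public boolean login() throws LoginException {
        // Constructed failure path: nothing is populated before the throw.
        throw new FailedLoginException("no credentials supplied");
    }
    @Override public boolean commit() { return false; }
    @Override public boolean abort()  { return false; }
    // Pre-fix shape: removes userPrincipal unconditionally. After a failed login
    // it is null, and removing null from the Subject's principal set throws
    // NullPointerException, as the PR description states.
    public boolean logoutUnguarded() {
        subject.getPrincipals().remove(userPrincipal);
        return true;
    }
    // Fixed shape: only remove what was actually added to the Subject.
    @Override
    public boolean logout() {
        if (userPrincipal != null) {
            subject.getPrincipals().remove(userPrincipal);
        }
        return true;
    }
    public static void main(String[] args) {
        GuardedLogoutModule m = new GuardedLogoutModule();
        m.initialize(new Subject(), null, Map.of(), Map.of());
        try { m.login(); } catch (LoginException expected) { /* login fails */ }
        try { m.logoutUnguarded(); } catch (NullPointerException e) {
            System.out.println("unguarded logout: " + e);
        }
        System.out.println("guarded logout: " + m.logout());
    }
}
```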