RFR: 8282730: LdapLoginModule throw NPE from logout method after login failure
Sean Mullan
mullan at openjdk.org
Mon Jul 11 18:55:43 UTC 2022
On Fri, 1 Jul 2022 17:31:06 GMT, Weijun Wang <weijun at openjdk.org> wrote:
> Add null-checks in all `LoginModule` implementations. It's possible that an application calls `logout` after a login failure, where most internal variables for principals and credentials are null and removing a null from the `Subject`'s principals and credentials sets will trigger a `NullPointerException`.
A couple of minor comments so far; still reviewing.
src/jdk.security.auth/share/classes/com/sun/security/auth/module/JndiLoginModule.java line 483:
> 481: subject.getPrincipals().remove(GIDPrincipal);
> 482: }
> 483: if (supplementaryGroups != null) {
This line is harmless, but you could take it out as supplementaryGroups is never null.
src/jdk.security.auth/share/classes/com/sun/security/auth/module/UnixLoginModule.java line 289:
> 287: subject.getPrincipals().remove(GIDPrincipal);
> 288: }
> 289: if (supplementaryGroups != null) {
This line is harmless, but you could take it out as supplementaryGroups is never null.
-------------
PR: https://git.openjdk.org/jdk/pull/9348
More information about the security-dev
mailing list