RFR: 8282730: LdapLoginModule throw NPE from logout method after login failure

Weijun Wang weijun at openjdk.org
Mon Jul 11 21:05:57 UTC 2022

On Mon, 11 Jul 2022 20:09:31 GMT, Sean Mullan <mullan at openjdk.org> wrote:

>> Add null-checks in all `LoginModule` implementations. It's possible that an application calls `logout` after a login failure, where most internal variables for principals and credentials are null and removing a null from the `Subject`'s principals and credentials sets will trigger a `NullPointerException`.
> test/jdk/javax/security/auth/login/modules/SafeLogout.java line 37:
>> 35:  * @bug 8282730
>> 36:  * @key randomness
>> 37:  * @summary LdapLoginModule throw NPE from logout method after login failure
> I think the summary can be more descriptive here and doesn't have to match the bug description. How about "Check that all LoginModule implementations don't throw NPE from logout method after login failure"


> test/jdk/javax/security/auth/login/modules/SafeLogout.java line 51:
>> 49: 
>> 50:     static void test(int pos) throws Exception {
>> 51:         // Create random JAAS login config.
> I'm probably missing something obvious, but can you explain why this test uses a random login config? I would add some comments explaining that more.

I cannot find a way to test all combinations so I make it random. If it really fails I make sure the login module name, flag, and whether there is a login attempt are printed out so I can reproduce it.


PR: https://git.openjdk.org/jdk/pull/9348
