8 Replies Latest reply on Jul 10, 2008 5:33 PM by leegreiner

NPE in ExtendedFormAuthenticator

leegreiner Apr 12, 2007 1:45 PM

I belive I have come across an issue when using the ExtendedFormAuthenticator in 4.0.5.GA. When a user sits on the login page for too long and their session expires the following NullPointerException is thrown in ExtendedFormAuthenticator.authenticate():

13:44:15,765 ERROR [CoyoteAdapter] An exception or error occurred in the container during the request processing
java.lang.NullPointerException
at org.jboss.web.tomcat.security.ExtendedFormAuthenticator.authenticate(ExtendedFormAuthenticator.java:104)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:416)
at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:74)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
at org.jboss.web.tomcat.tc5.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:156)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664)
at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
at org.apache.tomcat.util.net.MasterSlaveWorkerThread.run(MasterSlaveWorkerThread.java:112)
at java.lang.Thread.run(Thread.java:595)

The session appears to be null and an attempt is made to remove a note from the session thereby causing the NPE. Earlier references to the session are enclosed by if(session != null). The one attempting to remove the note is not.

Any comments?

1. Re: NPE in ExtendedFormAuthenticator

gdemir Jul 26, 2007 9:32 PM (in response to leegreiner)

Hi,

The same thing just happened to me as well. I think the code is buggy. Since the earlier reference had checked session to be not null, I believe at line 104, the same check should be applied too.

I will add the check to the code, and jar uf it.

Gokhan.
Actions
2. Re: NPE in ExtendedFormAuthenticator

anthonyestelita Aug 1, 2007 3:55 PM (in response to leegreiner)

Has there been any plans for this to be fixed? We too are experiencing the same exact issue (if a user sits at the login page for a period of time the NPE exception is thrown by the ExtendedFormAuthenticator). I searched the jboss bugs for this issue and I don't see a closed nor open bug for it. :-( Is there a workaround? Right now the user is forced to basically log-in twice (first time throws the NPE and the second time it works).
Actions
3. Re: NPE in ExtendedFormAuthenticator

leegreiner Aug 1, 2007 8:50 PM (in response to leegreiner)

I ended up writing my own authenticator, one that guarded against the NPE.
Actions
4. Re: NPE in ExtendedFormAuthenticator

anil.saldhana Aug 3, 2007 2:54 PM (in response to leegreiner)
http://jira.jboss.com/jira/browse/JBAS-4592
Actions
5. Re: NPE in ExtendedFormAuthenticator

rmartony Jul 9, 2008 12:29 PM (in response to leegreiner)

"leegreiner" wrote:
I ended up writing my own authenticator, one that guarded against the NPE.

Could you share your version of the ExtendedFormAuthenticator?

Thanks,
Rafael
Actions

6. Re: NPE in ExtendedFormAuthenticator

leegreiner Jul 9, 2008 1:34 PM (in response to leegreiner)

This was our solution:

package edu.duke.dcri.web.tomcat.security;

import java.io.IOException;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.deploy.LoginConfig;

public class ExtendedFormAuthenticator extends org.jboss.web.tomcat.security.ExtendedFormAuthenticator
{

 public ExtendedFormAuthenticator()
 {
 }

 public boolean authenticate(Request request, Response response, LoginConfig config)
 throws IOException
 {
 boolean alreadyAuthenticated = false;
 try
 {
 alreadyAuthenticated = super.authenticate(request, response, config);
 }
 catch(NullPointerException npe) { }
 return alreadyAuthenticated;
 }
}

When the NullPointerException is raised there is no session and the authenticator returns false, the desired effect.

7. Re: NPE in ExtendedFormAuthenticator

rmartony Jul 10, 2008 1:10 PM (in response to leegreiner)

That's great leegreiner, thanks.

Another question, how do I install the new authenticator?
Do I have to follow these (http://wiki.jboss.org/wiki/ExternalizeTomcatAuthenticators) instructions?

Currently I'm using the JBoss ExtendedFormAuthenticator via WEB-INF/context.xml descriptor with a Valve element. (http://wiki.jboss.org/wiki/ExtendedFormAuthenticator)

Regards,
Rafael.
Actions
8. Re: NPE in ExtendedFormAuthenticator

leegreiner Jul 10, 2008 5:33 PM (in response to leegreiner)

We typically drop a jar containing the authenticator in the default/lib directory so that all application deployed on the server have access to it but are not forced to use it by default.

Each application that wants to use the authenticator will include it as defined in the "Configuring the ExtendedFormAuthenticator for an Application" section of http://wiki.jboss.org/wiki/ExtendedFormAuthenticator.
Actions

Go to original post