May get an NPE in URLEncoder.encode when OAuth provider gets bad clientId TS003459997 #11977
Labels
bug
This bug is not present in a released version of Open Liberty
release bug
This bug is present in a released version of Open Liberty
release:20006
team:Security SSO
Describe the bug
In OAuth, it appears that when making an authorization request where the clientId does not exist, you may get an NPE from URLEncoder. Here is the stack trace:
2020-03-19T12:27:41.904+0000] 00000af8 id=d9aa0b80 .ibm.ws.webcontainer.security.WebAppSecurityCollaboratorImpl < resetSyncToOSThread Exit
[2020-03-19T12:27:41.896+0000] 00000ad4 id=00000000 com.ibm.ws.webcontainer.util.ApplicationErrorUtils E SRVE0777E: Exception thrown by application class 'java.net.URLEncoder.encode:225'
java.lang.NullPointerException
at java.net.URLEncoder.encode(URLEncoder.java:225)
at com.ibm.ws.security.oauth20.error.impl.OAuth20AuthorizeRequestExceptionHandler.handleResultException(OAuth20AuthorizeRequestExceptionHandler.java:251)
at com.ibm.ws.security.oauth20.web.UserAuthentication.renderErrorPage(UserAuthentication.java:487)
at com.ibm.ws.security.oauth20.web.OAuth20EndpointServices.handleEndpointRequest(OAuth20EndpointServices.java:252)
at com.ibm.ws.security.openidconnect.web.OidcEndpointServices.handleOidcRequest(OidcEndpointServices.java:274)
at com.ibm.ws.security.openidconnect.web.OidcEndpointServlet.doPost(OidcEndpointServlet.java:55)
at com.ibm.ws.security.openidconnect.web.OidcEndpointServlet.doGet(OidcEndpointServlet.java:49)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:686)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:791)
at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1230)
at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:729)
at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:426)
at com.ibm.ws.webcontainer.filter.WebAppFilterChain.invokeTarget(WebAppFilterChain.java:182)
at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:93)
at com.ibm.ws.security.openidconnect.web.OidcRequestFilter.setEndpointRequest(OidcRequestFilter.java:41)
at com.ibm.ws.security.oauth20.web.OAuth20RequestFilter.doFilter(OAuth20RequestFilter.java:93)
at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:201)
at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:90)
at com.ibm.ws.app.manager.wab.internal.OsgiDirectoryProtectionFilter.doFilter(OsgiDirectoryProtectionFilter.java:90)
at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:201)
at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:90)
at com.ibm.ws.webcontainer.filter.WebAppFilterManager.doFilter(WebAppFilterManager.java:1001)
...
OAuth20AuthorizeRequestExceptionHandler.java:251 is the line in this try block
I suggest two things here:
Expected behavior
Don't get an NPE in URLEncoder
Diagnostic information:
java -version
]Java(TM) SE Runtime Environment (8.0.6.5 - pxa6480sr6fp5ifix-20200304_01(SR6 FP5+IJ23018
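The failure mode in the trace, with a guarded alternative, as an added example that is not Open Liberty's code and not the reporter's suggested fix. The issue does not say which value reaches `URLEncoder.encode` as null, so the class name, method name, parameters and sample values below are hypothetical; the no-redirect branch follows RFC 6749 section 4.1.2.1, which says the authorization server must not redirect when the client identifier is invalid.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.util.LinkedHashMap;
import java.util.Map;

// Hypothetical helper: builds the error redirect for an authorize request.
public class AuthorizeErrorRedirect {

    /**
     * Returns the error redirect URL, or null when the error has to be rendered
     * locally because no registered redirect URI is known (unknown client_id).
     */
    static String buildErrorRedirect(String registeredRedirectUri, String error,
                                     String description, String state)
            throws UnsupportedEncodingException {
        if (registeredRedirectUri == null || registeredRedirectUri.isEmpty()) {
            return null; // RFC 6749 4.1.2.1: no redirect for an invalid client
        }
        Map<String, String> params = new LinkedHashMap<>();
        params.put("error", error);
        params.put("error_description", description);
        params.put("state", state);

        StringBuilder url = new StringBuilder(registeredRedirectUri);
        char sep = registeredRedirectUri.indexOf('?') < 0 ? '?' : '&';
        for (Map.Entry<String, String> e : params.entrySet()) {
            if (e.getValue() == null) {
                continue; // omit absent parameters instead of encoding null
            }
            url.append(sep).append(e.getKey()).append('=')
               .append(URLEncoder.encode(e.getValue(), "UTF-8"));
            sep = '&';
        }
        return url.toString();
    }

    public static void main(String[] args) throws Exception {
        try {
            URLEncoder.encode(null, "UTF-8"); // unguarded call with a null value
        } catch (NullPointerException npe) {
            System.out.println("unguarded encode threw NullPointerException");
        }
        // Constructed sample values: unknown client, then a known client with no description.
        System.out.println(buildErrorRedirect(null, "invalid_request", "unknown client", null));
        System.out.println(buildErrorRedirect("https://rp.example/cb", "access_denied", null, "a b"));
    }
}
```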