Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

OidcClientImpl does not properly declare a dependency on SecurityService #22405

Closed
jensengelke opened this issue Sep 7, 2022 · 2 comments
Closed

OidcClientImpl does not properly declare a dependency on SecurityService #22405

jensengelke opened this issue Sep 7, 2022 · 2 comments
Assignees
@arunavemulapalli
Labels
release bug This bug is present in a released version of Open Liberty release:220013 f9d0c4 team:Security SSO
Projects
Security SSO

Comments

@jensengelke
Copy link

https://github.com/OpenLiberty/open-liberty/blob/release-22.0.0.3/dev/com.ibm.ws.security.openidconnect.client/bnd.bnd should have an entry like

securityService=com.ibm.ws.security.SecurityService; \
dynamic:='oidcClientConfig,sslSupport,authFilter,securityService'; \

When invoking request.logout() from a ServletFilter intercepting traffic to form-based logout URL ibm_security_logout on 22.0.0.3, we see a NPE:

Stack Dump = java.lang.NullPointerException
        at com.ibm.ws.security.openidconnect.client.internal.OidcClientImpl.authenticateSubject(OidcClientImpl.java:749)
        at com.ibm.ws.security.openidconnect.client.internal.OidcClientImpl.handleOidcCookie(OidcClientImpl.java:722)
        at com.ibm.ws.security.openidconnect.client.internal.OidcClientImpl.logout(OidcClientImpl.java:663)
        at com.ibm.ws.webcontainer.security.AuthenticateApi.logoutUnprotectedResourceServiceRef(AuthenticateApi.java:244)
        at com.ibm.ws.webcontainer.security.AuthenticateApi.logout(AuthenticateApi.java:189)
        at com.ibm.ws.webcontainer.security.AuthenticateApi.logoutServlet30(AuthenticateApi.java:627)
        at com.ibm.ws.webcontainer.security.WebAppSecurityCollaboratorImpl.logout(WebAppSecurityCollaboratorImpl.java:1212)
        at com.ibm.ws.webcontainer.srt.SRTServletRequest.logout(SRTServletRequest.java:3956)
        at javax.servlet.http.HttpServletRequestWrapper.logout(HttpServletRequestWrapper.java:376)
        at com.ibm.bpm.servlet.filters.GenericSecurityServletFilter.doFilter(GenericSecurityServletFilter.java:327)
        at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:201)

FYI @teddyjtorres
@jensengelke
Copy link
Author

The target release for a shipment invoking this code is Liberty 22.0.0.9

@teddyjtorres teddyjtorres added this to Backlog in Security SSO Sep 19, 2022
@arunavemulapalli arunavemulapalli mentioned this issue Nov 16, 2022
Merged
@arunavemulapalli arunavemulapalli added release:22009 release bug This bug is present in a released version of Open Liberty and removed release:22009 Needs member attention labels Nov 16, 2022
@arunavemulapalli arunavemulapalli self-assigned this Nov 16, 2022
Security SSO automation moved this from Backlog to Done Dec 1, 2022
@arunavemulapalli
Copy link
Contributor

Jens, Closed this issue as the fix is already verified

@LibbyBot LibbyBot added the release:220013 f9d0c4 label Dec 6, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@arunavemulapalli arunavemulapalli

Labels
release bug This bug is present in a released version of Open Liberty release:220013 f9d0c4 team:Security SSO
Projects
Security SSO
Status: Done
Security SSO
  
Done
Milestone
No milestone
Development

No branches or pull requests
4 participants
@jensengelke @ayoho @arunavemulapalli @LibbyBot