NPE thrown when using anonymousUser #2606

Closed
mihaisimi opened this issue Jan 11, 2016 · 3 comments
@mihaisimi
Contributor

  • Overview of the issue
    NPE thrown when using anonymousUser. Caused by authentication.getPrincipal being a string ("anonymousUser") and not a User object.

ERROR 2016-01-11T10:55:49.286 [http-nio-8080-exec-4] o.a.c.c.C.[.[.[.dispatcherServlet Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception [Request processing failed; nested exception is java.lang.IllegalStateException: User not found!] with root cause
java.lang.IllegalStateException: User not found!
at com.simi.biro.security.SecurityUtils.getCurrentUser(SecurityUtils.java:71) ~[classes/:na]
at com.simi.biro.service.UserService.getUserWithAuthorities(UserService.java:169) ~[classes/:na]
at com.simi.biro.service.UserService$$FastClassBySpringCGLIB$$2d6042b6.invoke() ~[classes/:na]
at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:204) ~[spring-core-4.2.3.RELEASE.jar:4.2.3.RELEASE]

And in browser:
{"timestamp":"2016-01-11T08:55:49.291+0000","status":500,"error":"Internal Server Error","exception":"java.lang.IllegalStateException","message":"User not found!","path":"/api/account"}

  • Motivation for or Use Case
    The errors are not cool, especially the browser ones.
  • JHipster Version(s)

2.26.2

Don't know

  • Browsers and Operating System

All browsers. Mac (El Capitan) and Linux.

UserService.java:getUserWithAuthorities
Replace this:
//User user = userRepository.findOneByLogin(SecurityUtils.getCurrentUser().getUsername()).get();
With this (getCurrentLogin method already has the fix in it):
User user = userRepository.findOneByLogin(SecurityUtils.getCurrentUserLogin()).get();

Optionally in principal.service.js add a check for anonymousUser login to make sure we don't consider it as an authenticated account:
// retrieve the identity data from the server, update the identity object, and then resolve.
Account.get().$promise
    .then(function (account) {
        if (account.data.login === "anonymousUser") {
            _identity = null;
            _authenticated = false;
            deferred.resolve(_identity);
        } else {
            _identity = account.data;
            _authenticated = true;
            deferred.resolve(_identity);
        }
    })
    .catch(function () {
        _identity = null;
        _authenticated = false;
        deferred.resolve(_identity);
    });

Please let me know if ok and I'll submit a pull request.

Thanks,
Mihai

@deepu105
Member

yes plz do PR

mihaisimi added a commit to mihaisimi/generator-jhipster that referenced this issue Jan 12, 2016
@mihaisimi
Contributor Author

Also made the /api/account a permitAll service. We are calling this for anon. users so it makes sense to allow it.

@jdubois
Member

jdubois commented Jan 18, 2016

I'm closing this with reference to #2623

The NPE is thrown by a modification in the code that was generated, so this is not a JHipster issue. The whole idea of securing this API is that no anonymous user accesses it, so this NPE can't happen under normal circumstances.

Of course, you can disagree with our current design of sending a 401 error code when an unauthorized user accesses the page, and for that your best option is of course to modify the generated code, and probably do a switch in your code to handle the specific case of using an anonymousUser.

@jdubois jdubois closed this as completed Jan 18, 2016
@jdubois jdubois modified the milestone: 2.27.0 Jan 18, 2016
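The root cause described in the opening post (the principal being the String "anonymousUser" rather than a User object) and the "handle the specific case" suggestion in the closing comment can both be covered by one server-side check. The following is an added example, not code from this thread or from JHipster's `SecurityUtils`; the class name `CurrentLogin` and its method names are hypothetical, and only standard Spring Security types are assumed.

```java
import java.util.Optional;

import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;

// Hypothetical helper (not JHipster's SecurityUtils): resolves the login of the
// current request without assuming the principal is a UserDetails object.
public final class CurrentLogin {

    private CurrentLogin() {
    }

    /** Reads the Authentication bound to the current thread. */
    public static Optional<String> fromContext() {
        return resolve(SecurityContextHolder.getContext().getAuthentication());
    }

    /** Returns the login only for a real, authenticated user; empty otherwise. */
    public static Optional<String> resolve(Authentication authentication) {
        if (authentication == null
                || !authentication.isAuthenticated()
                || authentication instanceof AnonymousAuthenticationToken) {
            // No security context, or the anonymous filter populated it: the
            // principal in that case is typically the String "anonymousUser".
            return Optional.empty();
        }
        Object principal = authentication.getPrincipal();
        if (principal instanceof UserDetails) {
            return Optional.ofNullable(((UserDetails) principal).getUsername());
        }
        if (principal instanceof String) {
            // Some authentication providers store the user name as a plain String.
            return Optional.of((String) principal);
        }
        // Unknown principal type: treat as unauthenticated rather than casting.
        return Optional.empty();
    }
}
```

A caller such as `getUserWithAuthorities` can map an empty result to a 401 response or an empty account instead of casting the principal or calling `.get()` on a missing user.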