JPA Form Based Authentication throws NullPointerException if username is incorrect #11868

Closed
webfolderio opened this issue Sep 3, 2020 · 0 comments · Fixed by #11878
Labels
area/security kind/bug Something isn't working

webfolderio commented Sep 3, 2020

Describe the bug
Form based JPA authentication throws NullPointerException if username is incorrect.

Expected behavior
Quarkus should return HTTP 403.

Actual behavior
Quarkus returns HTTP 500 and throws NullPointerException.

java.lang.NullPointerException
	at io.quarkus.vertx.http.runtime.security.PersistentLoginManager.save(PersistentLoginManager.java:118)
	at io.quarkus.vertx.http.runtime.security.FormAuthenticationMechanism$1$1$1.accept(FormAuthenticationMechanism.java:78)
	at io.quarkus.vertx.http.runtime.security.FormAuthenticationMechanism$1$1$1.accept(FormAuthenticationMechanism.java:74)
	at io.smallrye.mutiny.helpers.UniCallbackSubscriber.onItem(UniCallbackSubscriber.java:68)
	at io.smallrye.mutiny.context.ContextPropagationUniInterceptor$1.lambda$onItem$1(ContextPropagationUniInterceptor.java:35)
	at io.smallrye.context.SmallRyeThreadContext.lambda$withContext$0(SmallRyeThreadContext.java:217)
	at io.smallrye.mutiny.context.ContextPropagationUniInterceptor$1.onItem(ContextPropagationUniInterceptor.java:35)
	at io.smallrye.mutiny.operators.UniSerializedSubscriber.onItem(UniSerializedSubscriber.java:72)
	at io.smallrye.mutiny.context.ContextPropagationUniInterceptor$1.lambda$onItem$1(ContextPropagationUniInterceptor.java:35)
	at io.smallrye.context.SmallRyeThreadContext.lambda$withContext$0(SmallRyeThreadContext.java:217)
	at io.smallrye.mutiny.context.ContextPropagationUniInterceptor$1.onItem(ContextPropagationUniInterceptor.java:35)
	at io.smallrye.mutiny.operators.UniSerializedSubscriber.onItem(UniSerializedSubscriber.java:72)
	at io.smallrye.mutiny.context.ContextPropagationUniInterceptor$1.lambda$onItem$1(ContextPropagationUniInterceptor.java:35)
	at io.smallrye.context.SmallRyeThreadContext.lambda$withContext$0(SmallRyeThreadContext.java:217)
	at io.smallrye.mutiny.context.ContextPropagationUniInterceptor$1.onItem(ContextPropagationUniInterceptor.java:35)
	at io.smallrye.mutiny.operators.UniSerializedSubscriber.onItem(UniSerializedSubscriber.java:72)
	at io.smallrye.mutiny.context.ContextPropagationUniInterceptor$1.lambda$onItem$1(ContextPropagationUniInterceptor.java:35)
	at io.smallrye.context.SmallRyeThreadContext.lambda$withContext$0(SmallRyeThreadContext.java:217)
	at io.smallrye.mutiny.context.ContextPropagationUniInterceptor$1.onItem(ContextPropagationUniInterceptor.java:35)
	at io.smallrye.mutiny.operators.UniSerializedSubscriber.onItem(UniSerializedSubscriber.java:72)
	at io.smallrye.mutiny.operators.DefaultUniEmitter.complete(DefaultUniEmitter.java:36)
	at io.quarkus.security.runtime.QuarkusIdentityProviderManagerImpl$1$1$1$1.run(QuarkusIdentityProviderManagerImpl.java:58)
	at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
	at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:2046)
	at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1578)
	at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1452)
	at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:29)
	at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:29)
	at java.base/java.lang.Thread.run(Thread.java:832)
	at org.jboss.threads.JBossThread.run(JBossThread.java:479)

To Reproduce
Steps to reproduce the behavior:

  1. git clone https://github.com/webfolderio/quarkus-quickstarts
  2. cd quarkus-quickstarts/security-jpa-quickstart
  3. mvn test

Configuration

quarkus.datasource.url=jdbc:postgresql:elytron_security_jpa
quarkus.datasource.driver=org.postgresql.Driver
quarkus.datasource.username=quarkus
quarkus.datasource.password=quarkus

quarkus.hibernate-orm.database.generation=drop-and-create

quarkus.http.auth.form.enabled=true

quarkus.log.category."io.quarkus".level=INFO
quarkus.log.category."org.hibernate.SQL".level=DEBUG

Environment (please complete the following information):

  • Output of uname -a or ver:
Microsoft Windows [Version 10.0.19041.450]
  • Output of java -version:
java version "12.0.1" 2019-04-16
Java(TM) SE Runtime Environment (build 12.0.1+12)
Java HotSpot(TM) 64-Bit Server VM (build 12.0.1+12, mixed mode, sharing)
  • Quarkus version or git rev:
    1.7.2.Final

  • Build tool (ie. output of mvnw --version or gradlew --version):

Apache Maven 3.6.3 (cecedd343002696d0abb50b32b541b8a6ba2883f)
Maven home: C:\maven\bin\..
Java version: 12.0.1, vendor: Oracle Corporation, runtime: C:\java\jdk-12.0.1
Default locale: en_US, platform encoding: utf-8
OS name: "windows 10", version: "10.0", arch: "amd64", family: "windows"

Additional context

FormAuthJpaTestCase.java tests only the happy path. It would be nice to test the case where the username does not exist.

If the username is incorrect, the generated bytecode returns null. It would be better to throw an exception instead of returning null.
QuarkusSecurityJpaProcessor.java#L172
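
The failure mode reported above, as an added example that is neither Quarkus code nor part of the original report: a plain-Java model in which a user lookup returns null for an unknown username, next to a variant that raises an authentication failure instead. All class and method names are hypothetical, the user store is constructed, and the 403 mapping follows the expected behavior stated in the report.

```java
import java.util.Set;

// Constructed model of the failure mode in this issue; every name here is
// hypothetical and none of it is Quarkus code.
public class NullIdentityDemo {

    static final class Identity {
        final String principal;
        Identity(String principal) { this.principal = principal; }
    }

    static class AuthFailed extends RuntimeException {}

    // Constructed sample user store.
    static final Set<String> KNOWN_USERS = Set.of("alice");

    interface Lookup { Identity find(String username); }

    // "Before": an unknown username yields null, as the issue describes.
    static Identity findUserOrNull(String username) {
        return KNOWN_USERS.contains(username) ? new Identity(username) : null;
    }

    // "After": an unknown username is reported as an authentication failure.
    static Identity findUserOrThrow(String username) {
        Identity id = findUserOrNull(username);
        if (id == null) throw new AuthFailed();
        return id;
    }

    // Login handler: dereferences the identity to build a session cookie,
    // then maps each outcome to an HTTP status.
    static int login(Lookup lookup, String username) {
        try {
            Identity id = lookup.find(username);
            String cookie = "session=" + id.principal; // NullPointerException if id is null
            return 200;
        } catch (AuthFailed e) {
            return 403; // status the report expects for a failed login
        } catch (RuntimeException e) {
            return 500; // unexpected failure surfaces as a server error
        }
    }

    public static void main(String[] args) {
        System.out.println("null lookup, unknown user:     " + login(NullIdentityDemo::findUserOrNull, "nobody"));
        System.out.println("throwing lookup, unknown user: " + login(NullIdentityDemo::findUserOrThrow, "nobody"));
        System.out.println("throwing lookup, known user:   " + login(NullIdentityDemo::findUserOrThrow, "alice"));
    }
}
```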

@webfolderio webfolderio added the kind/bug Something isn't working label Sep 3, 2020
geoand added a commit to geoand/quarkus that referenced this issue Sep 4, 2020
geoand added a commit that referenced this issue Sep 4, 2020
Fix NPE when combining security-jpa with form auth
@gsmet gsmet added this to the 1.8.0.Final milestone Sep 4, 2020
gsmet pushed a commit to gsmet/quarkus that referenced this issue Sep 4, 2020
@gsmet gsmet modified the milestones: 1.8.0.Final, 1.7.3.Final Sep 8, 2020
gsmet pushed a commit to gsmet/quarkus that referenced this issue Sep 8, 2020