SEC-1280: NullPointerException in PersistentTokenBasedRememberMeServices when logging out twice #1529

Closed
spring-issuemaster opened this Issue Oct 27, 2009 · 3 comments

1 participant

@spring-issuemaster

Charles Gutjahr (Migrated from SEC-1280) said:

When remember-me is enabled in Spring Security 3.0.0 RC1, a user who attempts to log out when not already logged in will cause a NullPointerException - and probably receive a blank page as a result.

The exception is:

java.lang.NullPointerException
at org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices.logout(PersistentTokenBasedRememberMeServices.java:145)
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:98)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:356)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:80)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:356)
at org.springframework.security.web.access.channel.ChannelProcessingFilter.doFilter(ChannelProcessingFilter.java:110)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:356)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:150)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
[...]

Logout works fine if the user is already logged in; the exception only occurs if the user is not logged in.

Obviously a well-designed web application doesn't show a logout link when no-one is logged in, which mitigates the problem. However, it does affect users who open multiple windows - and then log out from two or more of them.

@spring-issuemaster

Nickolay Mazurkin said:

Yes, I have the same issue.

The problem happens when the authentication parameter is null, so authentication.getName() raises a NullPointerException.

[code]
public void logout(HttpServletRequest request, HttpServletResponse response, Authentication authentication) {
    super.logout(request, response, authentication);
    // authentication is null when no user is logged in, so getName() throws NullPointerException
    tokenRepository.removeUserTokens(authentication.getName());
}
[/code]

I think that a proper check should be implemented in LogoutFilter and/or in PersistentTokenBasedRememberMeServices.

@spring-issuemaster

Luke Taylor said:

Thanks for the report guys. Fix should be straightforward.

@spring-issuemaster

Luke Taylor said:

I've added a null check in the logout method of PersistentTokenBasedRememberMeServices.
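As an added illustration (not Spring Security's own code) of the snippet quoted above and the null check described in this fix: a minimal stand-in for the logout method, run once with an authenticated user and once with a null authentication, as happens when a second browser window logs out after the first. The Authentication and PersistentTokenRepository types here are constructed stand-ins, not the real Spring interfaces.

```java
import java.util.HashMap;
import java.util.Map;

// Constructed stand-ins for the Spring types named in the report.
interface Authentication { String getName(); }

interface PersistentTokenRepository { void removeUserTokens(String username); }

// In-memory repository so the example runs without a database.
class InMemoryTokenRepository implements PersistentTokenRepository {
    final Map<String, Integer> tokensPerUser = new HashMap<>();
    public void removeUserTokens(String username) { tokensPerUser.remove(username); }
}

class RememberMeLogout {
    private final PersistentTokenRepository tokenRepository;
    RememberMeLogout(PersistentTokenRepository repo) { this.tokenRepository = repo; }

    // Shape of the reported bug: dereferences 'authentication' unconditionally.
    void logoutBuggy(Authentication authentication) {
        tokenRepository.removeUserTokens(authentication.getName());
    }

    // Fixed shape: only touch the token repository when a principal is present.
    void logoutFixed(Authentication authentication) {
        if (authentication != null) {
            tokenRepository.removeUserTokens(authentication.getName());
        }
    }
}

public class DoubleLogoutDemo {
    public static void main(String[] args) {
        InMemoryTokenRepository repo = new InMemoryTokenRepository();
        repo.tokensPerUser.put("alice", 1);          // constructed sample user
        RememberMeLogout services = new RememberMeLogout(repo);
        Authentication alice = () -> "alice";

        services.logoutFixed(alice);   // first window: logged in, token removed
        services.logoutFixed(null);    // second window: no authentication, no exception
        System.out.println("tokens left for alice: " + repo.tokensPerUser.containsKey("alice"));

        try {
            services.logoutBuggy(null); // pre-fix behaviour from the report
        } catch (NullPointerException e) {
            System.out.println("buggy variant threw NullPointerException");
        }
    }
}
```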

@spring-issuemaster spring-issuemaster added this to the 3.0.0.RC2 milestone Feb 5, 2016