SEC-1803: SimpleUrlLogoutSuccessHandler no-arg constructor produces NPE in AbstractAuthenticationTargetUrlRequestHandler #2035

Closed
spring-issuemaster opened this Issue Aug 23, 2011 · 2 comments


@spring-issuemaster

Alexander Franken (Migrated from SEC-1803) said:

After the Spring Framework 3.0.6.RELEASE announcement, I went looking and saw that Spring Security 3.0.6 was available in Maven Central. Using these artifacts, I ran into an NPE that occurs within the logout filters.

It appears that since 3.0.5, there was a no-arg constructor added to SimpleUrlLogoutSuccessHandler, which sets the targetUrlParameter to null.

    public SimpleUrlLogoutSuccessHandler() {
        super.setTargetUrlParameter(null);
    }

The setter trumps the default of "spring-security-redirect" and replaces the default with null. Then, in AbstractAuthenticationTargetUrlRequestHandler, the following call produces the NPE (key targetUrlParameter is null).

        // Check for the parameter and use that if available
        String targetUrl = request.getParameter(targetUrlParameter);

Stack

java.lang.NullPointerException
    at java.util.Hashtable.get(Hashtable.java:334)
    at org.apache.tomcat.util.http.Parameters.getParameterValues(Parameters.java:193)
    at org.apache.tomcat.util.http.Parameters.getParameter(Parameters.java:238)
    at org.apache.catalina.connector.Request.getParameter(Request.java:1007)
    at org.apache.catalina.connector.RequestFacade.getParameter(RequestFacade.java:353)
    at javax.servlet.ServletRequestWrapper.getParameter(ServletRequestWrapper.java:158)
    at org.springframework.security.web.authentication.AbstractAuthenticationTargetUrlRequestHandler.determineTargetUrl(AbstractAuthenticationTargetUrlRequestHandler.java:86)
    at org.springframework.security.web.authentication.AbstractAuthenticationTargetUrlRequestHandler.handle(AbstractAuthenticationTargetUrlRequestHandler.java:67)
    at org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler.onLogoutSuccess(SimpleUrlLogoutSuccessHandler.java:28)
    at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:100)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
    at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:79)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:168)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:174)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:151)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:874)
    at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)
    at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)
    at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
    at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689)
    at java.lang.Thread.run(Thread.java:662)

Would it be reasonable to revert setting the defaultTargetUrl to null within the no-arg constructor?

@spring-issuemaster

Alexander Franken said:

Just in case someone runs into this, an easy work-around is to re-set the default after instantiation.

            <bean class="org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler">
                <property name="targetUrlParameter">
                    <util:constant static-field="org.springframework.security.web.authentication.AbstractAuthenticationTargetUrlRequestHandler.DEFAULT_TARGET_PARAMETER"/>
                </property>
            </bean>

@spring-issuemaster

Luke Taylor said:

Thanks for the report. The problem was due to changes for SEC-1790 which removed support for the redirect parameter for logouts. Unfortunately this resulted in a null key lookup which worked in Jetty (and hence the integration tests) but not in Tomcat or other containers.

@spring-issuemaster spring-issuemaster added this to the 3.0.7 milestone Feb 5, 2016
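The container-dependent behaviour described in this thread, as an added example that is not part of the original issue or the Spring Security code base: the same null parameter name is passed to a null-tolerant store and to a `Hashtable`, which is the class at the top of the stack trace. `ParameterSource`, the class name and both helper methods are hypothetical stand-ins for the servlet request, the `HashMap` stands in for any container where the lookup happened to work, and the guard is one way to avoid the call, not necessarily the fix shipped in 3.0.7.

```java
import java.util.HashMap;
import java.util.Hashtable;
import java.util.Map;

public class NullParameterLookupDemo {
    // Same value as the "spring-security-redirect" default quoted in the report.
    static final String DEFAULT_TARGET_PARAMETER = "spring-security-redirect";

    /** Hypothetical stand-in for ServletRequest.getParameter over a container's store. */
    interface ParameterSource {
        String getParameter(String name);
    }

    // Unguarded lookup: the shape of the failing call shown in the report.
    static String unguardedTargetUrl(ParameterSource request, String targetUrlParameter) {
        return request.getParameter(targetUrlParameter);
    }

    // Guarded lookup: a null parameter name means "redirect parameter disabled",
    // so the container is never asked to look up a null key.
    static String guardedTargetUrl(ParameterSource request, String targetUrlParameter) {
        if (targetUrlParameter == null) {
            return null;
        }
        return request.getParameter(targetUrlParameter);
    }

    public static void main(String[] args) {
        // Constructed sample request parameters.
        Map<String, String> hashMap = new HashMap<>();
        hashMap.put(DEFAULT_TARGET_PARAMETER, "/home");
        Hashtable<String, String> hashtable = new Hashtable<>(hashMap);

        ParameterSource nullTolerant = hashMap::get;    // HashMap.get(null) returns null
        ParameterSource nullRejecting = hashtable::get; // Hashtable.get(null) throws NPE

        System.out.println("null-tolerant, unguarded: " + unguardedTargetUrl(nullTolerant, null));
        try {
            unguardedTargetUrl(nullRejecting, null);
        } catch (NullPointerException e) {
            System.out.println("null-rejecting, unguarded: NullPointerException");
        }
        System.out.println("null-rejecting, guarded: " + guardedTargetUrl(nullRejecting, null));
        System.out.println("null-rejecting, default name: "
                + guardedTargetUrl(nullRejecting, DEFAULT_TARGET_PARAMETER));
    }
}
```

A test suite that runs only against the null-tolerant store passes the unguarded lookup, which is how a regression of this kind can reach a release and then fail on every logout in a different container.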