SEC-1807: logout success failed on tomcat due to NPE #2039

Closed
spring-issuemaster opened this Issue Aug 31, 2011 · 6 comments

@spring-issuemaster

Ludovic Praud (Migrated from SEC-1807) said:

Due to issue SEC-1762, the targetUrlParameter is set to null by default in the SimpleUrlLogoutSuccessHandler constructor. When logging out on Tomcat 6, it throws an NPE because Tomcat uses java.util.Hashtable, which does not allow retrieving a value with a null key.
There is no problem on jetty-7 because it uses org.eclipse.jetty.util.MultiMap, which allows null.

Workaround: revert to spring-security-3.0.5

The problem is also that I cannot find the responsible commit anywhere. The 3.0.6 exists in the Maven repo but is released nowhere in JIRA or Git. Very strange!

java.lang.NullPointerException
java.util.Hashtable.get(Hashtable.java:334)
org.apache.tomcat.util.http.Parameters.getParameterValues(Parameters.java:195)
org.apache.tomcat.util.http.Parameters.getParameter(Parameters.java:240)
org.apache.catalina.connector.Request.getParameter(Request.java:1065)
org.apache.catalina.connector.RequestFacade.getParameter(RequestFacade.java:355)
javax.servlet.ServletRequestWrapper.getParameter(ServletRequestWrapper.java:158)
org.springframework.security.web.authentication.AbstractAuthenticationTargetUrlRequestHandler.determineTargetUrl(AbstractAuthenticationTargetUrlRequestHandler.java:86)
org.springframework.security.web.authentication.AbstractAuthenticationTargetUrlRequestHandler.handle(AbstractAuthenticationTargetUrlRequestHandler.java:67)
org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler.onLogoutSuccess(SimpleUrlLogoutSuccessHandler.java:28)
org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:100)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:79)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:168)
org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:77)
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:88)
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)

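The container-dependent failure reported above, as an added Java example that is not part of the original thread and is not Spring Security or container code. The class and method names are hypothetical, and `HashMap` stands in for a null-tolerant parameter map such as the Jetty one the report mentions.

```java
import java.util.HashMap;
import java.util.Hashtable;
import java.util.Map;

// Added illustration; all names here are hypothetical.
public class NullParameterLookup {

    // Mirrors the failing pattern: the configured parameter name is passed
    // straight to the container's parameter lookup without a null check.
    static String unguardedTarget(Map<String, String> params,
                                  String targetUrlParameter,
                                  String defaultTargetUrl) {
        String target = params.get(targetUrlParameter);
        return (target != null && !target.isEmpty()) ? target : defaultTargetUrl;
    }

    // Guarded form: request parameters are consulted only when a parameter
    // name is actually configured, so behaviour no longer depends on how the
    // container stores its parameters.
    static String guardedTarget(Map<String, String> params,
                                String targetUrlParameter,
                                String defaultTargetUrl) {
        if (targetUrlParameter == null) {
            return defaultTargetUrl;
        }
        String target = params.get(targetUrlParameter);
        return (target != null && !target.isEmpty()) ? target : defaultTargetUrl;
    }

    public static void main(String[] args) {
        // Constructed sample request parameters.
        Map<String, String> hashtableBacked = new Hashtable<>(); // rejects null keys
        Map<String, String> nullTolerant = new HashMap<>();      // accepts null keys
        hashtableBacked.put("foo", "bar");
        nullTolerant.put("foo", "bar");

        // Null-tolerant map: the lookup returns null and the default is used.
        System.out.println(unguardedTarget(nullTolerant, null, "/"));

        // Hashtable-backed map: the same call throws, as in the traces here.
        try {
            unguardedTarget(hashtableBacked, null, "/");
        } catch (NullPointerException e) {
            System.out.println("NPE from Hashtable.get(null)");
        }

        // Guarded lookup behaves the same on both kinds of map.
        System.out.println(guardedTarget(hashtableBacked, null, "/"));
    }
}
```
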
@spring-issuemaster

Ludovic Praud said:

Sorry but the SEC-1762 issue has nothing to do with this.

@spring-issuemaster

Roger Pfister said:

I have hit this too, as will anyone churning out a basic 'ROO security' app and then switching to framework 3.0.6

Of course it also breaks on - VMware vFabric tc Server - which incorporates Tomcat.

@spring-issuemaster

Stefan Gybas said:

It also breaks on WebSphere 7:

Caused by: java.lang.NullPointerException
at java.util.Hashtable.get(Hashtable.java:518)
at com.ibm.ws.webcontainer.srt.SRTServletRequest.getParameter(SRTServletRequest.java:1520)
at javax.servlet.ServletRequestWrapper.getParameter(ServletRequestWrapper.java:169)
at org.springframework.security.web.authentication.AbstractAuthenticationTargetUrlRequestHandler.determineTargetUrl(AbstractAuthenticationTargetUrlRequestHandler.java:86)
at org.springframework.security.web.authentication.AbstractAuthenticationTargetUrlRequestHandler.handle(AbstractAuthenticationTargetUrlRequestHandler.java:67)
at org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler.onLogoutSuccess(SimpleUrlLogoutSuccessHandler.java:28)
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:100)
...

We also went back to 3.0.5.

@spring-issuemaster

Oliver Siegmar said:

Same here with Tomcat 7.0.21

@spring-issuemaster

Eugen Paraschiv said:

Same on JBoss, which uses Tomcat. Also, I can confirm that moving from 3.0.6 to 3.0.7 does indeed resolve the issue.

@spring-issuemaster

This issue duplicates #2035
