SEC-1820: NPE in OpenID4JavaConsumer.fetchAxAttributes #2050

Closed
spring-issuemaster opened this Issue Sep 20, 2011 · 8 comments

1 participant

@spring-issuemaster

Kees de Kooter (Migrated from SEC-1820) said:

I am not sure what more details I need to provide - please let me know.

java.lang.NullPointerException
    org.springframework.security.openid.OpenID4JavaConsumer.fetchAxAttributes(OpenID4JavaConsumer.java:205)
    org.springframework.security.openid.OpenID4JavaConsumer.endConsumption(OpenID4JavaConsumer.java:184)
    org.springframework.security.openid.OpenIDAuthenticationFilter.attemptAuthentication(OpenIDAuthenticationFilter.java:143)
    org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:199)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:340)
    org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:187)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:340)
    org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:340)
    org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:80)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:340)
    org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:175)
    org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
    org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
@spring-issuemaster

Luke Taylor said:

Looks like a problem with attribute fetching (I'm guessing you aren't specifying any attributes?)

I've added a null check which should cater for this case. Please try with a nightly build.

@spring-issuemaster

Kees de Kooter said:

These are the ones I am trying to fetch:

        <attribute-exchange>
            <openid-attribute name="email" type="http://axschema.org/contact/email" required="true" count="1"/>
            <openid-attribute name="firstname" type="http://axschema.org/namePerson/first" required="true" />
            <openid-attribute name="lastname" type="http://axschema.org/namePerson/last" required="true" />
            <openid-attribute name="language" type="http://axschema.org/pref/language" required="true" />
            <openid-attribute name="gender" type="http://axschema.org/gender" required="true" />
            <openid-attribute name="image" type="http://axschema.org/media/image/default" required="true" />
        </attribute-exchange>
@spring-issuemaster

Kees de Kooter said:

Would setting required to false make a difference?

@spring-issuemaster

Luke Taylor said:

No. Please explain whether the problem is intermittent or reproducible. And please try with the latest release (RC3) so that the stacktrace matches the current source.

@spring-issuemaster

Kees de Kooter said:

Looks like it is intermittent. With RC3 I am bumping into SEC-1815.
Will try to find some time to test with the nightlies.

@spring-issuemaster

Luke Taylor said:

You can easily workaround SEC-1815 by using the 4.1.1 HttpClient jar file.

@spring-issuemaster

Luke Taylor said:

Could you clarify whether this is still a problem with the current snapshots?

@spring-issuemaster

Luke Taylor said:

No further input, so assuming that the null check fixed the issue.

@spring-issuemaster spring-issuemaster added this to the 3.1.0 milestone Feb 5, 2016
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment