Skip to content

NPE from VaadinAwareSecurityContextHolderStrategy when logging out #910

New issue
New issue
Closed
#911
Closed
NPE from VaadinAwareSecurityContextHolderStrategy when logging out#910
#911
Labels
Impact: HighReleased with Platform 22.0.0.alpha7Severity: Majorbugprerelease version for platform 22.0.0
@Artur-

Description

@Artur-
Artur-
opened on Oct 4, 2021
java.lang.NullPointerException: Cannot invoke "com.vaadin.flow.server.WrappedSession.getAttribute(String)" because the return value of "com.vaadin.flow.server.VaadinSession.getSession()" is null
	at com.vaadin.flow.spring.security.VaadinAwareSecurityContextHolderStrategy.getFromVaadinSession(VaadinAwareSecurityContextHolderStrategy.java:71) ~[vaadin-spring-19.0.0.alpha2.jar:na]
	at com.vaadin.flow.spring.security.VaadinAwareSecurityContextHolderStrategy.getContext(VaadinAwareSecurityContextHolderStrategy.java:56) ~[vaadin-spring-19.0.0.alpha2.jar:na]
	at org.springframework.security.core.context.SecurityContextHolder.getContext(SecurityContextHolder.java:110) ~[spring-security-core-5.5.2.jar:5.5.2]
	at org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler.logout(SecurityContextLogoutHandler.java:72) ~[spring-security-web-5.5.2.jar:5.5.2]
	at com.example.application.security.AuthenticatedUser.logout(AuthenticatedUser.java:44) ~[classes/:na]
	at com.example.application.views.MainLayout.lambda$createHeaderContent$b71f5360$1(MainLayout.java:103) ~[classes/:na]
	at com.vaadin.flow.component.ComponentEventBus.fireEventForListener(ComponentEventBus.java:205) ~[flow-server-9.0.0.alpha7.jar:9.0.0.alpha7]
	at com.vaadin.flow.component.ComponentEventBus.handleDomEvent(ComponentEventBus.java:373) ~[flow-server-9.0.0.alpha7.jar:9.0.0.alpha7]
	at com.vaadin.flow.component.ComponentEventBus.lambda$addDomTrigger$dd1b7957$1(ComponentEventBus.java:264) ~[flow-server-9.0.0.alpha7.jar:9.0.0.alpha7]
	at com.vaadin.flow.internal.nodefeature.ElementListenerMap.lambda$fireEvent$2(ElementListenerMap.java:443) ~[flow-server-9.0.0.alpha7.jar:9.0.0.alpha7]
	at java.base/java.util.ArrayList.forEach(ArrayList.java:1511) ~[na:na]

This comes from the code in SecurityContextHolder:

	public void logout(HttpServletRequest request, HttpServletResponse response, Authentication authentication) {
		Assert.notNull(request, "HttpServletRequest required");
		if (this.invalidateHttpSession) {
			HttpSession session = request.getSession(false);
			if (session != null) {
				session.invalidate();
				if (this.logger.isDebugEnabled()) {
					this.logger.debug(LogMessage.format("Invalidated session %s", session.getId()));
				}
			}
		}
		if (this.clearAuthentication) {
			SecurityContext context = SecurityContextHolder.getContext();
			context.setAuthentication(null);
		}
		SecurityContextHolder.clearContext();
	}

which first invalidates the session and then fetches the security context

Metadata

Metadata

Assignees

No one assigned

    Labels

    Impact: HighReleased with Platform 22.0.0.alpha7Severity: Majorbugprerelease version for platform 22.0.0

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions