Spring Security / SEC-1280

NullPointerException in PersistentTokenBasedRememberMeServices when logging out twice

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 3.0.0 RC1
    • Fix Version/s: 3.0.0.RC2
    • Component/s: None
    • Labels:
      None

      Description

      When remember-me is enabled in Spring Security 3.0.0 RC1, a user who attempts to log out when not already logged in will cause a NullPointerException - and probably receive a blank page as a result.

      The exception is:

      java.lang.NullPointerException
      at org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices.logout(PersistentTokenBasedRememberMeServices.java:145)
      at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:98)
      at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:356)
      at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:80)
      at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:356)
      at org.springframework.security.web.access.channel.ChannelProcessingFilter.doFilter(ChannelProcessingFilter.java:110)
      at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:356)
      at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:150)
      at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
      at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
      [...]

      Logout works fine if the user is already logged in; the exception only occurs if the user is not logged in.

      Obviously a well-designed web application doesn't show a logout link when no-one is logged in, which mitigates the problem. However it does affect users who open multiple windows - and then log out from two or more of them.

        Activity

        Nickolay Mazurkin added a comment -

        Yes, I have the same issue.

        The problem happens when the authentication parameter is null, so authentication.getName() raises a NullPointerException

        [code]
        public void logout(HttpServletRequest request, HttpServletResponse response, Authentication authentication) {
            super.logout(request, response, authentication);
            // authentication is null when no user is logged in, so getName() throws here
            tokenRepository.removeUserTokens(authentication.getName());
        }
        [/code]

        I think that a proper check should be implemented in LogoutFilter and/or in PersistentTokenBasedRememberMeServices

        Luke Taylor added a comment -

        Thanks for the report guys. Fix should be straightforward.

        Luke Taylor added a comment -

        I've added a null check in the logout method of PersistentTokenBasedRememberMeServices.
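
The double-logout path from this issue, as an added example that is not part of the thread or of the Spring Security source: a self-contained Java model showing the unguarded dereference next to a guarded form. `Authentication`, `TokenRepository`, `cancelCookie` and both `logout*` methods are hypothetical stand-ins, and the token value is constructed.

```java
import java.util.HashMap;
import java.util.Map;

// Stand-in types (assumptions): minimal models of the Authentication object
// and persistent token repository involved in SEC-1280, not the real classes.
public class LogoutNullCheckDemo {
    interface Authentication { String getName(); }

    static class TokenRepository {
        final Map<String, String> tokens = new HashMap<>();
        void removeUserTokens(String username) { tokens.remove(username); }
    }

    static final TokenRepository repo = new TokenRepository();

    // Models super.logout(...): cancelling the cookie needs no user identity.
    static void cancelCookie() { System.out.println("remember-me cookie cancelled"); }

    // Behaviour reported against 3.0.0 RC1: authentication is dereferenced unconditionally.
    static void logoutUnguarded(Authentication authentication) {
        cancelCookie();
        repo.removeUserTokens(authentication.getName());
    }

    // Guarded form: without an authenticated user there are no tokens to revoke.
    static void logoutGuarded(Authentication authentication) {
        cancelCookie();
        if (authentication != null) {
            repo.removeUserTokens(authentication.getName());
        }
    }

    public static void main(String[] args) {
        repo.tokens.put("alice", "series-1");      // constructed sample token
        Authentication alice = () -> "alice";

        logoutGuarded(alice);                      // first window: tokens revoked server-side
        System.out.println("tokens left after first logout: " + repo.tokens.size());

        logoutGuarded(null);                       // second window: session already gone
        System.out.println("second logout, guarded: completed");

        try {
            logoutUnguarded(null);                 // same request without the check
        } catch (NullPointerException e) {
            System.out.println("second logout, unguarded: NullPointerException");
        }
    }
}
```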


          People

          • Assignee:
            Luke Taylor
            Reporter:
            Charles Gutjahr
          • Votes:
            0
            Watchers:
            1