Spring Security
  1. Spring Security
  2. SEC-1803

SimpleUrlLogoutSuccessHandler no-arg constructor produces NPE in AbstractAuthenticationTargetUrlRequestHandler

    Details

    • Type: Bug Bug
    • Status: Closed
    • Priority: Minor Minor
    • Resolution: Fixed
    • Affects Version/s: 3.0.6
    • Fix Version/s: 3.0.7
    • Component/s: Web
    • Labels:
      None
    • Environment:
      org.springframework.security 3.0.6.RELEASE artifacts : search.maven.org / g:"org.springframework.security"

      Description

      After the springframework 3.0.6.RELEASE announcement, I went looking and saw that spring security 3.0.6 was available in maven central. Using these artifacts, I ran into an NPE that occurs within the logout filters.

      It appears that since 3.0.5, there was a no-arg constructor added to SimpleUrlLogoutSuccessHandler, which sets the targetUrlParameter to null.

          public SimpleUrlLogoutSuccessHandler() {
              super.setTargetUrlParameter(null);
          }
      

      The setter trumps the default of "spring-security-redirect" and replaces the default as null. Then, in AbstractAuthenticationTargetUrlRequestHandler, the following call produces the NPE (key targetUrlParameter is null).

              // Check for the parameter and use that if available
              String targetUrl = request.getParameter(targetUrlParameter);
      

      Stack

      java.lang.NullPointerException
      	at java.util.Hashtable.get(Hashtable.java:334)
      	at org.apache.tomcat.util.http.Parameters.getParameterValues(Parameters.java:193)
      	at org.apache.tomcat.util.http.Parameters.getParameter(Parameters.java:238)
      	at org.apache.catalina.connector.Request.getParameter(Request.java:1007)
      	at org.apache.catalina.connector.RequestFacade.getParameter(RequestFacade.java:353)
      	at javax.servlet.ServletRequestWrapper.getParameter(ServletRequestWrapper.java:158)
      	at org.springframework.security.web.authentication.AbstractAuthenticationTargetUrlRequestHandler.determineTargetUrl(AbstractAuthenticationTargetUrlRequestHandler.java:86)
      	at org.springframework.security.web.authentication.AbstractAuthenticationTargetUrlRequestHandler.handle(AbstractAuthenticationTargetUrlRequestHandler.java:67)
      	at org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler.onLogoutSuccess(SimpleUrlLogoutSuccessHandler.java:28)
      	at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:100)
      	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
      	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:79)
      	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
      	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:168)
      	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
      	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
      	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
      	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:174)
      	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
      	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
      	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
      	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:151)
      	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:874)
      	at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)
      	at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)
      	at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
      	at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689)
      	at java.lang.Thread.run(Thread.java:662)
      

      Would it be reasonable to revert setting the defaultTargetUrl to null within the no-arg constructor?

        Issue Links

          Activity

          Hide
          Alexander Franken added a comment -

          Just in case someone runs into this, an easy work-around is to re-set the default after instantiation.

          		 	<bean class="org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler">
          		 		<property name="targetUrlParameter">
          		 			<util:constant static-field="org.springframework.security.web.authentication.AbstractAuthenticationTargetUrlRequestHandler.DEFAULT_TARGET_PARAMETER"/>
          		 		</property>
          			</bean>
          
          Show
          Alexander Franken added a comment - Just in case someone runs into this, an easy work-around is to re-set the default after instantiation. <bean class= "org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler" > <property name= "targetUrlParameter" > <util:constant static -field= "org.springframework.security.web.authentication.AbstractAuthenticationTargetUrlRequestHandler.DEFAULT_TARGET_PARAMETER" /> </property> </bean>
          Hide
          Luke Taylor added a comment -

          Thanks for the report. The problem was due to changes for SEC-1790 which removed support for the redirect parameter for logouts. Unfortunately this resulted in a null key lookup which worked in Jetty (and hence the integration tests) but not in Tomcat or other containers.

          Show
          Luke Taylor added a comment - Thanks for the report. The problem was due to changes for SEC-1790 which removed support for the redirect parameter for logouts. Unfortunately this resulted in a null key lookup which worked in Jetty (and hence the integration tests) but not in Tomcat or other containers.

            People

            • Assignee:
              Luke Taylor
              Reporter:
              Alexander Franken
            • Votes:
              3 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: