Spring Security / SEC-1807

logout success failed on tomcat due to NPE

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Duplicate
    • Affects Version/s: 3.0.6
    • Fix Version/s: None
    • Component/s: Web
    • Labels:
      None
    • Environment:
      tomcat 6

      Description

      Due to issue SEC-1762, the targetUrlParameter is set to null by default in the SimpleUrlLogoutSuccessHandler constructor. When logging out on tomcat 6, it throws an NPE because it uses java.util.Hashtable, which does not allow retrieving a value with a null key.
      There is no problem on jetty-7 because it uses org.eclipse.jetty.util.MultiMap which allows null.

      Workaround: revert to spring-security-3.0.5

      The problem is also that I cannot find the responsible commit anywhere. The 3.0.6 exists in the maven repo but is nowhere released in JIRA or GIT. Very strange!

      <code>
      java.lang.NullPointerException
      java.util.Hashtable.get(Hashtable.java:334)
      org.apache.tomcat.util.http.Parameters.getParameterValues(Parameters.java:195)
      org.apache.tomcat.util.http.Parameters.getParameter(Parameters.java:240)
      org.apache.catalina.connector.Request.getParameter(Request.java:1065)
      org.apache.catalina.connector.RequestFacade.getParameter(RequestFacade.java:355)
      javax.servlet.ServletRequestWrapper.getParameter(ServletRequestWrapper.java:158)
      org.springframework.security.web.authentication.AbstractAuthenticationTargetUrlRequestHandler.determineTargetUrl(AbstractAuthenticationTargetUrlRequestHandler.java:86)
      org.springframework.security.web.authentication.AbstractAuthenticationTargetUrlRequestHandler.handle(AbstractAuthenticationTargetUrlRequestHandler.java:67)
      org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler.onLogoutSuccess(SimpleUrlLogoutSuccessHandler.java:28)
      org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:100)
      org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
      org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:79)
      org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
      org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:168)
      org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
      org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
      org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:77)
      org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
      org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:88)
      org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
      </code>
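
The failure mode in the report, reproduced without a servlet container, as an added example that is not Spring Security's code. `unguarded`, `guarded` and the two maps are hypothetical stand-ins: a `Hashtable` models the parameter store seen in the stack trace and a `HashMap` models a null-tolerant one.

```java
import java.util.HashMap;
import java.util.Hashtable;
import java.util.Map;
import java.util.function.Function;

public class NullParameterNameDemo {

    // Hypothetical target-URL lookup without a guard: the configured
    // parameter name is passed straight to the container's lookup.
    static String unguarded(Function<String, String> getParameter,
                            String targetUrlParameter, String defaultUrl) {
        String target = getParameter.apply(targetUrlParameter);
        return (target != null && !target.isEmpty()) ? target : defaultUrl;
    }

    // Same lookup, but a null parameter name is treated as "not configured",
    // so the container is never asked for a null key.
    static String guarded(Function<String, String> getParameter,
                          String targetUrlParameter, String defaultUrl) {
        if (targetUrlParameter == null) {
            return defaultUrl;
        }
        return unguarded(getParameter, targetUrlParameter, defaultUrl);
    }

    public static void main(String[] args) {
        // Constructed request parameters held in two different backing stores.
        Map<String, String> hashtableBacked = new Hashtable<>();
        Map<String, String> nullTolerant = new HashMap<>();
        hashtableBacked.put("target", "/home");
        nullTolerant.put("target", "/home");

        // A null-tolerant store hides the problem: the lookup finds nothing
        // and the default URL is used.
        System.out.println("null-tolerant, unguarded: "
                + unguarded(nullTolerant::get, null, "/"));

        // A Hashtable rejects null keys, so the same call fails at runtime.
        try {
            unguarded(hashtableBacked::get, null, "/");
        } catch (NullPointerException e) {
            System.out.println("Hashtable, unguarded: NullPointerException");
        }

        // With the guard, both stores behave the same for a null name,
        // and a configured name still resolves normally.
        System.out.println("Hashtable, guarded, null name: "
                + guarded(hashtableBacked::get, null, "/"));
        System.out.println("Hashtable, guarded, \"target\": "
                + guarded(hashtableBacked::get, "target", "/"));
    }
}
```

Running the same unguarded call against both stores shows why the defect can pass testing on one container and fail on another.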

          Activity

          Ludovic Praud added a comment -

          Sorry but the SEC-1762 issue has nothing to do with this.

          Roger Pfister added a comment -

          I have hit this too, as will anyone churning out a basic 'ROO security' app and then switching to framework 3.0.6

          Of course it also breaks on - VMware vFabric tc Server - which incorporates tomcat.

          Stefan Gybas added a comment -

          It also breaks on WebSphere 7:

          Caused by: java.lang.NullPointerException
          at java.util.Hashtable.get(Hashtable.java:518)
          at com.ibm.ws.webcontainer.srt.SRTServletRequest.getParameter(SRTServletRequest.java:1520)
          at javax.servlet.ServletRequestWrapper.getParameter(ServletRequestWrapper.java:169)
          at org.springframework.security.web.authentication.AbstractAuthenticationTargetUrlRequestHandler.determineTargetUrl(AbstractAuthenticationTargetUrlRequestHandler.java:86)
          at org.springframework.security.web.authentication.AbstractAuthenticationTargetUrlRequestHandler.handle(AbstractAuthenticationTargetUrlRequestHandler.java:67)
          at org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler.onLogoutSuccess(SimpleUrlLogoutSuccessHandler.java:28)
          at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:100)
          ...

          We also went back to 3.0.5.

          Oliver Siegmar added a comment -

          Same here with Tomcat 7.0.21

          Eugen Paraschiv added a comment -

          Same on JBoss, which uses Tomcat. Also, I can confirm that moving from 3.0.6 to 3.0.7 does indeed resolve the issue.


            People

            • Assignee:
              Luke Taylor
              Reporter:
              Ludovic Praud
            • Votes:
              3
              Watchers:
              4
