[SWS-972] SpringSecurityPasswordValidationCallbackHandler throws NPE when UserDetailsService does not find user Created: 29/Sep/16 Updated: 27/Oct/17 Resolved: 27/Oct/17
|Project:||Spring Web Services|
|Affects Version/s:||2.3.0, 3.0.0.RC1|
|Fix Version/s:||3.0.0.RELEASE, 2.4.2|
|Reporter:||Petr Dvorak||Assignee:||Greg Turnquist|
|Remaining Estimate:||Not Specified|
|Time Spent:||Not Specified|
|Original Estimate:||Not Specified|
OS: Mac OS X 10.12
I implemented UserDetailsService class like so:
Then, I use this service in the webservice configuration:
However, this code causes issues, because SpringSecurityPasswordValidationCallbackHandler.java contains:
Note that this is "wss4j2" - the code seems correct in "wss4j".
|Comment by Petr Dvorak [ 11/Jul/17 ]|
Sorry for the bump, but this issue is still present in 2.4.0 and it makes Spring-WS with basic username / password WS-Security pretty useless even in the most basic scenarios.
In case a user with provided username does not exist, the current code raises NPE that cannot be reasonably handled anywhere.
The issue is present only in wss4j2 version, not in wss4j. However, wss4j version is marked as deprecated and we would like to avoid having deprecated code in our projects.
|Comment by jaminh [ 17/Aug/17 ]|
Here is my attempt to fix this issue https://github.com/jaminh/spring-ws/tree/feature/SWS-972.
|Comment by jaminh [ 27/Oct/17 ]|
I have pull request for the 2.4 and 3.0 branches https://github.com/spring-projects/spring-ws/pull/104 and https://github.com/spring-projects/spring-ws/pull/103
|Comment by Greg Turnquist [ 27/Oct/17 ]|
Resolved! Thanks for the efforts to get this into both versions.