Hey guys,
In SimpleAccountRealm
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
    UsernamePasswordToken upToken = (UsernamePasswordToken) token;
    SimpleAccount account = (SimpleAccount) getAuthorizationCache().get(upToken.getUsername());
    if (account.isLocked()) {
        throw new LockedAccountException("Account [" + account + "] is locked.");
    }
    if (account.isCredentialsExpired()) {
        String msg = "The credentials for account [" + account + "] are expired";
        throw new ExpiredCredentialsException(msg);
    }
    return account;
}
It seems like it pretty much depends on having a cache, which probably means a CacheManager is required, or else we'll get an NPE. However, in CachingSecurityManager:
protected void ensureCacheManager() {
    CacheManager cm = getCacheManager();
    if (cm == null) {
        cm = createCacheManager();
        if (cm != null) {
            setCacheManager(cm);
        }
    }
}

protected CacheManager createCacheManager() {
    CacheManager manager = null;
    if (log.isDebugEnabled()) {
        log.debug("Attempting to initialize default CacheManager using EhCache...");
    }
    try {
        EhCacheManager ehCacheManager = new EhCacheManager();
        ehCacheManager.init();
        manager = ehCacheManager;
    } catch (NoClassDefFoundError e) {
        e.printStackTrace();
        if (log.isDebugEnabled()) {
            log.debug("Ehcache was not found in the classpath. A default EhCacheManager cannot be created.");
        }
        // Perhaps we should return new HashtableCacheManager() ??
    }
    return manager;
}
It seems like it allows a null cache manager, which is going to cause an NPE in SimpleAccountRealm. Perhaps the code that catches NoClassDefFoundError should try to find the name of Ehcache's cache manager in the error message, because if we have forgotten the Java concurrent util backport jar but have the Ehcache jar in the classpath, the error message still says that the Ehcache jar is probably not there, when in fact it is; it's the Java util concurrent backport that's missing. Or maybe the error message could be changed a bit.
Just my 2 cents anyway.
Just remembered another thing :-)
In SimpleAccountRealm,
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
    UsernamePasswordToken upToken = (UsernamePasswordToken) token;
    SimpleAccount account = (SimpleAccount) getAuthorizationCache().get(upToken.getUsername());
    if (account.isLocked()) {
        throw new LockedAccountException("Account [" + account + "] is locked.");
    }
    if (account.isCredentialsExpired()) {
        String msg = "The credentials for account [" + account + "] are expired";
        throw new ExpiredCredentialsException(msg);
    }
    return account;
}
Should we check for account nullity? E.g., when a username supplied is null?
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
    UsernamePasswordToken upToken = (UsernamePasswordToken) token;
    SimpleAccount account = (SimpleAccount) getAuthorizationCache().get(upToken.getUsername());
    if (account == null) {
        // such a username doesn't exist, maybe we'd throw IncorrectCredentialsException?
    }
    if (account.isLocked()) {
        throw new LockedAccountException("Account [" + account + "] is locked.");
    }
    if (account.isCredentialsExpired()) {
        String msg = "The credentials for account [" + account + "] are expired";
        throw new ExpiredCredentialsException(msg);
    }
    return account;
}
I seem to be getting this:
WARN (AbstractAuthenticator.java:159) - Authentication failed for token submission [org.jsecurity.authc.UsernamePasswordToken - asd, rememberMe=false (/127.0.0.1)]. Possible unexpected error? (Typical or expected login exceptions should extend from AuthenticationException).
java.lang.NullPointerException
at org.jsecurity.realm.SimpleAccountRealm.doGetAuthenticationInfo(SimpleAccountRealm.java:141)
at org.jsecurity.realm.AuthenticatingRealm.getAuthenticationInfo(AuthenticatingRealm.java:168)
at org.jsecurity.authc.pam.ModularRealmAuthenticator.doSingleRealmAuthentication(ModularRealmAuthenticator.java:186)
at org.jsecurity.authc.pam.ModularRealmAuthenticator.doAuthenticate(ModularRealmAuthenticator.java:276)
at org.jsecurity.authc.AbstractAuthenticator.authenticate(AbstractAuthenticator.java:141)
at org.jsecurity.mgt.AuthenticatingSecurityManager.authenticate(AuthenticatingSecurityManager.java:171)
at org.jsecurity.mgt.DefaultSecurityManager.login(DefaultSecurityManager.java:312)
at org.jsecurity.subject.DelegatingSubject.login(DelegatingSubject.java:237)
at org.jsecurity.web.filter.authc.AuthenticatingFilter.executeLogin(AuthenticatingFilter.java:49)
at org.jsecurity.web.filter.authc.FormAuthenticationFilter.onAccessDenied(FormAuthenticationFilter.java:148)
at org.jsecurity.web.filter.AccessControlFilter.onPreHandle(AccessControlFilter.java:145)
at org.jsecurity.web.filter.PathMatchingFilter.preHandle(PathMatchingFilter.java:175)
at org.jsecurity.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:129)
at org.jsecurity.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:180)
at org.jsecurity.web.servlet.FilterChainWrapper.doFilter(FilterChainWrapper.java:57)
at org.jsecurity.web.servlet.JSecurityFilter.doFilterInternal(JSecurityFilter.java:382)
at org.jsecurity.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:180)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:845)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
at java.lang.Thread.run(Thread.java:595)
when trying jSecurity out. Could I have configured it incorrectly?
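
An added example, not part of the original posts and not JSecurity code: a self-contained sketch of the two points raised above, a fallback store when no cache manager could be created and a typed authentication failure for a null username or a missing account. The class, record and exception names are stand-ins chosen for illustration, and a null store passed to the constructor is assumed to model the missing CacheManager.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
// Stand-in types so this compiles alone (Java 16+); they are NOT the JSecurity classes.
public class NullSafeRealmExample {
    static class AuthenticationException extends RuntimeException {
        AuthenticationException(String msg) { super(msg); }
    }
    static class UnknownAccountException extends AuthenticationException {
        UnknownAccountException(String msg) { super(msg); }
    }
    static class LockedAccountException extends AuthenticationException {
        LockedAccountException(String msg) { super(msg); }
    }
    record Account(String username, boolean locked) {}

    private final Map<String, Account> accounts;
    // Assumption: a null store models "no CacheManager could be created".
    NullSafeRealmExample(Map<String, Account> store) {
        // Fall back to an in-memory map rather than keeping a null reference
        // that only fails later, on the first login attempt.
        this.accounts = (store != null) ? store : new ConcurrentHashMap<>();
    }

    Account authenticate(String username) {
        // ConcurrentHashMap.get(null) itself throws NPE, so test the key first.
        if (username == null) {
            throw new UnknownAccountException("No username submitted");
        }
        Account account = accounts.get(username);
        if (account == null) {
            // Typed failure: callers catch AuthenticationException, not NPE.
            throw new UnknownAccountException("No account for submitted username");
        }
        if (account.locked()) {
            throw new LockedAccountException("Account [" + username + "] is locked.");
        }
        return account;
    }
    public static void main(String[] args) {
        NullSafeRealmExample realm = new NullSafeRealmExample(null);
        realm.accounts.put("alice", new Account("alice", false)); // constructed sample data
        realm.accounts.put("bob", new Account("bob", true));
        for (String user : new String[] {"alice", "bob", "asd", null}) {
            try {
                System.out.println(user + " -> ok: " + realm.authenticate(user).username());
            } catch (AuthenticationException e) {
                System.out.println(user + " -> " + e.getClass().getSimpleName());
            }
        }
    }
}
```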