JDK-8043252

Debug of access control is obfuscated - NullPointerException in ProtectionDomain


    • Bug
    • Resolution: Fixed
    • P4
    • 9
    • 8, 9
    • security-libs
    • b147
    • x86_64
    • linux

      FULL PRODUCT VERSION :
      JDK 1.7.0_51
      JDK 1.8.0_5 ( visual confirmation of PD content )

      java -version
      java version "1.7.0_51"
      Java(TM) SE Runtime Environment (build 1.7.0_51-b13)
      Java HotSpot(TM) 64-Bit Server VM (build 24.51-b03, mixed mode)



      ADDITIONAL OS VERSION INFORMATION :
      Linux port2 3.8.0-34-generic #49-Ubuntu SMP Tue Nov 12 18:00:10 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux

      A DESCRIPTION OF THE PROBLEM :
      If debug is configured when security is enabled, then upon access failure there will be an NPE instead of the PD, CodeBase and permissions dump.
      This is a bit tricky. The Permission Javadoc states that "Subclasses should always return actions in what they consider to be their canonical form." There is no 'null' in "Returns". However, some Permission implementations loosen this constraint, for instance WebUserDataPermission, where getActions has "a String containing the canonicalized actions of this WebUserDataPermission (or the null value)."

      If WebUserDataPermission is in the call stack, ProtectionDomain will throw an NPE at ~L#420, where this piece of code is run: 'pdpActions.equals(pp.getActions())'

      STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
      This is probably reproducible in many ways; my scenario:
      1. set up a web container with insufficient permission
      2. deploy JSP, which does something it does not have permissions for
      3. access JSP

      EXPECTED VERSUS ACTUAL BEHAVIOR :
      EXPECTED -
      See ProtectionDomain dump.
      ACTUAL -
      access failure and NullPointerException, without ProtectionDomain dump.

      ERROR MESSAGES/STACK TRACES THAT OCCUR :
      Exception handling request to /read-props/index.jsp: org.apache.jasper.JasperException: java.lang.NullPointerException
      at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:410) [jastow-1.0.0.Final.jar:1.0.0.Final]
      at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:326) [jastow-1.0.0.Final.jar:1.0.0.Final]
      at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:259) [jastow-1.0.0.Final.jar:1.0.0.Final]
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) [jboss-servlet-api_3.1_spec-1.0.0.Final.jar:1.0.0.Final]
      at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) [undertow-servlet-1.0.10.Final.jar:1.0.10.Final]
      at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:61) [undertow-servlet-1.0.10.Final.jar:1.0.10.Final]
      at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) [undertow-servlet-1.0.10.Final.jar:1.0.10.Final]
      at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
      at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.10.Final.jar:1.0.10.Final]
      at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:113) [undertow-servlet-1.0.10.Final.jar:1.0.10.Final]
      at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:56) [undertow-servlet-1.0.10.Final.jar:1.0.10.Final]
      at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:45) [undertow-core-1.0.10.Final.jar:1.0.10.Final]
      at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:61) [undertow-servlet-1.0.10.Final.jar:1.0.10.Final]
      at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58) [undertow-core-1.0.10.Final.jar:1.0.10.Final]
      at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:70) [undertow-servlet-1.0.10.Final.jar:1.0.10.Final]
      at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76) [undertow-core-1.0.10.Final.jar:1.0.10.Final]
      at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.10.Final.jar:1.0.10.Final]
      at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
      at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.10.Final.jar:1.0.10.Final]
      at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.10.Final.jar:1.0.10.Final]
      at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:240) [undertow-servlet-1.0.10.Final.jar:1.0.10.Final]
      at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:227) [undertow-servlet-1.0.10.Final.jar:1.0.10.Final]
      at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:73) [undertow-servlet-1.0.10.Final.jar:1.0.10.Final]
      at io.undertow.servlet.handlers.ServletInitialHandler$1$1.run(ServletInitialHandler.java:152) [undertow-servlet-1.0.10.Final.jar:1.0.10.Final]
      at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.7.0_51]
      at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:149) [undertow-servlet-1.0.10.Final.jar:1.0.10.Final]
      at io.undertow.server.Connectors.executeRootHandler(Connectors.java:168) [undertow-core-1.0.10.Final.jar:1.0.10.Final]
      at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:727) [undertow-core-1.0.10.Final.jar:1.0.10.Final]
      at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [rt.jar:1.7.0_51]
      at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [rt.jar:1.7.0_51]
      at java.lang.Thread.run(Thread.java:744) [rt.jar:1.7.0_51]
      Caused by: java.lang.NullPointerException
      at java.security.ProtectionDomain.mergePermissions(ProtectionDomain.java:420) [rt.jar:1.7.0_51]
      at java.security.ProtectionDomain.toString(ProtectionDomain.java:308) [rt.jar:1.7.0_51]
      at java.lang.String.valueOf(String.java:2854) [rt.jar:1.7.0_51]
      at java.lang.StringBuilder.append(StringBuilder.java:128) [rt.jar:1.7.0_51]
      at java.security.AccessControlContext$1.run(AccessControlContext.java:367) [rt.jar:1.7.0_51]
      at java.security.AccessControlContext$1.run(AccessControlContext.java:365) [rt.jar:1.7.0_51]
      at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.7.0_51]
      at java.security.AccessControlContext.checkPermission(AccessControlContext.java:365) [rt.jar:1.7.0_51]
      at java.security.AccessController.checkPermission(AccessController.java:559) [rt.jar:1.7.0_51]
      at java.lang.SecurityManager.checkPermission(SecurityManager.java:549) [rt.jar:1.7.0_51]
      at java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1298) [rt.jar:1.7.0_51]
      at java.lang.System.getProperty(System.java:708) [rt.jar:1.7.0_51]
      at org.apache.jsp.index_jsp._jspService(index_jsp.java:59)
      at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:69) [jastow-1.0.0.Final.jar:1.0.0.Final]
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) [jboss-servlet-api_3.1_spec-1.0.0.Final.jar:1.0.0.Final]
      at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:366) [jastow-1.0.0.Final.jar:1.0.0.Final]
      ... 30 more

      REPRODUCIBILITY :
      This bug can be reproduced always.

            jnimeh Jamil Nimeh
            webbuggrp Webbug Group
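
The failure mode described in the report, as an added example that is not JDK source and not the fix that was applied: a Permission whose getActions() returns null breaks a comparison of the form `pdpActions.equals(pp.getActions())`, while a null-tolerant comparison does not. `NullableActionsPermission`, `sameUnsafe` and `sameSafe` are hypothetical names, and the permission name is a constructed sample.

```java
import java.security.Permission;
import java.util.Objects;

public class NullActionsDemo {
    // Hypothetical permission whose getActions() may return null, which the
    // report says the WebUserDataPermission documentation allows.
    static final class NullableActionsPermission extends Permission {
        private final String actions;
        NullableActionsPermission(String name, String actions) { super(name); this.actions = actions; }
        @Override public boolean implies(Permission p) { return equals(p); }
        @Override public boolean equals(Object o) {
            return o instanceof NullableActionsPermission
                && getName().equals(((NullableActionsPermission) o).getName())
                && Objects.equals(actions, ((NullableActionsPermission) o).actions);
        }
        @Override public int hashCode() { return Objects.hash(getName(), actions); }
        @Override public String getActions() { return actions; }
    }

    // Only the last comparison is quoted in the report; the class and name
    // checks are illustrative. Throws NPE when pdp.getActions() is null.
    static boolean sameUnsafe(Permission pdp, Permission pp) {
        String pdpActions = pdp.getActions();
        return pdp.getClass() == pp.getClass()
            && pdp.getName().equals(pp.getName())
            && pdpActions.equals(pp.getActions());
    }

    // Null-tolerant form: two null action strings compare equal.
    static boolean sameSafe(Permission pdp, Permission pp) {
        return pdp.getClass() == pp.getClass()
            && Objects.equals(pdp.getName(), pp.getName())
            && Objects.equals(pdp.getActions(), pp.getActions());
    }

    public static void main(String[] args) {
        Permission a = new NullableActionsPermission("/read-props/*", null); // constructed sample
        Permission b = new NullableActionsPermission("/read-props/*", null);
        try {
            sameUnsafe(a, b);
        } catch (NullPointerException e) {
            // Thrown while building the debug message, so the permission dump is never produced.
            System.out.println("unsafe comparison: NullPointerException");
        }
        System.out.println("safe comparison: " + sameSafe(a, b));
    }
}
```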