-
Bug
-
Resolution: Fixed
-
P4
-
8, 9
-
b147
-
x86_64
-
linux
FULL PRODUCT VERSION :
JDK 1.7.0_51
JDK 1.8.0_5 ( visual confirmation of PD content )
java -version
java version "1.7.0_51"
Java(TM) SE Runtime Environment (build 1.7.0_51-b13)
Java HotSpot(TM) 64-Bit Server VM (build 24.51-b03, mixed mode)
ADDITIONAL OS VERSION INFORMATION :
Linux port2 3.8.0-34-generic #49-Ubuntu SMP Tue Nov 12 18:00:10 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
A DESCRIPTION OF THE PROBLEM :
If debug is configured when security is enabled upon access failure there will be NPE, instead of PD, CodeBase and permissions dump.
This is a bit tricky. Permission JDOC state that " Subclasses should always return actions in what they consider to be their canonical form. " THere is no 'null' in "Returns". However some Permission impl loose this constraint, for instance WebUserDataPermission, where getActions has "a String containing the canonicalized actions of this WebUserDataPermission (or the null value)."
If WebUserDataPermission is in call stack, ProtectionDomain will throw NPE ~L#420 where this piece of code is run: 'pdpActions.equals(pp.getActions())'
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
This probably is reproducible in many ways, may scenario:
1. setup web container with insuficient permission
2. deploy JSP, which does something it does not have permissions for
3. access JSP
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
See ProtectionDomain dump.
ACTUAL -
access failure and NullPointerException, without ProtectionDomain dump.
ERROR MESSAGES/STACK TRACES THAT OCCUR :
Exception handling request to /read-props/index.jsp: org.apache.jasper.JasperException: java.lang.NullPointerException
at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:410) [jastow-1.0.0.Final.jar:1.0.0.Final]
at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:326) [jastow-1.0.0.Final.jar:1.0.0.Final]
at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:259) [jastow-1.0.0.Final.jar:1.0.0.Final]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) [jboss-servlet-api_3.1_spec-1.0.0.Final.jar:1.0.0.Final]
at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) [undertow-servlet-1.0.10.Final.jar:1.0.10.Final]
at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:61) [undertow-servlet-1.0.10.Final.jar:1.0.10.Final]
at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) [undertow-servlet-1.0.10.Final.jar:1.0.10.Final]
at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.10.Final.jar:1.0.10.Final]
at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:113) [undertow-servlet-1.0.10.Final.jar:1.0.10.Final]
at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:56) [undertow-servlet-1.0.10.Final.jar:1.0.10.Final]
at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:45) [undertow-core-1.0.10.Final.jar:1.0.10.Final]
at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:61) [undertow-servlet-1.0.10.Final.jar:1.0.10.Final]
at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58) [undertow-core-1.0.10.Final.jar:1.0.10.Final]
at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:70) [undertow-servlet-1.0.10.Final.jar:1.0.10.Final]
at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76) [undertow-core-1.0.10.Final.jar:1.0.10.Final]
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.10.Final.jar:1.0.10.Final]
at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.10.Final.jar:1.0.10.Final]
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.10.Final.jar:1.0.10.Final]
at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:240) [undertow-servlet-1.0.10.Final.jar:1.0.10.Final]
at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:227) [undertow-servlet-1.0.10.Final.jar:1.0.10.Final]
at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:73) [undertow-servlet-1.0.10.Final.jar:1.0.10.Final]
at io.undertow.servlet.handlers.ServletInitialHandler$1$1.run(ServletInitialHandler.java:152) [undertow-servlet-1.0.10.Final.jar:1.0.10.Final]
at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.7.0_51]
at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:149) [undertow-servlet-1.0.10.Final.jar:1.0.10.Final]
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:168) [undertow-core-1.0.10.Final.jar:1.0.10.Final]
at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:727) [undertow-core-1.0.10.Final.jar:1.0.10.Final]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [rt.jar:1.7.0_51]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [rt.jar:1.7.0_51]
at java.lang.Thread.run(Thread.java:744) [rt.jar:1.7.0_51]
Caused by: java.lang.NullPointerException
at java.security.ProtectionDomain.mergePermissions(ProtectionDomain.java:420) [rt.jar:1.7.0_51]
at java.security.ProtectionDomain.toString(ProtectionDomain.java:308) [rt.jar:1.7.0_51]
at java.lang.String.valueOf(String.java:2854) [rt.jar:1.7.0_51]
at java.lang.StringBuilder.append(StringBuilder.java:128) [rt.jar:1.7.0_51]
at java.security.AccessControlContext$1.run(AccessControlContext.java:367) [rt.jar:1.7.0_51]
at java.security.AccessControlContext$1.run(AccessControlContext.java:365) [rt.jar:1.7.0_51]
at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.7.0_51]
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:365) [rt.jar:1.7.0_51]
at java.security.AccessController.checkPermission(AccessController.java:559) [rt.jar:1.7.0_51]
at java.lang.SecurityManager.checkPermission(SecurityManager.java:549) [rt.jar:1.7.0_51]
at java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1298) [rt.jar:1.7.0_51]
at java.lang.System.getProperty(System.java:708) [rt.jar:1.7.0_51]
at org.apache.jsp.index_jsp._jspService(index_jsp.java:59)
at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:69) [jastow-1.0.0.Final.jar:1.0.0.Final]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) [jboss-servlet-api_3.1_spec-1.0.0.Final.jar:1.0.0.Final]
at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:366) [jastow-1.0.0.Final.jar:1.0.0.Final]
... 30 more
REPRODUCIBILITY :
This bug can be reproduced always.
JDK 1.7.0_51
JDK 1.8.0_5 ( visual confirmation of PD content )
java -version
java version "1.7.0_51"
Java(TM) SE Runtime Environment (build 1.7.0_51-b13)
Java HotSpot(TM) 64-Bit Server VM (build 24.51-b03, mixed mode)
ADDITIONAL OS VERSION INFORMATION :
Linux port2 3.8.0-34-generic #49-Ubuntu SMP Tue Nov 12 18:00:10 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
A DESCRIPTION OF THE PROBLEM :
If debug is configured when security is enabled upon access failure there will be NPE, instead of PD, CodeBase and permissions dump.
This is a bit tricky. Permission JDOC state that " Subclasses should always return actions in what they consider to be their canonical form. " THere is no 'null' in "Returns". However some Permission impl loose this constraint, for instance WebUserDataPermission, where getActions has "a String containing the canonicalized actions of this WebUserDataPermission (or the null value)."
If WebUserDataPermission is in call stack, ProtectionDomain will throw NPE ~L#420 where this piece of code is run: 'pdpActions.equals(pp.getActions())'
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
This probably is reproducible in many ways, may scenario:
1. setup web container with insuficient permission
2. deploy JSP, which does something it does not have permissions for
3. access JSP
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
See ProtectionDomain dump.
ACTUAL -
access failure and NullPointerException, without ProtectionDomain dump.
ERROR MESSAGES/STACK TRACES THAT OCCUR :
Exception handling request to /read-props/index.jsp: org.apache.jasper.JasperException: java.lang.NullPointerException
at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:410) [jastow-1.0.0.Final.jar:1.0.0.Final]
at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:326) [jastow-1.0.0.Final.jar:1.0.0.Final]
at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:259) [jastow-1.0.0.Final.jar:1.0.0.Final]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) [jboss-servlet-api_3.1_spec-1.0.0.Final.jar:1.0.0.Final]
at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) [undertow-servlet-1.0.10.Final.jar:1.0.10.Final]
at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:61) [undertow-servlet-1.0.10.Final.jar:1.0.10.Final]
at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) [undertow-servlet-1.0.10.Final.jar:1.0.10.Final]
at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.10.Final.jar:1.0.10.Final]
at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:113) [undertow-servlet-1.0.10.Final.jar:1.0.10.Final]
at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:56) [undertow-servlet-1.0.10.Final.jar:1.0.10.Final]
at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:45) [undertow-core-1.0.10.Final.jar:1.0.10.Final]
at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:61) [undertow-servlet-1.0.10.Final.jar:1.0.10.Final]
at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58) [undertow-core-1.0.10.Final.jar:1.0.10.Final]
at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:70) [undertow-servlet-1.0.10.Final.jar:1.0.10.Final]
at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76) [undertow-core-1.0.10.Final.jar:1.0.10.Final]
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.10.Final.jar:1.0.10.Final]
at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.10.Final.jar:1.0.10.Final]
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.10.Final.jar:1.0.10.Final]
at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:240) [undertow-servlet-1.0.10.Final.jar:1.0.10.Final]
at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:227) [undertow-servlet-1.0.10.Final.jar:1.0.10.Final]
at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:73) [undertow-servlet-1.0.10.Final.jar:1.0.10.Final]
at io.undertow.servlet.handlers.ServletInitialHandler$1$1.run(ServletInitialHandler.java:152) [undertow-servlet-1.0.10.Final.jar:1.0.10.Final]
at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.7.0_51]
at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:149) [undertow-servlet-1.0.10.Final.jar:1.0.10.Final]
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:168) [undertow-core-1.0.10.Final.jar:1.0.10.Final]
at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:727) [undertow-core-1.0.10.Final.jar:1.0.10.Final]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [rt.jar:1.7.0_51]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [rt.jar:1.7.0_51]
at java.lang.Thread.run(Thread.java:744) [rt.jar:1.7.0_51]
Caused by: java.lang.NullPointerException
at java.security.ProtectionDomain.mergePermissions(ProtectionDomain.java:420) [rt.jar:1.7.0_51]
at java.security.ProtectionDomain.toString(ProtectionDomain.java:308) [rt.jar:1.7.0_51]
at java.lang.String.valueOf(String.java:2854) [rt.jar:1.7.0_51]
at java.lang.StringBuilder.append(StringBuilder.java:128) [rt.jar:1.7.0_51]
at java.security.AccessControlContext$1.run(AccessControlContext.java:367) [rt.jar:1.7.0_51]
at java.security.AccessControlContext$1.run(AccessControlContext.java:365) [rt.jar:1.7.0_51]
at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.7.0_51]
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:365) [rt.jar:1.7.0_51]
at java.security.AccessController.checkPermission(AccessController.java:559) [rt.jar:1.7.0_51]
at java.lang.SecurityManager.checkPermission(SecurityManager.java:549) [rt.jar:1.7.0_51]
at java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1298) [rt.jar:1.7.0_51]
at java.lang.System.getProperty(System.java:708) [rt.jar:1.7.0_51]
at org.apache.jsp.index_jsp._jspService(index_jsp.java:59)
at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:69) [jastow-1.0.0.Final.jar:1.0.0.Final]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) [jboss-servlet-api_3.1_spec-1.0.0.Final.jar:1.0.0.Final]
at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:366) [jastow-1.0.0.Final.jar:1.0.0.Final]
... 30 more
REPRODUCIBILITY :
This bug can be reproduced always.