JDK-8263899

HttpClient throws NPE in AuthenticationFilter when parsing www-authenticate head


    • b15
    • generic
    • generic

      A DESCRIPTION OF THE PROBLEM :
      When java.net.HttpClient receives a 401 response which contains an empty www-authenticate header, it breaks in an unrecoverable way (an NPE is thrown). Instead, it should ignore such an invalid header (treat it the same way as any unsupported authentication scheme) and let the client code handle it.

      In theory, the 401 response should contain the www-authenticate header, and this header value should contain the suggested authentication method. However, we happened to be talking to a service which was buggy and suddenly returned the www-authenticate response header with an empty value. This is not a valid header value, but we should be able to recover from it and parse the response data in the client code. Currently the HttpClient just throws an exception and we are not able to recover.
      Also, we have not found any workaround, because it is internal code.

      The exception is thrown by line 276 in jdk.internal.net.http.AuthenticationFilter:
      if (!scheme.equalsIgnoreCase("Basic")) {

      In this case, "scheme" is null, which causes the NPE.

      The Java code is only able to handle the "Basic" authentication type; all other values are ignored anyway, so an empty value should also be ignored.

      The fix is trivial: either flip the comparison order, to this:
      if (!"Basic".equalsIgnoreCase(scheme)) { return null; }

      Or add a null check:
      if (scheme == null || !scheme.equalsIgnoreCase("Basic")) { return null; }


      STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
      Send an HTTP request to an endpoint, using this code:
      HttpClient.newHttpClient().send(request)
      The endpoint should return a response with status 401 and an empty "www-authenticate" header (a header with an empty value). This will cause an NPE inside AuthenticationFilter.

      EXPECTED VERSUS ACTUAL BEHAVIOR :
      EXPECTED -
      The invalid response header should be ignored (i.e., treated the same way as any other unsupported authentication scheme).
      ACTUAL -
      The header causes an NPE, later wrapped inside an IOException. The client is not able to recover or access the response data.

      CUSTOMER SUBMITTED WORKAROUND :
      Did not find any workaround for this issue.
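A self-contained reproduction of the steps above, added here as an example (it is not code from the bug report or from the JDK): a local com.sun.net.httpserver endpoint stands in for the buggy service and answers 401 with an empty WWW-Authenticate value, then java.net.http.HttpClient sends a GET to it. The class name, the "unauthorized" body text and the loopback port choice are constructed for this example.

```java
import com.sun.net.httpserver.HttpServer;
import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;

public class EmptyWwwAuthenticateRepro {
    public static void main(String[] args) throws Exception {
        // Constructed stand-in for the buggy service: loopback only, ephemeral port.
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        server.createContext("/", exchange -> {
            byte[] body = "unauthorized".getBytes(StandardCharsets.UTF_8);
            // The invalid part: a WWW-Authenticate header whose value is empty.
            exchange.getResponseHeaders().add("WWW-Authenticate", "");
            exchange.sendResponseHeaders(401, body.length);
            try (var os = exchange.getResponseBody()) {
                os.write(body);
            }
        });
        server.start();
        try {
            URI uri = URI.create("http://127.0.0.1:" + server.getAddress().getPort() + "/");
            HttpRequest request = HttpRequest.newBuilder(uri).GET().build();
            HttpClient client = HttpClient.newHttpClient();
            try {
                HttpResponse<String> resp =
                        client.send(request, HttpResponse.BodyHandlers.ofString());
                // With the fix: the empty scheme is ignored like any unsupported
                // scheme and the 401 (plus body) reaches client code.
                System.out.println("status=" + resp.statusCode() + " body=" + resp.body());
            } catch (IOException e) {
                // Affected builds: the NPE from AuthenticationFilter surfaces here,
                // wrapped in an IOException, and the response is lost.
                System.out.println("request failed: " + e + " cause=" + e.getCause());
            }
        } finally {
            server.stop(0);
        }
    }
}
```

Run it with `java EmptyWwwAuthenticateRepro.java` (single-file source launch, JDK 11+): an affected build takes the catch branch and prints the IOException with a NullPointerException cause, while a build containing the fix prints the 401 status and body.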

            michaelm Michael McMahon
            webbuggrp Webbug Group