[Geoserver-devel] [JIRA] (GEOS-10419) NullPointerException from GeoServerOAuthAuthenticationFilter

Pascallike created an issue

GeoServer / Bug GEOS-10419

NullPointerException from GeoServerOAuthAuthenticationFilter

Issue Type:

Bug

Affects Versions:

2.20-RC

Assignee:

Unassigned

Components:

OAuth2

Created:

15/Mar/22 9:51 AM

Environment:

kartoza/geoserver with sec-oauth2-openid plugin

Priority:

Low

Reporter:

Pascallike

I’m getting this exception from WMS getMap requests when I’m trying to access a public layer with an anonymous user:

java.lang.NullPointerException
org.geoserver.security.oauth2.GeoServerOAuthAuthenticationFilter.doFilter(GeoServerOAuthAuthenticationFilter.java:134)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
org.geoserver.security.filter.GeoServerCompositeFilter$NestedFilterChain.doFilter(GeoServerCompositeFilter.java:71)
org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)
org.geoserver.security.filter.GeoServerSecurityContextPersistenceFilter$1.doFilter(GeoServerSecurityContextPersistenceFilter.java:52)
org.geoserver.security.filter.GeoServerCompositeFilter$NestedFilterChain.doFilter(GeoServerCompositeFilter.java:75)
org.geoserver.security.filter.GeoServerCompositeFilter.doFilter(GeoServerCompositeFilter.java:92)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:215)
org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178)
org.geoserver.security.GeoServerSecurityFilterChainProxy.doFilter(GeoServerSecurityFilterChainProxy.java:142)
org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:358)
org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:271)
org.geoserver.filters.LoggingFilter.doFilter(LoggingFilter.java:102)
org.geoserver.filters.XFrameOptionsFilter.doFilter(XFrameOptionsFilter.java:77)
org.geoserver.filters.GZIPFilter.doFilter(GZIPFilter.java:48)
org.geoserver.filters.SessionDebugFilter.doFilter(SessionDebugFilter.java:49)
org.geoserver.filters.FlushSafeFilter.doFilter(FlushSafeFilter.java:42)
org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201)
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)

This happens randomly, but quite frequently (about 1 out of 20 requests to the server). It never happens after login, so limited to anonymous users.

The exception starts from this line of code:

https://github.com/geoserver/geoserver/blob/main/src/community/security/oauth2-core/src/main/java/org/geoserver/security/oauth2/GeoServerOAuthAuthenticationFilter.java#L134

import javax.servlet.http.HttpServletRequest;
...
HttpServletRequest httpRequest = (HttpServletRequest) request;
...
httpRequest.getSession(false).invalidate();  // <--- NullPointerException
...

Testing locally I found that the exception is thrown by the HttpSession.invalidate() on a null object. So the HttpServletRequest.getSession(false) could be null. I’m not able to tell if the null session at this point is a problem, but considering that HttpServletRequest.getSession(false) could be null, I’ve added a check for null object on the session before running the HttpSession.invalidate(), that seems to fix the problem.

Please let me know if you think it might be a good idea to add this control to GeoServer or if you are aware of the problem. I can open a Pull Request to add the fix.
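
The null-safe invalidation described in the report, as an added example that is not part of the original issue and not GeoServer's code. `invalidateIfPresent`, `requestWith` and the proxy-based stand-in request and session are hypothetical, and the javax.servlet API jar is assumed to be on the classpath.

```java
import java.lang.reflect.Proxy;
import java.util.concurrent.atomic.AtomicBoolean;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

public class SessionInvalidationDemo {
    /** Hypothetical helper: invalidate the session only if one exists. */
    static boolean invalidateIfPresent(HttpServletRequest request) {
        // getSession(false) never creates a session; it returns null when the
        // request is not associated with a valid one (e.g. an anonymous request).
        HttpSession session = request.getSession(false);
        if (session == null) {
            return false;
        }
        session.invalidate();
        return true;
    }

    /** Constructed stand-in request: only getSession is implemented. */
    static HttpServletRequest requestWith(HttpSession session) {
        return (HttpServletRequest) Proxy.newProxyInstance(
                HttpServletRequest.class.getClassLoader(),
                new Class<?>[] {HttpServletRequest.class},
                (proxy, method, args) -> {
                    if (method.getName().equals("getSession")) return session;
                    throw new UnsupportedOperationException(method.getName());
                });
    }

    public static void main(String[] args) {
        AtomicBoolean invalidated = new AtomicBoolean(false);
        // Constructed stand-in session that only records invalidate() calls.
        HttpSession live = (HttpSession) Proxy.newProxyInstance(
                HttpSession.class.getClassLoader(),
                new Class<?>[] {HttpSession.class},
                (proxy, method, a) -> {
                    if (method.getName().equals("invalidate")) invalidated.set(true);
                    return null;
                });
        HttpServletRequest anonymous = requestWith(null);
        try {
            anonymous.getSession(false).invalidate(); // pattern from the report
        } catch (NullPointerException e) {
            System.out.println("unguarded call: NullPointerException");
        }
        System.out.println("guarded, no session: " + invalidateIfPresent(anonymous));
        System.out.println("guarded, session: " + invalidateIfPresent(requestWith(live))
                + ", invalidated=" + invalidated.get());
    }
}
```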
