I’m getting this exception from WMS getMap requests when I’m trying to access a public layer with an anonymous user:
java.lang.NullPointerException
org.geoserver.security.oauth2.GeoServerOAuthAuthenticationFilter.doFilter(GeoServerOAuthAuthenticationFilter.java:134)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
org.geoserver.security.filter.GeoServerCompositeFilter$NestedFilterChain.doFilter(GeoServerCompositeFilter.java:71)
org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)
org.geoserver.security.filter.GeoServerSecurityContextPersistenceFilter$1.doFilter(GeoServerSecurityContextPersistenceFilter.java:52)
org.geoserver.security.filter.GeoServerCompositeFilter$NestedFilterChain.doFilter(GeoServerCompositeFilter.java:75)
org.geoserver.security.filter.GeoServerCompositeFilter.doFilter(GeoServerCompositeFilter.java:92)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:215)
org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178)
org.geoserver.security.GeoServerSecurityFilterChainProxy.doFilter(GeoServerSecurityFilterChainProxy.java:142)
org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:358)
org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:271)
org.geoserver.filters.LoggingFilter.doFilter(LoggingFilter.java:102)
org.geoserver.filters.XFrameOptionsFilter.doFilter(XFrameOptionsFilter.java:77)
org.geoserver.filters.GZIPFilter.doFilter(GZIPFilter.java:48)
org.geoserver.filters.SessionDebugFilter.doFilter(SessionDebugFilter.java:49)
org.geoserver.filters.FlushSafeFilter.doFilter(FlushSafeFilter.java:42)
org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201)
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
This happens randomly, but quite frequently (about 1 out of 20 requests to the server). It never happens after login, so it is limited to anonymous users.
The exception starts from this line of code:
https://github.com/geoserver/geoserver/blob/main/src/community/security/oauth2-core/src/main/java/org/geoserver/security/oauth2/GeoServerOAuthAuthenticationFilter.java#L134
import javax.servlet.http.HttpServletRequest;
...
HttpServletRequest httpRequest = (HttpServletRequest) request;
...
httpRequest.getSession(false).invalidate(); // <--- NullPointerException
...
Testing locally, I found that the exception is thrown by HttpSession.invalidate() being called on a null object. So HttpServletRequest.getSession(false) could be null. I’m not able to tell if the null session at this point is a problem, but considering that HttpServletRequest.getSession(false) could be null, I’ve added a null check on the session before running HttpSession.invalidate(), which seems to fix the problem.
Please let me know if you think it might be a good idea to add this control to GeoServer or if you are aware of the problem. I can open a Pull Request to add the fix.
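
The null guard described above, as an added example that is not part of the original post or GeoServer's own code. The class and helper names are hypothetical, the request and session objects are constructed stubs, and the javax.servlet API jar is assumed to be on the classpath; the example also goes one step beyond the post by handling a session that has already been invalidated.

```java
import java.lang.reflect.Proxy;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

public class SessionInvalidationGuard {

    /** Hypothetical helper: invalidates the session only if one exists; true if it did. */
    static boolean invalidateIfPresent(HttpServletRequest request) {
        // getSession(false) never creates a session: it returns null when the
        // request has none, which is the case that raised the NullPointerException.
        HttpSession session = request.getSession(false);
        if (session == null) {
            return false;
        }
        try {
            session.invalidate();
            return true;
        } catch (IllegalStateException alreadyInvalidated) {
            // invalidate() throws this when the session was already invalidated.
            return false;
        }
    }

    // Constructed stub request: getSession(...) returns the given session (or null).
    static HttpServletRequest requestWith(HttpSession session) {
        return (HttpServletRequest) Proxy.newProxyInstance(
                HttpServletRequest.class.getClassLoader(),
                new Class<?>[] {HttpServletRequest.class},
                (proxy, method, args) -> method.getName().equals("getSession") ? session : null);
    }

    // Constructed stub session: invalidate() fails if the session is already invalid.
    static HttpSession sessionStub(boolean alreadyInvalid) {
        return (HttpSession) Proxy.newProxyInstance(
                HttpSession.class.getClassLoader(),
                new Class<?>[] {HttpSession.class},
                (proxy, method, args) -> {
                    if (alreadyInvalid && method.getName().equals("invalidate")) {
                        throw new IllegalStateException("Session already invalidated");
                    }
                    return null;
                });
    }

    public static void main(String[] args) {
        System.out.println("no session:          " + invalidateIfPresent(requestWith(null)));
        System.out.println("live session:        " + invalidateIfPresent(requestWith(sessionStub(false))));
        System.out.println("already invalidated: " + invalidateIfPresent(requestWith(sessionStub(true))));
    }
}
```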