[Geoserver-devel] [JIRA] (GEOS-9257) BruteForceListener should skip doing its work if username in authentication is null

Pascal Riquier created an issue

GeoServer / Bug GEOS-9257

BruteForceListener should skip doing its work if username in authentication is null

Issue Type: Bug

Assignee: Unassigned

Created: 18/Jun/19 1:21 PM

Priority: Medium

Reporter: Pascal Riquier

// Yes, enabled, check for concurrent login attempt
Authentication authentication = event.getAuthentication();
String name = getUserName(authentication);
if (name == null) {
    LOGGER.warning(
            "Brute force attack prevention enabled, but Spring Authentication "
                    + "does not provide a user name, skipping: "
                    + authentication);
}

// do we have a delayed login in flight already? If so, kill this login attempt
// no matter if successful or not
final AtomicInteger counter = delayedUsers.get(name);

If the username is null, the log message says to skip doing anything for this authentication, but the BruteForceListener goes on anyway, resulting in a NullPointerException thrown from the attempt to look up the username in the ‘delayedUsers’ ConcurrentHashMap.
Better to put an ‘else’ statement after the ‘if (name == null)’ block, I assume.

This message was sent by Atlassian Jira (v1001.0.0-SNAPSHOT#100104-sha1:ce3e8e1)
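
The failure described in the issue, reproduced in isolation next to a guarded variant. This is an added example, not GeoServer's code or the eventual fix: the class `NullUserGuardDemo`, its two methods and the sample user are hypothetical, and only the `delayedUsers` map shape and the null check come from the snippet above.

```java
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.logging.Logger;

// Hypothetical stand-in for the listener logic; not GeoServer's class.
public class NullUserGuardDemo {
    private static final Logger LOGGER = Logger.getLogger("demo");

    // Same shape as the snippet's delayedUsers: user name -> delayed logins in flight
    private final ConcurrentHashMap<String, AtomicInteger> delayedUsers =
            new ConcurrentHashMap<>();

    // Mirrors the reported flow: logs "skipping", then falls through to the lookup.
    boolean unguarded(String name) {
        if (name == null) {
            LOGGER.warning("no user name, skipping");
        }
        // ConcurrentHashMap rejects null keys, so get(null) throws NullPointerException
        final AtomicInteger counter = delayedUsers.get(name);
        return counter != null && counter.get() > 0;
    }

    // Guarded variant: the null branch really does skip the rest of the work.
    boolean guarded(String name) {
        if (name == null) {
            LOGGER.warning("no user name, skipping");
            return false;
        }
        final AtomicInteger counter = delayedUsers.get(name);
        return counter != null && counter.get() > 0;
    }

    public static void main(String[] args) {
        NullUserGuardDemo demo = new NullUserGuardDemo();
        demo.delayedUsers.put("alice", new AtomicInteger(1)); // constructed sample entry

        System.out.println("guarded(null)  = " + demo.guarded(null));
        System.out.println("guarded(alice) = " + demo.guarded("alice"));
        try {
            demo.unguarded(null);
        } catch (NullPointerException e) {
            System.out.println("unguarded(null) threw NullPointerException");
        }
    }
}
```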

Atlassian logo