  1. Magnolia
  2. MAGNOLIA-2261

Magnolia access failure with misconfigured bypass in filterchain

Details

    • Bug
    • Resolution: Duplicate
    • Major
    • None
    • 3.5.8
    • None
    • None

    Description

      Reported from Futurelab:

      We just wanted to add a bypass rule to the uriSecurity config node. We added the class name parameter and wanted to add the pattern parameter next, but since the rule was already active, we could not get that far. There is a missing null check in some Magnolia code, resulting in an NPE that causes the entire request to fail, instead of just the offending rule.

      Of course that means we have no way to complete or revert our broken config in the JCR so we are effectively locked out and the system is down because every request now fails.

      ERROR org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/magnoliaAuthor].[default] 14.07.2008 15:58:57 – Servlet.service() for servlet default threw exception
      java.lang.NullPointerException
      at info.magnolia.cms.filters.MgnlMainFilter.doFilter(MgnlMainFilter.java:97)
      at info.magnolia.cms.filters.MgnlMainFilter.doFilter(MgnlMainFilter.java:199)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
      at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:210)
      at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:174)
      at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
      at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
      at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
      at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:151)
      at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:870)

      This seems to be the offending code:

      public void init() {
          if (autoTrueValue) {
              if (!isInverse()) {
                  setTrueValue(pattern.length());
              } else {
                  setTrueValue(-pattern.length());
              }
          }
      }
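
One way to close the gap the report describes, as an added example (not Magnolia's code or the project's fix): `init()` checks `pattern` before dereferencing it and disables an incomplete rule, so that rule abstains instead of failing every request. The class names, the prefix-match and vote-summing semantics, and the sample URIs are assumptions made for illustration.

```java
import java.util.List;

// Hypothetical classes; field names mirror the reported snippet, not Magnolia's real API.
public class BypassRuleDemo {

    static class PatternRule {
        final String name;
        final String pattern;   // null while an admin is still filling in the config node
        final boolean inverse;
        int trueValue;
        boolean usable;

        PatternRule(String name, String pattern, boolean inverse) {
            this.name = name;
            this.pattern = pattern;
            this.inverse = inverse;
        }

        // Hardened init(): validate before dereferencing, and report instead of throwing.
        void init() {
            if (pattern == null || pattern.isEmpty()) {
                usable = false;
                System.err.println("bypass rule '" + name + "' has no pattern; rule disabled");
                return;
            }
            trueValue = inverse ? -pattern.length() : pattern.length();
            usable = true;
        }

        // A disabled rule abstains (0), so an incomplete rule can never grant a bypass.
        int vote(String uri) {
            return usable && uri.startsWith(pattern) ? trueValue : 0;
        }
    }

    // Assumed semantics: the security filter is bypassed only if the votes sum above zero.
    static boolean bypass(List<PatternRule> rules, String uri) {
        int sum = 0;
        for (PatternRule r : rules) sum += r.vote(uri);
        return sum > 0;
    }

    public static void main(String[] args) {
        List<PatternRule> rules = List.of(              // constructed sample config
            new PatternRule("halfEdited", null, false), // class set, pattern not yet added
            new PatternRule("resources", "/.resources/", false));
        rules.forEach(PatternRule::init);
        System.out.println(bypass(rules, "/.resources/site.css"));
        System.out.println(bypass(rules, "/admin/index.html"));
    }
}
```

The half-edited rule is logged and skipped, the complete rule still applies, and a request that no usable rule matches stays behind the security filter.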

              People

                Unassigned Unassigned
                omarti Olivier Marti