  1. Magnolia
  2. MAGNOLIA-4973

Authorization fails if user has a role which does not exist in repo


    • Type: Bug
    • Resolution: Fixed
    • Priority: Critical
    • 4.5.9

      For example, info.magnolia.cms.security.RescueSecuritySupport.RescueUser adds the workflow-base role to superuser by default, but if this role doesn't exist in Magnolia (workflow is not installed), then login fails with an NPE.
      The same can happen if a user obtains a role from, for example, LDAP/AD, and this role does not exist in the user-role repo.

      javax.security.auth.login.LoginException: java.lang.NullPointerException
      	at info.magnolia.jaas.sp.jcr.JCRAuthorizationModule.setACLForRoles(JCRAuthorizationModule.java:191)
      	at info.magnolia.jaas.sp.jcr.JCRAuthorizationModule.setACL(JCRAuthorizationModule.java:103)
      	at info.magnolia.jaas.sp.AbstractLoginModule.commit(AbstractLoginModule.java:230)
      	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
      	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
      	at java.lang.reflect.Method.invoke(Method.java:597)
      	at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
      	at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
      	at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
      	at java.security.AccessController.doPrivileged(Native Method)
      	at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
      	at javax.security.auth.login.LoginContext.login(LoginContext.java:580)
      	at info.magnolia.cms.security.RescueSecuritySupport.authenticate(RescueSecuritySupport.java:99)
      	at info.magnolia.cms.security.auth.login.LoginHandlerBase.authenticate(LoginHandlerBase.java:47)
      	at info.magnolia.cms.security.auth.login.FormLogin.handle(FormLogin.java:76)
      	at info.magnolia.cms.security.auth.login.LoginFilter.doFilter(LoginFilter.java:66)
      	at info.magnolia.cms.filters.AbstractMgnlFilter.doFilter(AbstractMgnlFilter.java:91)
      	at info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:83)
      	at info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:85)
      	at info.magnolia.cms.filters.CosMultipartRequestFilter.doFilter(CosMultipartRequestFilter.java:91)
      	at info.magnolia.cms.filters.OncePerRequestAbstractMgnlFilter.doFilter(OncePerRequestAbstractMgnlFilter.java:61)
      	at info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:83)
      	at info.magnolia.module.devicedetection.filter.DeviceDetectionFilter.doFilter(DeviceDetectionFilter.java:73)
      	at info.magnolia.cms.filters.OncePerRequestAbstractMgnlFilter.doFilter(OncePerRequestAbstractMgnlFilter.java:61)
      	at info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:83)
      	at info.magnolia.cms.filters.ContentTypeFilter.doFilter(ContentTypeFilter.java:102)
      	at info.magnolia.cms.filters.AbstractMgnlFilter.doFilter(AbstractMgnlFilter.java:91)
      	at info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:83)
      	at info.magnolia.cms.filters.ContextFilter.doFilter(ContextFilter.java:131)
      	at info.magnolia.cms.filters.AbstractMgnlFilter.doFilter(AbstractMgnlFilter.java:91)
      	at info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:83)
      	at info.magnolia.cms.filters.CompositeFilter.doFilter(CompositeFilter.java:67)
      	at info.magnolia.cms.filters.AbstractMgnlFilter.doFilter(AbstractMgnlFilter.java:91)
      	at info.magnolia.cms.filters.SafeDestroyMgnlFilterWrapper.doFilter(SafeDestroyMgnlFilterWrapper.java:108)
      	at info.magnolia.cms.filters.MgnlFilterDispatcher.doDispatch(MgnlFilterDispatcher.java:67)
      	at info.magnolia.cms.filters.MgnlMainFilter.doFilter(MgnlMainFilter.java:108)
      	at info.magnolia.cms.filters.MgnlMainFilter.doFilter(MgnlMainFilter.java:94)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
      	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
      	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
      	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
      	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
      	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
      	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
      	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:859)
      	at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
      	at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
      	at java.lang.Thread.run(Thread.java:662)
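
The failure mode reported above, reproduced stand-alone next to a null-safe variant in which an unresolvable role grants nothing and is logged instead of aborting the login. This is an added example, not Magnolia's code or the fix applied for this issue; the class, the method names, the in-memory role map and the permission strings are hypothetical.

```java
import java.util.*;
import java.util.logging.Logger;

// Added illustration; all names here are hypothetical, not Magnolia's API.
public class MissingRoleDemo {
    private static final Logger LOG = Logger.getLogger("authz");

    // Constructed stand-in for the user-role repository: role name -> permissions.
    // "workflow-base" is deliberately absent, as when workflow is not installed.
    static final Map<String, List<String>> ROLE_REPO = Map.of(
        "superuser", List.of("website:/*:rw", "config:/*:rw"));

    // Fragile pattern: assumes every assigned role resolves. A missing role
    // yields null and the dereference aborts the whole login.
    static List<String> aclFragile(Collection<String> assignedRoles) {
        List<String> acl = new ArrayList<>();
        for (String role : assignedRoles) {
            acl.addAll(ROLE_REPO.get(role)); // NullPointerException for an unknown role
        }
        return acl;
    }

    // Hardened pattern: an unknown role contributes no permissions and is
    // logged; the roles that do resolve are still applied.
    static List<String> aclHardened(Collection<String> assignedRoles) {
        List<String> acl = new ArrayList<>();
        for (String role : assignedRoles) {
            List<String> perms = ROLE_REPO.get(role);
            if (perms == null) {
                LOG.warning("Role '" + role + "' not found in role repository; skipping");
                continue;
            }
            acl.addAll(perms);
        }
        return acl;
    }

    public static void main(String[] args) {
        // Same shape as the report: a known role plus one that does not exist.
        List<String> roles = List.of("superuser", "workflow-base");
        try {
            aclFragile(roles);
        } catch (NullPointerException e) {
            System.out.println("fragile: login aborted by " + e.getClass().getSimpleName());
        }
        System.out.println("hardened: " + aclHardened(roles));
    }
}
```

The warning is what lets an operator spot role names arriving from an external directory that have no counterpart in the local role repository.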
      

              mdivilek Milan Divilek