[MAGNOLIA-2261] Magnolia access failure whit miss-configured bypass in filterchain Created: 14/Jul/08  Updated: 02/Dec/13  Resolved: 02/Dec/13

Status: Closed
Project: Magnolia
Component/s: None
Affects Version/s: 3.5.8
Fix Version/s: None

Type: Bug Priority: Major
Reporter: Olivier Marti Assignee: Unassigned
Resolution: Duplicate Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
duplicate
duplicates MAGNOLIA-2046 Wrong filter configuration completely... Closed
Template:
Acceptance criteria:
Empty
Task DoD:
[ ]* Doc/release notes changes? Comment present?
[ ]* Downstream builds green?
[ ]* Solution information and context easily available?
[ ]* Tests
[ ]* FixVersion filled and not yet released
[ ]  Architecture Decision Record (ADR)
Bug DoR:
[ ]* Steps to reproduce, expected, and actual results filled
[ ]* Affected version filled
Date of First Response:

 Description   

Reported from Futurelab:

We just wanted to add a bypass rule to the uriSecurity config node. We added the class name parameter and wanted to add the pattern parameter next, but since the rule was already active, we could not get that far. There is a missing null check in some Magnolia code, resulting in an NPE that causes the entire request to fail, instead of just the offending rule.

Of course that means we have no way to complete or revert our broken config in the JCR so we are effectively locked out and the system is down because every request now fails.

ERROR org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/magnoliaAuthor].[default] 14.07.2008 15:58:57 – Servle
t.service() for servlet default threw exception
java.lang.NullPointerException
at info.magnolia.cms.filters.MgnlMainFilter.doFilter(MgnlMainFilter.java:97)
at info.magnolia.cms.filters.MgnlMainFilter.doFilter(MgnlMainFilter.java:199)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:210)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:174)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:151)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:870)

This seems to be the offending code:

public void init() {
if(autoTrueValue){
if(!isInverse())

{ setTrueValue(pattern.length()); }

else

{ setTrueValue(-pattern.length()); }

}
}



 Comments   
Comment by Magnolia International [ 14/Jul/08 ]

I assume that by "uriSecurity config node", you're talking about the uriSecurity filter:
http://confluence.magnolia.info/display/WIKI/Repair+broken+bypass+configuration

Generated at Mon Feb 12 03:34:59 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.