New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[ELY-2144] null 'error page' can cause NPE from web component #1734
base: 1.x
Are you sure you want to change the base?
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,83 @@ | ||
/* | ||
* JBoss, Home of Professional Open Source. | ||
* Copyright 2022 Red Hat, Inc., and individual contributors | ||
* as indicated by the @author tags. | ||
* | ||
* Licensed under the Apache License, Version 2.0 (the "License"); | ||
* you may not use this file except in compliance with the License. | ||
* You may obtain a copy of the License at | ||
* | ||
* http://www.apache.org/licenses/LICENSE-2.0 | ||
* | ||
* Unless required by applicable law or agreed to in writing, software | ||
* distributed under the License is distributed on an "AS IS" BASIS, | ||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
* See the License for the specific language governing permissions and | ||
* limitations under the License. | ||
*/ | ||
|
||
package org.wildfly.security.http.form; | ||
|
||
import mockit.integration.junit4.JMockit; | ||
import org.junit.Assert; | ||
import org.junit.Test; | ||
import org.junit.runner.RunWith; | ||
import org.wildfly.security.http.HttpConstants; | ||
import org.wildfly.security.http.HttpServerAuthenticationMechanism; | ||
import org.wildfly.security.http.impl.AbstractBaseHttpTest; | ||
|
||
import java.net.URI; | ||
import java.util.HashMap; | ||
import java.util.Map; | ||
|
||
/** | ||
* Test of server side of the Form HTTP mechanism. | ||
* | ||
* @author <a href="mailto:pberan@redhat.com">Petr Beran</a> | ||
*/ | ||
@RunWith(JMockit.class) | ||
public class FormAuthenticationMechanismTest extends AbstractBaseHttpTest { | ||
|
||
/** | ||
* Tests proper redirect in case of invalid credentials if the error page is missing | ||
*/ | ||
@Test | ||
public void testFormWithoutErrorPage() throws Exception { | ||
Map<String, String> properties = new HashMap<>(); | ||
properties.put(HttpConstants.CONFIG_REALM, "Realm"); | ||
properties.put(HttpConstants.CONFIG_CONTEXT_PATH, "/application"); | ||
properties.put(HttpConstants.CONFIG_LOGIN_PAGE, "/login.jsp"); | ||
HttpServerAuthenticationMechanism mechanism = formFactory.createAuthenticationMechanism(HttpConstants.FORM_NAME, | ||
properties, getCallbackHandler("username", "Realm", "password")); | ||
|
||
TestingHttpServerRequest request = new TestingHttpServerRequest(HttpConstants.POST, new String[]{"", "password"}, | ||
new URI("http://localhost:8080/application/j_security_check")); | ||
mechanism.evaluateRequest(request); | ||
TestingHttpServerResponse response = request.getResponse(); | ||
|
||
Assert.assertEquals(response.getStatusCode(), HttpConstants.FOUND); | ||
Assert.assertEquals("http://localhost:8080/application", response.getLocation()); | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Hello @petrberan , sorry for the delay in my review. IIUC, if the authentication fails and there is no error page to redirect to, we will redirect to the context path after this change right? Not sure if this is correct approach or we should redirect to the login page instead, which could be handled here @fjuma WDYT? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. @Skyllarr @petrberan What was the behaviour before with WildFly and legacy security? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Hi @petrberan , do you happen to know what was the legacy security behaviour? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Completely missed this thread, sorry about that @fjuma . As for the behaviour, I can't say I know. I'll try looking into it tomorrow. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Finally caught up with this issue after the work on 7.4.14 and got some findings @fjuma @Skyllarr I reproduced the issue on Wildfly 9 (aka before Elytron) using the modified servlet-security quickstart, where I changed the authentication to FORM and copied error and login pages from ELY-921. There it worked just fine, once I removed the error page I got an NPE as well. Meaning that the behavior between WFLY 9 and now hasn't changed. I also find out why. The I wasn't able to find out how is the behavior supposed to be in specs or anywhere else. As such, I believe we can define our own behavior in such a case. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. |
||
} | ||
|
||
/** | ||
* Tests proper redirect in case of invalid credentials if the error page is configured | ||
*/ | ||
@Test | ||
public void testFormWithErrorPage() throws Exception { | ||
Map<String, String> properties = new HashMap<>(); | ||
properties.put(HttpConstants.CONFIG_REALM, "Realm"); | ||
properties.put(HttpConstants.CONFIG_CONTEXT_PATH, "/application"); | ||
properties.put(HttpConstants.CONFIG_LOGIN_PAGE, "/login.jsp"); | ||
properties.put(HttpConstants.CONFIG_ERROR_PAGE, "/error.jsp"); | ||
HttpServerAuthenticationMechanism mechanism = formFactory.createAuthenticationMechanism(HttpConstants.FORM_NAME, | ||
properties, getCallbackHandler("username", "Realm", "password")); | ||
|
||
TestingHttpServerRequest request = new TestingHttpServerRequest(HttpConstants.POST, new String[]{"", "password"}, | ||
new URI("http://localhost:8080/application/j_security_check")); | ||
mechanism.evaluateRequest(request); | ||
TestingHttpServerResponse response = request.getResponse(); | ||
|
||
Assert.assertEquals(response.getStatusCode(), HttpConstants.FOUND); | ||
Assert.assertEquals("http://localhost:8080/application/error.jsp", response.getLocation()); | ||
} | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Where does this change come from? It seems unrelated to the Jira being addressed - is GitHub showing something it shouldn't or has this come in from a rebase?