OPENAM-10389: Passing an invalid SAMLResponse parameter to the fedletapplication Fedlet endpoint generates a NullPointerException

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 10.0.0, 11.0.0, 12.0.0, 13.0.0, 13.5.0
    • Fix Version/s: 13.5.1, 14.0.0
    • Component/s: SAML
    • Environment: Fedlet generated from OpenAM
    • Sprint: AM Sustaining Sprint 33
    • Story Points: 2

      Description

      When a SAMLResponse parameter that is not Base64 encoded is POSTed to the fedletapplication endpoint of the Fedlet, the request fails with a NullPointerException.

      The cause is that com.sun.identity.saml2.profile.SPACSUtils#getResponseFromPost returns null for the invalid value, and an upstream debug log statement uses that value without first checking it for null.

      Example request/response:

      curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -d 'SAMLResponse=Testing123' http://fedlet.example.org:7070/fedlet/fedletapplication
      
      <html><head><title>Apache Tomcat/7.0.57 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}--></style> </head><body><h1>HTTP Status 500 - java.lang.NullPointerException</h1><HR size="1" noshade="noshade"><p><b>type</b> Exception report</p><p><b>message</b> <u>java.lang.NullPointerException</u></p><p><b>description</b> <u>The server encountered an internal error that prevented it from fulfilling this request.</u></p><p><b>exception</b> <pre>org.apache.jasper.JasperException: java.lang.NullPointerException
      	org.apache.jasper.servlet.JspServletWrapper.handleJspException(JspServletWrapper.java:549)
      	org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:470)
      	org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:395)
      	org.apache.jasper.servlet.JspServlet.service(JspServlet.java:339)
      	javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
      	org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
      </pre></p><p><b>root cause</b> <pre>java.lang.NullPointerException
      	com.sun.identity.saml2.profile.SPACSUtils.getResponse(SPACSUtils.java:221)
      	com.sun.identity.saml2.profile.SPACSUtils.processResponseForFedlet(SPACSUtils.java:1980)
      	org.apache.jsp.fedletSampleApp_jsp._jspService(fedletSampleApp_jsp.java:257)
      	org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
      	javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
      	org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:432)
      	org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:395)
      	org.apache.jasper.servlet.JspServlet.service(JspServlet.java:339)
      	javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
      	org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
      </pre></p><p><b>note</b> <u>The full stack trace of the root cause is available in the Apache Tomcat/7.0.57 logs.</u></p><HR size="1" noshade="noshade"><h3>Apache Tomcat/7.0.57</h3></body></html>
      

      Instead of returning null, an invalid SAMLResponse should cause a SAML2Exception to be thrown, in line with the other failure scenarios in this code path.

      The NPE also prevents OpenIG from handling this error scenario: OpenIG uses the same Fedlet APIs and can deal with the failure cleanly when a SAML2Exception is thrown, but not when the call dies with an unchecked exception.
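To make the intended behaviour concrete, here is an added example that is not Fedlet or OpenAM code: a hypothetical parseSamlResponse helper that rejects a SAMLResponse which cannot be decoded and parsed with a checked exception rather than returning null, using SamlResponseException as a stand-in for SAML2Exception. The minimal samlp:Response document in main is constructed for the demo, and the DTD-disallow parser feature is a hardening the example adds for untrusted XML.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

// Stand-in for com.sun.identity.saml2.common.SAML2Exception (assumption; not the Fedlet's class).
class SamlResponseException extends Exception { SamlResponseException(String m, Throwable c) { super(m, c); } }

public class FedletResponseCheck {
    static final String SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol";
    // Direction the ticket asks for: a SAMLResponse that cannot be decoded is a checked
    // exception, never a null that a debug statement or a later caller dereferences.
    static Document parseSamlResponse(String param) throws SamlResponseException {
        if (param == null || param.trim().isEmpty()) {
            throw new SamlResponseException("SAMLResponse parameter is missing or empty", null);
        }
        byte[] xml;
        try {
            xml = Base64.getMimeDecoder().decode(param); // MIME decoder tolerates line breaks from the POST binding
        } catch (IllegalArgumentException e) {
            throw new SamlResponseException("SAMLResponse is not valid Base64", e);
        }
        try {
            DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
            f.setNamespaceAware(true);
            f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // untrusted XML: no DTDs
            Document doc = f.newDocumentBuilder().parse(new ByteArrayInputStream(xml));
            if (!SAMLP_NS.equals(doc.getDocumentElement().getNamespaceURI())
                    || !"Response".equals(doc.getDocumentElement().getLocalName())) {
                throw new SamlResponseException("Decoded XML is not a samlp:Response", null);
            }
            return doc;
        } catch (ParserConfigurationException | SAXException | IOException e) {
            throw new SamlResponseException("SAMLResponse does not decode to well-formed XML", e);
        }
    }

    public static void main(String[] args) {
        String minimal = "<samlp:Response xmlns:samlp=\"" + SAMLP_NS + "\" ID=\"_c1\" Version=\"2.0\"/>"; // constructed
        String[] samples = { "Testing123", Base64.getEncoder().encodeToString(minimal.getBytes(StandardCharsets.UTF_8)) };
        for (String s : samples) {
            try { System.out.println("accepted: " + parseSamlResponse(s).getDocumentElement().getTagName()); }
            catch (SamlResponseException e) { System.out.println("rejected: " + e.getMessage()); } // handled, no 500
        }
    }
}
```

With the ticket's value "Testing123" the helper reports a rejection the JSP or OpenIG can handle, while the constructed samlp:Response is accepted.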

      People

      • Assignee: Mark de Reeper (markdr)
      • Reporter: Mark de Reeper (markdr)