[OPENAM-8910] NPE if a null siteID is passed to Session.validateSessionID Created: 17/May/16  Updated: 25/May/17  Resolved: 10/Aug/16

Status: Resolved
Project: OpenAM
Component/s: session
Affects Version/s: 12.0.0, 12.0.1, 12.0.2
Fix Version/s: 12.0.4, 13.5.1, 14.0.0

Type: Bug Priority: Major
Reporter: Jonathan Thomas Assignee: Jonathan Thomas
Resolution: Fixed Votes: 0
Labels: EDISON
Remaining Estimate: 1h
Time Spent: 1h
Original Estimate: 2h

Attachments: XML File brokenspace.xml    
Issue Links:
Relates
is related to OPENAM-9648 Invalid Session that causes CDATA[nul... Resolved
is related to AMAGENTS-68 invalid cookie causes 403 instead of ... Closed
Target Version/s:
Sprint: AM Sustaining Sprint 23, AM Sustaining Sprint 24, AM Sustaining Sprint 25, AM Sustaining Sprint 26
Support Ticket IDs:
QA Assignee: Filip Kubáň [X] (Inactive)
Verified Version/s:

 Description   

To Reproduce in 12.0.2:
Call the session service with the attached session XML.

e.g.
curl -d @brokenspace.xml http://openam-.example.com:8080/openam/sessionservice

This will result in the following ResponseSet

<ResponseSet vers="1.0" svcid="session" reqid="0">
<Response><![CDATA[null]]></Response>
</ResponseSet>

And in the Session Debug

java.lang.NullPointerException
	at java.util.Hashtable.get(Hashtable.java:363)
	at com.iplanet.services.naming.WebtopNaming.getSiteID(WebtopNaming.java:936)
	at com.iplanet.dpro.session.Session.validateSessionID(Session.java:2034)
	at com.iplanet.dpro.session.Session.getSessionServiceURL(Session.java:1356)
	at com.iplanet.dpro.session.service.SessionRequestHandler.processSessionRequest(SessionRequestHandler.java:240)
	at com.iplanet.dpro.session.service.SessionRequestHandler.access$000(SessionRequestHandler.java:61)
	at com.iplanet.dpro.session.service.SessionRequestHandler$1.run(SessionRequestHandler.java:136)
	at com.sun.identity.session.util.RestrictedTokenContext.doUsing(RestrictedTokenContext.java:82)
	at com.iplanet.dpro.session.service.SessionRequestHandler.processRequest(SessionRequestHandler.java:133)
	at com.iplanet.dpro.session.service.SessionRequestHandler.process(SessionRequestHandler.java:81)
	at com.iplanet.services.comm.server.PLLRequestServlet.handleRequest(PLLRequestServlet.java:182)
	at com.iplanet.services.comm.server.PLLRequestServlet.doPost(PLLRequestServlet.java:135)


 Comments   
Comment by Alex Levin [ 18/May/16 ]

Also seen in AMAGENTS-68 testing

Comment by Filip Kubáň [X] (Inactive) [ 06/Sep/16 ]

Verified fix on OpenAM 12.0.4-RC2 Build 32b50dc344 (2016-September-02 16:19)
NPE no longer occurs

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ResponseSet vers="1.0" svcid="session" reqid="0">
<Response><![CDATA[<SessionResponse vers="1.0" reqid="1">
<GetSession>
<Exception>AQIC5wM2LY4SfcxV4amvYmnsjgbcmwA2YMBBSfWxUtpzc58.*AAJTSQACMDEAAlNL Invalid session ID, Site ID is null or empty</Exception>
</GetSession>
</SessionResponse>]]></Response>

Comment by Philip Anderson [ 25/May/17 ]

Verified on 13.5.1-RC3 NPE:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ResponseSet vers="1.0" svcid="session" reqid="0">
<Response><![CDATA[<SessionResponse vers="1.0" reqid="1">
<GetSession>
<Exception>AQIC5wM2LY4SfcxV4amvYmnsjgbcmwA2YMBBSfWxUtpzc58.*AAJTSQACMDEAAlNL Invalid session ID, Site ID "null" either points to a non-existent server, or to a site</Exception>
</GetSession>
</SessionResponse>]]></Response>
</ResponseSet>
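
The failure mode in this issue, as an added example that is not OpenAM source and not from the reporter or commenters: java.util.Hashtable rejects null keys, so an unvalidated ID reaching get() throws, while a guard placed before the lookup turns it into an explicit invalid-session error. The class, method and table names, the sample table contents and the second error message are assumptions made for illustration.

```java
import java.util.Hashtable;

// Added illustration, not OpenAM source: class, method and table names are hypothetical.
public class SiteIdLookupDemo {
    // Constructed sample data standing in for an ID lookup table backed by Hashtable.
    static final Hashtable<String, String> SITES = new Hashtable<>();
    static {
        SITES.put("01", "site-a");
        SITES.put("02", "site-a");
    }

    static class InvalidSessionIdException extends Exception {
        InvalidSessionIdException(String message) { super(message); }
    }

    // Unguarded: java.util.Hashtable does not accept null keys, so get(null) throws
    // NullPointerException, matching the top frame of the stack trace in this issue.
    static String lookupUnguarded(String id) {
        return SITES.get(id);
    }

    // Guarded: reject null or empty input before the table is touched, and treat an
    // unknown ID as an invalid session rather than returning null to the caller.
    static String lookupGuarded(String id) throws InvalidSessionIdException {
        if (id == null || id.isEmpty()) {
            throw new InvalidSessionIdException("Invalid session ID, Site ID is null or empty");
        }
        String site = SITES.get(id);
        if (site == null) {
            throw new InvalidSessionIdException("Invalid session ID, unknown ID (constructed message)");
        }
        return site;
    }

    public static void main(String[] args) {
        try {
            lookupUnguarded(null);
        } catch (NullPointerException e) {
            System.out.println("unguarded(null) -> NullPointerException");
        }
        for (String id : new String[] {null, "", "99", "01"}) {
            try {
                System.out.println("guarded -> " + lookupGuarded(id));
            } catch (InvalidSessionIdException e) {
                System.out.println("guarded -> " + e.getMessage());
            }
        }
    }
}
```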

Generated at Fri Oct 23 11:33:11 UTC 2020 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.