ben vinsonneau

Reputation: 23

Tomcat 7 java.lang.NullPointerException when wrong credential entered using Active Directory authentication

I am trying to use Active Directory to authenticate users on my web application. This is now working correctly if I use the right credentials, but if I fail to input the correct credentials, I get the following error [1] and no further attempts are allowed. I did not have this issue when I was only using the UserDatabaseRealm.

Edit: After upgrading to Tomcat 8.0.15 as suggested by @kotacc, I am still getting an error (see [5] below) when entering the wrong credentials. end of Edit

My server.xml is in [2] and my web.xml in [3]. My configuration details are in [4].

Any idea of what is wrong? Could anyone point me to the right documentation for this?

regards

Ben

[2] here is the relevant part from my server.xml:

<Realm className="org.apache.catalina.realm.LockOutRealm">
    <Realm className="org.apache.catalina.realm.CombinedRealm">
        <!-- This Realm uses the UserDatabase configured in the global JNDI
             resources under the key "UserDatabase".  Any edits
             that are performed against this UserDatabase are immediately
             available for use by the Realm. -->
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase"/>
        <Realm className="org.apache.catalina.realm.JNDIRealm"
               connectionURL="ldap://someServer.mycompany.com:389"
               connectionName="[email protected]"
               connectionPassword="aPassword"
               referrals="follow"
               userBase="ou=Users,OU=somServer,DC=mycompany,DC=CORP"
               userSearch="(sAMAccountName={0})"
               userSubtree="true"
        />
    </Realm>
</Realm>

[3] here is the relevant part from my web.xml:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Wildcard means whole app requires authentication</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>*</role-name>
    </auth-constraint>

    <user-data-constraint>
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Public</web-resource-name>
        <description>Matches a few special pages.</description>
        <url-pattern>/index.html</url-pattern>
    </web-resource-collection>
    <!-- No auth-constraint means everybody has access! -->
</security-constraint>

<login-config>
    <auth-method>BASIC</auth-method>
</login-config>

<security-role>
    <description>this is the standard user</description>
    <role-name>*</role-name>
</security-role>

[4] This is on Tomcat 7.0.57 running on Windows 7 64 bit

> java -version java version "1.7.0_71" Java(TM) SE Runtime Environment
> (build 1.7.0_71-b14) Java HotSpot(TM) 64-Bit Server VM (build
> 24.71-b01, mixed mode)

[1] here is the error:

java.lang.NullPointerException
org.apache.catalina.realm.JNDIRealm.getUser(JNDIRealm.java:1303)
org.apache.catalina.realm.JNDIRealm.getUser(JNDIRealm.java:1253)
org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:1194)
org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:1069)
org.apache.catalina.realm.CombinedRealm.authenticate(CombinedRealm.java:146)
org.apache.catalina.realm.CombinedRealm.authenticate(CombinedRealm.java:146)
org.apache.catalina.realm.LockOutRealm.authenticate(LockOutRealm.java:180)
org.apache.catalina.authenticator.BasicAuthenticator.authenticate(BasicAuthenticator.java:164)
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:575)
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:421)
org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1070)
org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)
org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.doRun(AprEndpoint.java:2466)
org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.run(AprEndpoint.java:2455)
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
java.lang.Thread.run(Thread.java:745)

[5] here is the error with Tomcat 8.0.15:

java.lang.NullPointerException
    org.apache.catalina.realm.JNDIRealm.getUser(JNDIRealm.java:1286)
    org.apache.catalina.realm.JNDIRealm.getUser(JNDIRealm.java:1236)
    org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:1177)
    org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:1052)
    org.apache.catalina.realm.CombinedRealm.authenticate(CombinedRealm.java:157)
    org.apache.catalina.realm.CombinedRealm.authenticate(CombinedRealm.java:157)
    org.apache.catalina.realm.LockOutRealm.authenticate(LockOutRealm.java:180)
    org.apache.catalina.authenticator.BasicAuthenticator.authenticate(BasicAuthenticator.java:111)
    org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:576)
    org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
    org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:610)
    org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:537)
    org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1085)
    org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:658)
    org.apache.coyote.http11.Http11NioProtocol$Http11ConnectionHandler.process(Http11NioProtocol.java:222)
    org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1556)
    org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1513)
    java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    java.lang.Thread.run(Thread.java:745)

Upvotes: 1

Views: 2175

Answers (1)

kotacc

Reputation: 327

It appears to be a defect in Tomcat 7.0.57. If you see the source code at line 1300, there is no null check. I've pasted the piece of code here and given my comment:

protected User getUser(DirContext context, String username,
                       String credentials, int curUserPattern)
    throws NamingException {
    ...
    if (userPatternFormatArray != null && curUserPattern >= 0) {
        user = getUserByPattern(context, username, credentials, attrIds, curUserPattern);
    } else {
        user = getUserBySearch(context, username, attrIds);
    }
    if (userPassword == null && credentials != null) { // Line 1300: no null check for the 'user' object.
        return new User(user.getUserName(), user.getDN(), credentials,
                user.getRoles(), user.getUserRoleId());
    }
    return user;
}

It seems that the lines from 1300 were added in Tomcat version 7.0.57. I could also see that it is addressed in trunk, but it is not released yet. I suggest you use either the previous version (7.0.56) or Tomcat 8.

[EDIT]: It seems the defect is not fixed in all versions of Tomcat 8. As of now, the latest versions of Tomcat, i.e. 7.0.57 and 8.0.15, have this defect.

Upvotes: 1
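
The missing null check described in the answer above, reduced to a stand-alone model and shown beside a guarded variant. This is an added example, not Tomcat's source and not the project's actual patch. The `User` class, the `lookup` method, the `DIRECTORY` map and its entries are hypothetical stand-ins, and `userPassword` is passed as a parameter here rather than read from a realm field.

```java
import java.util.HashMap;
import java.util.Map;

public class GetUserNullCheckDemo {
    // Simplified stand-in for the realm's user holder (hypothetical, not Tomcat's class).
    static final class User {
        final String userName, dn, password;
        User(String userName, String dn, String password) {
            this.userName = userName; this.dn = dn; this.password = password;
        }
    }

    // Constructed sample directory; lookup returns null when no entry matches.
    static final Map<String, String> DIRECTORY = new HashMap<>();
    static { DIRECTORY.put("alice", "CN=alice,OU=Users,DC=example,DC=test"); }

    static User lookup(String username) {
        String dn = DIRECTORY.get(username);
        return dn == null ? null : new User(username, dn, null);
    }

    // Mirrors the excerpt: 'user' is dereferenced without a null check.
    static User getUserUnguarded(String username, String credentials, String userPassword) {
        User user = lookup(username);
        if (userPassword == null && credentials != null) {
            return new User(user.userName, user.dn, credentials); // NPE if user == null
        }
        return user;
    }

    // Guarded variant: a failed lookup is reported as "no such user" (null).
    static User getUserGuarded(String username, String credentials, String userPassword) {
        User user = lookup(username);
        if (user != null && userPassword == null && credentials != null) {
            return new User(user.userName, user.dn, credentials);
        }
        return user;
    }

    public static void main(String[] args) {
        try {
            getUserUnguarded("mallory", "wrong", null);
        } catch (NullPointerException e) {
            System.out.println("unguarded: NullPointerException for unknown user");
        }
        System.out.println("guarded, unknown user: " + getUserGuarded("mallory", "wrong", null));
        System.out.println("guarded, known user:   " + getUserGuarded("alice", "secret", null).dn);
    }
}
```

With the guard in place, a failed lookup comes back as a null user, which the caller can treat as an ordinary authentication failure instead of letting an uncaught exception propagate out of the realm.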
