By: Colin ODell user 19 Nov 2020 at 3:18 p.m. CST

14 Responses
## Issue

The `idp` service seems to crash after encountering a `NullPointerException` at `org.gluu.oxauth.client.validation.OAuthValidationFilter.getOAuthData(OAuthValidationFilter.java:180)`.

## Investigation

[This is the line of code where the NullPointerException occurs](https://github.com/GluuFederation/oxTrust/blob/3.1.4/saml-openid-auth-client/src/main/java/org/gluu/oxauth/client/validation/OAuthValidationFilter.java#L180). Based on a review of the preceding code and [the Jwt.parse method](https://github.com/GluuFederation/oxAuth/blob/3.1.4/Model/src/main/java/org/xdi/oxauth/model/jwt/Jwt.java#L54), it seems that Gluu is receiving a blank string for the id token and does not handle that situation gracefully. It causes `Jwt.parse()` to return `null` instead of throwing an `InvalidJwtException`, thus resulting in the `jwt` variable being `null` and causing this `NullPointerException`.

## Suggested Fixes

Either `parse()` should throw an exception instead of returning `null`, or the `OAuthValidationFilter` should check for `null` return values. Although this issue likely arises from something sending invalid/incomplete data into Gluu, I'd argue that Gluu should be resilient enough to detect this and not crash when this happens.
## Stack Trace

```
2020-11-19 13:01:58.236:WARN:oejs.HttpChannel:qtp1908153060-1237: /idp/Authn/RemoteUser
javax.servlet.ServletException: javax.servlet.ServletException: java.lang.NullPointerException
    at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:146)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
    at org.eclipse.jetty.server.Server.handle(Server.java:531)
    at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:352)
    at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:260)
    at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:281)
    at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:102)
    at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:118)
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:319)
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:175)
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:133)
    at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:366)
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:754)
    at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:672)
    at java.lang.Thread.run(Thread.java:745)
Caused by: javax.servlet.ServletException: java.lang.NullPointerException
    at org.gluu.oxauth.client.validation.OAuthValidationFilter.doFilter(OAuthValidationFilter.java:98)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)
    at org.gluu.oxauth.client.authentication.AuthenticationFilter.doFilter(AuthenticationFilter.java:88)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)
    at net.shibboleth.utilities.java.support.net.RequestResponseContextFilter.doFilter(RequestResponseContextFilter.java:61)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)
    at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:197)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)
    at net.shibboleth.idp.log.SLF4JMDCServletFilter.doFilter(SLF4JMDCServletFilter.java:72)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1634)
    at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:533)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:146)
    at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:548)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
    at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:257)
    at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1595)
    at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:255)
    at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1253)
    at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:203)
    at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:473)
    at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1564)
    at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:201)
    at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1155)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:144)
    at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:219)
    at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:126)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
    at org.eclipse.jetty.server.Server.handle(Server.java:531)
    at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:352)
    at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:260)
    at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:281)
    at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:102)
    at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:118)
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:319)
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:175)
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:133)
    at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:366)
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:754)
    at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:672)
    at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.NullPointerException
    at org.gluu.oxauth.client.validation.OAuthValidationFilter.getOAuthData(OAuthValidationFilter.java:180)
    at org.gluu.oxauth.client.validation.OAuthValidationFilter.doFilter(OAuthValidationFilter.java:90)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)
    at org.gluu.oxauth.client.authentication.AuthenticationFilter.doFilter(AuthenticationFilter.java:88)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)
    at net.shibboleth.utilities.java.support.net.RequestResponseContextFilter.doFilter(RequestResponseContextFilter.java:61)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)
    at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:197)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)
    at net.shibboleth.idp.log.SLF4JMDCServletFilter.doFilter(SLF4JMDCServletFilter.java:72)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1634)
    at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:533)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:146)
    at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:548)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
    at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:257)
    at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1595)
    at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:255)
    at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1253)
    at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:203)
    at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:473)
    at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1564)
    at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:201)
    at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1155)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:144)
    at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:219)
    at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:126)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
    at org.eclipse.jetty.server.Server.handle(Server.java:531)
    at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:352)
    at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:260)
    at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:281)
    at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:102)
    at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:118)
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:319)
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:175)
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:133)
    at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:366)
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:754)
    at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:672)
    at java.lang.Thread.run(Thread.java:745)
2020-11-19 13:02:14.721:INFO:oejs.AbstractConnector:Thread-11: Stopped ServerConnector@610fbe1c{HTTP/1.1,[http/1.1]}{localhost:8086}
2020-11-19 13:02:14.721:INFO:oejs.session:Thread-11: Stopped scavenging
2020-11-19 13:02:14.750:INFO:oejshC.idp:Thread-11: Destroying Spring FrameworkServlet 'idp'
```

## Additional Notes

Although we're using an older version of Gluu, it looks like this same issue is likely present in 4.1.2.
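The two fixes proposed in the report, shown together as an added example that is not oxAuth or oxTrust code: a `parse()` that throws on a blank or malformed id_token instead of returning `null`, and a filter-side caller that turns that failure into a 401 rather than an unhandled `NullPointerException` (a 500). The class, exception and method names are hypothetical, and signature verification is deliberately out of scope.

```java
import java.util.Base64;

// Added example, not oxAuth/oxTrust code; all names here are hypothetical.
// parse() never returns null, and the filter treats a parse failure as an
// authentication failure (fail closed) instead of crashing the request.
public final class IdTokenGuard {

    public static final class InvalidIdTokenException extends Exception {
        public InvalidIdTokenException(String msg) { super(msg); }
    }

    /** The three base64url segments of a compact JWS; the signature is not verified here. */
    public static final class ParsedJwt {
        public final String header, payload, signature;
        ParsedJwt(String h, String p, String s) { header = h; payload = p; signature = s; }
    }

    /** A blank or malformed token is an exception, never a null result. */
    public static ParsedJwt parse(String idToken) throws InvalidIdTokenException {
        if (idToken == null || idToken.trim().isEmpty()) {
            throw new InvalidIdTokenException("id_token is missing or blank");
        }
        String[] parts = idToken.split("\\.", -1); // -1 keeps trailing empty segments
        if (parts.length != 3) {
            throw new InvalidIdTokenException("id_token must have 3 segments, got " + parts.length);
        }
        Base64.Decoder dec = Base64.getUrlDecoder();
        try {
            for (String part : parts) dec.decode(part);
        } catch (IllegalArgumentException e) {
            throw new InvalidIdTokenException("id_token segment is not base64url");
        }
        return new ParsedJwt(parts[0], parts[1], parts[2]);
    }

    /** Filter-side shape: reject with 401 instead of surfacing a 500 from an NPE. */
    public static int handle(String idTokenFromRequest) {
        try {
            parse(idTokenFromRequest);
            return 200; // a real filter would continue the chain here
        } catch (InvalidIdTokenException e) {
            return 401; // log e.getMessage() for operators; never echo the token itself
        }
    }

    public static void main(String[] args) {
        // Constructed inputs: the blank token from the thread, a truncated token,
        // and a structurally valid but unverified sample ({"alg":"RS256"}.{"sub":"x"}.sig).
        for (String t : new String[] {"", "a.b", "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJ4In0.c2ln"}) {
            System.out.println("[" + t + "] -> HTTP " + handle(t));
        }
    }
}
```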

By Michael Schwartz Account Admin 19 Nov 2020 at 3:23 p.m. CST

@Dzouato Djeumen.Rolain Bonaventure can you take a look?

By Dzouato Djeumen Rolain Bonaventure staff 24 Nov 2020 at 10:57 p.m. CST

Hello Colin, Thanks for the detailed information. I'm taking a look at the issue. Apologies for the delay.

By Dzouato Djeumen Rolain Bonaventure staff 27 Nov 2020 at 10:53 p.m. CST

Hello Colin, I had a discussion with a member of my team and the best suggested place for the changes to occur at the moment is oxTrust. I have made said changes for your current version of Gluu (3.1.3). Would you mind me uploading it so you can use it? Thanks

By Colin ODell user 30 Nov 2020 at 9:45 a.m. CST

Hi, Yes, please, that would be great! Thanks, Colin

By Dzouato Djeumen Rolain Bonaventure staff 01 Dec 2020 at 10:42 p.m. CST

Hello Colin, Please find attached the new shibboleth idp build. Backup the war `/opt/gluu/jetty/idp/webapps/idp.war` and replace it with this file. Make sure it's named `idp.war` in the directory. Regards, Rolain

By Michael Carroll user 04 Dec 2020 at 9:12 a.m. CST

@Dzouato Djeumen.Rolain Bonaventure Thank you for providing this file. I am the Project Manager working with Colin on this project and have a couple of questions:

- What information should Intrado (third-party vendor) send to Gluu to avoid the JWT errors?
- Were there any updates to the Gluu software installed on the server prior to Nov 11th, when this incident took place?

By Dzouato Djeumen Rolain Bonaventure staff 09 Dec 2020 at 4:09 a.m. CST

Hello Sir, To answer your questions:

- I don't think it's some information that's missing that you're not sending; in 3.1.3 we just didn't handle a specific corner case properly. Replacing the idp war with the one we just provided should fix that.
- We wouldn't know about that as far as I can tell, as we do not have access to your infrastructure (again, as far as I can tell). What I can tell is that Colin specifically referred to 3.1.3 as the version of Gluu where the issue arose, and since then, we've released several versions of Gluu (currently 4.2.1).

I hope it helps. Thanks

By Michael Carroll user 09 Dec 2020 at 7:54 a.m. CST

Thank you for this information.

By Michael Carroll user 09 Dec 2020 at 12:58 p.m. CST

One additional question, if we upgrade to 4.2.1, will this new file work with that version?

By Michael Carroll user 10 Dec 2020 at 10:25 a.m. CST

That was not my last question, I apologize. Would anyone from support be able to join a call with our client next Tuesday Dec 15th at some point between 4-6pm US EST? We have a call with our client as well as the 3rd-party vendor involved in this issue and it would be beneficial to have someone from Gluu support on the call.

By Dzouato Djeumen Rolain Bonaventure staff 11 Dec 2020 at 6:28 a.m. CST

Hello Michael, 4.2.1 doesn't use the same codebase for that particular aspect of Shibboleth as 3.1.3, so you won't even need this new file. As for your question about someone joining the call, I'll have to get back to you on that. Thanks

By Michael Carroll user 11 Dec 2020 at 8:58 a.m. CST

Thanks for clarifying regarding the WAR file. I have an update on the timing of the request to join our call: it would be either 1pm or 2pm US EST on Tuesday. Thank you for checking.

By Michael Schwartz Account Admin 13 Dec 2020 at 4:31 p.m. CST

We'd need to know more about this opportunity before we agree to do in person support. Please talk to Davin Cooke. Also, 3.x is end-of-life in 4 months: [https://gluu.org/docs/#end-of-life](https://gluu.org/docs/#end-of-life). Why are you using it?

By Michael Carroll user 14 Dec 2020 at 9:48 a.m. CST

Hello Michael, The purpose of the call is to discuss the issue outlined in this ticket with the third-party vendor that provided the blank string for the ID token, as noted in Colin's initial description. Our client and the 3rd-party organization would like to have all parties on the call to see how this might be resolved. My question for you, however, is: if we update the version of Gluu to the most recent version, will this even be an issue?