- Type: Regression Bug
- Status: Closed
- Resolution: Fixed
- Affects Version/s: 7.0.0 DXP FP56, 7.0.X, Master
- Component/s: Application Security, Application Security > SAML
- Branch Version/s: 7.2.x, 7.1.x, 7.0.x
- Backported to Branch: Committed
- Story Points: 4
- Git Pull Request:

Reproduction steps:
- Set up an IdP and an SP
- Start up the SP in debug mode and add a breakpoint at line 242 in the DefaultUserResolver class
- On the SP, click on Sign In in the top right corner and log in
- As you can see in Eclipse, the value of format is emailAddress (if you selected that for the Name Identifier Format)
- Manually change it to null
Experienced behavior: The following exception is thrown:
    2018-08-16 13:35:42.492 ERROR [http-nio-7070-exec-5][BaseSamlStrutsAction:54] com.liferay.saml.runtime.SamlException: java.lang.NullPointerException
    com.liferay.saml.runtime.SamlException: java.lang.NullPointerException
        at com.liferay.saml.opensaml.integration.internal.profile.ExceptionHandlerUtil.handleException(ExceptionHandlerUtil.java:34)
        at com.liferay.saml.opensaml.integration.internal.profile.WebSsoProfileImpl.processResponse(WebSsoProfileImpl.java:172)
        at com.liferay.saml.web.internal.portlet.action.AssertionConsumerServiceAction.doExecute(AssertionConsumerServiceAction.java:59)
        at com.liferay.saml.web.internal.portlet.action.BaseSamlStrutsAction.execute(BaseSamlStrutsAction.java:51)
        at com.liferay.portal.kernel.struts.BaseStrutsAction.execute(BaseStrutsAction.java:39)
        at com.liferay.portal.struts.ActionAdapter.execute(ActionAdapter.java:50)
        at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:425)
        at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:228)
        at com.liferay.portal.struts.PortalRequestProcessor.process(PortalRequestProcessor.java:170)
        at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1913)
        at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:462)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:648)
        at com.liferay.portal.servlet.MainServlet.callParentService(MainServlet.java:608)
        at com.liferay.portal.servlet.MainServlet.service(MainServlet.java:585)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:292)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
        at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
        at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:119)
        at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:144)
        at com.liferay.frontend.compatibility.ie.servlet.filter.IEMimeTypeCompatibilityFilter.processFilter(IEMimeTypeCompatibilityFilter.java:48)
        at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:49)
        at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:207)
        at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:112)
        at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:144)
        at com.liferay.portal.servlet.filters.uploadservletrequest.UploadServletRequestFilter.processFilter(UploadServletRequestFilter.java:93)
        at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:49)
        at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:207)
        at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:112)
        at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:144)
        at com.liferay.portal.servlet.filters.strip.StripFilter.processFilter(StripFilter.java:343)
        at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:49)
        at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:207)
        at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:112)
        at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:144)
        at com.liferay.portal.servlet.filters.secure.BaseAuthFilter.processFilter(BaseAuthFilter.java:340)
        at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:49)
        at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:207)
        at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:112)
        at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:144)
        at com.liferay.portal.servlet.filters.jsoncontenttype.JSONContentTypeFilter.processFilter(JSONContentTypeFilter.java:42)
        at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:49)
        at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:207)
        at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:112)
        at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:144)
        at com.liferay.portal.sharepoint.SharepointFilter.processFilter(SharepointFilter.java:88)
        at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:49)
        at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:207)
        at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:112)
        at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:144)
        at com.liferay.portal.servlet.filters.virtualhost.VirtualHostFilter.processFilter(VirtualHostFilter.java:263)
        at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:49)
        at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:207)
        at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:112)
        at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:144)
        at com.liferay.portal.monitoring.internal.servlet.filter.MonitoringFilter.processFilter(MonitoringFilter.java:181)
        at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:49)
        at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:207)
        at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:112)
        at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDirectCallFilter(InvokerFilterChain.java:188)
        at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:96)
        at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDirectCallFilter(InvokerFilterChain.java:188)
        at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:96)
        at org.tuckey.web.filters.urlrewrite.RuleChain.handleRewrite(RuleChain.java:176)
        at org.tuckey.web.filters.urlrewrite.RuleChain.doRules(RuleChain.java:145)
        at org.tuckey.web.filters.urlrewrite.UrlRewriter.processRequest(UrlRewriter.java:92)
        at org.tuckey.web.filters.urlrewrite.UrlRewriteFilter.doFilter(UrlRewriteFilter.java:394)
        at com.liferay.portal.servlet.filters.urlrewrite.UrlRewriteFilter.processFilter(UrlRewriteFilter.java:65)
        at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:49)
        at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:207)
        at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:112)
        at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDirectCallFilter(InvokerFilterChain.java:168)
        at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:96)
        at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDirectCallFilter(InvokerFilterChain.java:168)
        at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:96)
        at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDirectCallFilter(InvokerFilterChain.java:188)
        at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:96)
        at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilter.doFilter(InvokerFilter.java:100)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:212)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
        at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:616)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:522)
        at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1095)
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:672)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1500)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1456)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.lang.Thread.run(Thread.java:748)
    Caused by: java.lang.NullPointerException
        at com.liferay.saml.opensaml.integration.internal.resolver.DefaultUserResolver.getSubjectNameIdentifierType(DefaultUserResolver.java:242)
        at com.liferay.saml.opensaml.integration.internal.resolver.DefaultUserResolver.resolveUser(DefaultUserResolver.java:91)
        at com.liferay.saml.opensaml.integration.internal.profile.WebSsoProfileImpl.doProcessResponse(WebSsoProfileImpl.java:629)
        at com.liferay.saml.opensaml.integration.internal.profile.WebSsoProfileImpl.processResponse(WebSsoProfileImpl.java:169)
        ... 96 more

Expected behavior: The NullPointerException shouldn't be thrown.
Please see the getSubjectNameIdentifierType method in the DefaultUserResolver class:

    protected String getSubjectNameIdentifierType(
        UserResolverSAMLContext userResolverSAMLContext) {

        String format = userResolverSAMLContext.resolveSubjectNameFormat();

        if (format.equals(NameIDType.EMAIL)) {
            return _SUBJECT_NAME_TYPE_EMAIL_ADDRESS;
        }

        return _SUBJECT_NAME_TYPE_SCREENNAME;
    }

The NullPointerException is thrown because the format is null, which according to the SAML 2.0 specification is an optional attribute of the NameID element.
Maybe we can try to modify the if statement the following way:

    if (NameIDType.EMAIL.equals(format)) {
        return _SUBJECT_NAME_TYPE_EMAIL_ADDRESS;
    }

    return _SUBJECT_NAME_TYPE_SCREENNAME;

After checking the DefaultUserResolver class on master I believe the same issue occurs there.
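
The failure and the proposed constant-first comparison, shown side by side on a NameID with and without the optional Format attribute. This is an added example, not Liferay's code: the class name, the DOM-based `resolveSubjectNameFormat` stand-in, the two subject-type string values and the sample NameID elements are assumptions constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;

public class NameIdFormatDemo {
    // URI that OpenSAML exposes as NameIDType.EMAIL.
    static final String EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress";
    // Placeholder values: the ticket does not show what the real constants hold.
    static final String TYPE_EMAIL = "emailAddress", TYPE_SCREENNAME = "screenName";
    static final String NS = "urn:oasis:names:tc:SAML:2.0:assertion";

    // Hypothetical stand-in for resolveSubjectNameFormat(): null when Format is absent.
    static String resolveSubjectNameFormat(String nameIdXml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // Refuse DOCTYPE declarations when parsing untrusted XML.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Element e = f.newDocumentBuilder()
            .parse(new ByteArrayInputStream(nameIdXml.getBytes(StandardCharsets.UTF_8)))
            .getDocumentElement();
        return e.hasAttribute("Format") ? e.getAttribute("Format") : null;
    }

    // Before: dereferences format, so a NameID without Format throws.
    static String typeBefore(String format) {
        return format.equals(EMAIL) ? TYPE_EMAIL : TYPE_SCREENNAME;
    }

    // After: calling equals() on the constant is null-safe; absent Format falls back.
    static String typeAfter(String format) {
        return EMAIL.equals(format) ? TYPE_EMAIL : TYPE_SCREENNAME;
    }

    public static void main(String[] args) throws Exception {
        String[] samples = { // constructed NameID elements
            "<saml:NameID xmlns:saml=\"" + NS + "\" Format=\"" + EMAIL + "\">user@example.com</saml:NameID>",
            "<saml:NameID xmlns:saml=\"" + NS + "\">jdoe</saml:NameID>"
        };
        for (String xml : samples) {
            String format = resolveSubjectNameFormat(xml);
            String before;
            try { before = typeBefore(format); }
            catch (NullPointerException npe) { before = "NullPointerException"; }
            System.out.println("Format=" + format + " before=" + before + " after=" + typeAfter(format));
        }
    }
}
```
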
- causes: LPS-122195 ADFS with NameID format unspecified as Idp cannot login existing users (Closed)
- is caused by: LPS-73885 Decouple OpenSAML dependencies from Liferay SAML extension points (Closed)
- is related to: LPS-60096 Missing NameID format causes NullPointerException (Closed)