Nuxeo Platform / NXP-18903

WebEngine form authenticator logout expects a username and fails

      Description

      A call to @@login resets the authentication.
      Then it performs the login if it finds the required parameters: username, password and caller.
      It uses:

      org.nuxeo.ecm.webengine.login.WebEngineFormAuthenticator.handleRetrieveIdentity(HttpServletRequest, HttpServletResponse) {
          if (!isLoginRequest(httpRequest)) {
              return null;
          }
          String userName = httpRequest.getParameter(usernameKey);
          String password = httpRequest.getParameter(passwordKey);
          return new UserIdentificationInfo(userName, password);
      }
      

      But the method returns an identity even if the username parameter is not present.
      It causes an NPE when logging out in the NuxeoAuthenticationFilter, which expects a valid identity with a username.
      Currently line 507:

      if (cachableUserIdent == null || cachableUserIdent.getUserInfo() == null) {
          UserIdentificationInfo userIdent = handleRetrieveIdentity(httpRequest, httpResponse);
          if (userIdent != null && userIdent.getUserName().equals(getAnonymousId())) {   // <=== HERE
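
      The failure described above and one way to guard against it, as an added stand-alone sketch (not Nuxeo's code and not the fix applied for this issue). The `Identity` class, the parameter map standing in for the servlet request, and the anonymous id `Guest` are assumptions; the `isLoginRequest` check is left out.

```java
import java.util.Map;
// Stand-alone sketch: these types are simplified stand-ins, not the Nuxeo classes.
public class LogoutIdentityCheck {
    static final String USERNAME_KEY = "username"; // parameter names from the description
    static final String PASSWORD_KEY = "password";
    static final String ANONYMOUS_ID = "Guest";    // assumed anonymous user id

    // Stand-in for UserIdentificationInfo: holds the two submitted values.
    static final class Identity {
        final String userName;
        final String password;
        Identity(String userName, String password) {
            this.userName = userName;
            this.password = password;
        }
    }

    // Behaviour described in the issue: an identity is built even when "username" is absent.
    static Identity retrieveIdentityAsReported(Map<String, String> params) {
        return new Identity(params.get(USERNAME_KEY), params.get(PASSWORD_KEY));
    }

    // Guarded variant: no username means no identity, so the caller gets null.
    static Identity retrieveIdentityGuarded(Map<String, String> params) {
        String userName = params.get(USERNAME_KEY);
        if (userName == null || userName.isEmpty()) {
            return null;
        }
        return new Identity(userName, params.get(PASSWORD_KEY));
    }

    // Caller-side comparison written so that a null user name cannot throw.
    static boolean isAnonymous(Identity ident) {
        return ident != null && ANONYMOUS_ID.equals(ident.userName);
    }

    public static void main(String[] args) {
        Map<String, String> logoutParams = Map.of(); // constructed: request with no username parameter
        Identity reported = retrieveIdentityAsReported(logoutParams);
        try { // same shape as the filter comparison quoted in the issue
            System.out.println(reported.userName.equals(ANONYMOUS_ID));
        } catch (NullPointerException e) {
            System.out.println("as reported: NullPointerException");
        }
        System.out.println("guarded identity: " + retrieveIdentityGuarded(logoutParams));
        System.out.println("null-safe check on reported identity: " + isAnonymous(reported));
    }
}
```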
      
