spring-security-jwt

Fixing NPE, introduced logging

Open JoergAdler opened this issue 3 years ago • 1 comments

We were facing the following NPE:

java.lang.NullPointerException: value
    at java.util.Objects.requireNonNull(Objects.java:228)
    at com.mercateo.spring.security.jwt.token.claim.JWTClaim$Builder.value(JWTClaim.java:440)
    at com.mercateo.spring.security.jwt.token.extractor.HierarchicalClaimsExtractor.lambda$extractClaims$1(HierarchicalClaimsExtractor.java:86)
    at com.mercateo.spring.security.jwt.relocated.io.vavr.collection.Stream.map(Stream.java:1221)
    at com.mercateo.spring.security.jwt.relocated.io.vavr.collection.Stream.lambda$map$9(Stream.java:1221)
    at com.mercateo.spring.security.jwt.relocated.io.vavr.Lazy.computeValue(Lazy.java:161)
    at com.mercateo.spring.security.jwt.relocated.io.vavr.Lazy.get(Lazy.java:155)
    at com.mercateo.spring.security.jwt.relocated.io.vavr.collection.StreamModule$ConsImpl.tail(Stream.java:1924)
    at com.mercateo.spring.security.jwt.relocated.io.vavr.collection.StreamModule$StreamIterator.hasNext(Stream.java:2132)
    at com.mercateo.spring.security.jwt.relocated.io.vavr.collection.List.ofAll(List.java:269)
    at com.mercateo.spring.security.jwt.relocated.io.vavr.ValueModule.toTraversable(Value.java:1528)
    at com.mercateo.spring.security.jwt.relocated.io.vavr.Value.toList(Value.java:1060)
    at com.mercateo.spring.security.jwt.token.extractor.HierarchicalClaimsExtractor.extractClaims(HierarchicalClaimsExtractor.java:91)
    at com.mercateo.spring.security.jwt.token.extractor.HierarchicalClaimsExtractor.extractClaims(HierarchicalClaimsExtractor.java:69)
    at com.mercateo.spring.security.jwt.token.extractor.ValidatingHierarchicalClaimsExtractor.extractClaims(ValidatingHierarchicalClaimsExtractor.java:67)
    at com.mercateo.spring.security.jwt.security.JWTAuthenticationProvider.retrieveUser(JWTAuthenticationProvider.java:63)
    at org.springframework.security.authentication.dao.AbstractUserDetailsAuthenticationProvider.authenticate(AbstractUserDetailsAuthenticationProvider.java:133)
    at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:182)

My assumption is that we have a claim which is explicitly set to null.

To see if that assumption is correct I have done the following:

  • filter out the potential NPE
  • logging the extraction to see something in the logs

JoergAdler, Aug 02 '21 11:08

We identified the problem with local debugging. It was that long values cannot be deserialized. Added it to that pull request.

JoergAdler, Aug 03 '21 11:08
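
The two cases named in this thread (a claim explicitly set to null, and a long-valued claim), shown as an added example that is not code from spring-security-jwt or from the pull request. The names `NullSafeClaims`, `Claim` and `extract` and the sample payload are assumptions constructed for illustration; Java 16 or later is assumed for records.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Objects;
import java.util.logging.Logger;

// Added illustration; class and method names are hypothetical, not spring-security-jwt API.
public class NullSafeClaims {
    private static final Logger LOG = Logger.getLogger(NullSafeClaims.class.getName());

    // Stand-in for a claim builder that rejects null the way the stack trace shows.
    record Claim(String name, Object value) {
        Claim {
            Objects.requireNonNull(name, "name");
            Objects.requireNonNull(value, "value"); // NPE("value") if a null claim gets here
        }
    }

    // Keep claims that are present and of a supported type; log the rest by name only,
    // so that claim values (which may be personal data) never reach the log.
    static Map<String, Claim> extract(Map<String, Object> raw) {
        Map<String, Claim> out = new LinkedHashMap<>();
        raw.forEach((name, value) -> {
            if (value == null) {
                LOG.warning(() -> "claim '" + name + "' is explicitly null, skipped");
            } else if (value instanceof String || value instanceof Boolean || value instanceof Number) {
                out.put(name, new Claim(name, value)); // Integer and Long both pass as Number
            } else {
                LOG.warning(() -> "claim '" + name + "' has unsupported type "
                        + value.getClass().getSimpleName() + ", skipped");
            }
        });
        return out;
    }

    public static void main(String[] args) {
        // Constructed payload, as a JSON parser would typically deliver
        // {"sub":"alice","tenant":null,"exp":1893456000000,"admin":false}
        Map<String, Object> raw = new LinkedHashMap<>();
        raw.put("sub", "alice");
        raw.put("tenant", null);
        raw.put("exp", 1893456000000L); // does not fit in int, so it arrives as Long
        raw.put("admin", false);

        Map<String, Claim> claims = extract(raw);
        System.out.println(claims.keySet());
        System.out.println(claims.get("exp").value().getClass().getSimpleName());
    }
}
```

Skipping a null claim keeps the exception out of the authentication path, but any claim the application requires still has to be checked for presence afterwards.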