
Bug Report: [7.2025.1] NullPointerException in Policy

Open ctabin opened this issue 1 month ago • 7 comments

Brief Summary

Hi,

After fixing our domain.xml in 7141, our application deploys. But once a request hits the facade, we hit again an NPE:

SEVERE @72.2025-11-12 16:01:42-526 [saierp.framework.facade.servlet.EntryPointServlet.handleException] Exception caught in Servlet
java.lang.NullPointerException: Cannot invoke "jakarta.security.jacc.PolicyConfiguration.getExcludedPermissions()" because the return value of "jakarta.security.jacc.PolicyConfigurationFactory.getPolicyConfiguration()" is null
	at org.glassfish.exousia.modules.def.DefaultPolicy.isExcluded(DefaultPolicy.java:50)
	at jakarta.security.jacc.Policy.implies(Policy.java:53)
	at org.glassfish.exousia.AuthorizationService.checkPermission(AuthorizationService.java:550)
	at org.glassfish.exousia.AuthorizationService.checkWebRoleRefPermission(AuthorizationService.java:463)
	at com.sun.enterprise.security.ee.authorization.WebAuthorizationManagerService.hasRoleRefPermission(WebAuthorizationManagerService.java:436)
	at com.sun.web.security.RealmAdapter.hasRole(RealmAdapter.java:1104)
	at org.apache.catalina.connector.Request.isUserInRole(Request.java:2772)
	at org.apache.catalina.connector.RequestFacade.isUserInRole(RequestFacade.java:814)
	at my.servlet.EntryPointServlet.processRequest(EntryPointServlet.java:334)
	at jakarta.servlet.http.HttpServlet.service(HttpServlet.java:653)
	at jakarta.servlet.http.HttpServlet.service(HttpServlet.java:723)
	at org.apache.catalina.core.StandardWrapper.service(StandardWrapper.java:1554)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:259)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:166)
	at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:757)
	at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:577)
	at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:99)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:158)
	at org.apache.catalina.connector.CoyoteAdapter.doService(CoyoteAdapter.java:366)

In the facade, we use a JDBCRealm to authenticate the user with request.login(user, password) and then check the roles by invoking request.isUserInRole(...), and hit the NPE there.

We use payara-embedded-all with a programmatic deployment.

Expected Outcome

The request is authenticated and the roles can be checked.

Current Outcome

NullPointerException while calling request.isUserInRole.

Reproducer

Operating System

Linux Debian

JDK Version

OpenJDK 21

Payara Distribution

Payara Embedded All

ctabin avatar Nov 14 '25 18:11 ctabin

Hi @ctabin,

I have configured the launcher/domain.xml file as you mentioned in 7141, however, I am getting the same error that you initially posted on that issue.

SEVERE: Exception during lifecycle processing org.glassfish.deployment.common.DeploymentException: Error in generating security policy for sample-gf-app -- Error in generating security policy for sample-war -- jakarta.security.jacc.PolicyContextException: Jakarta Authorization:Error ...

Could you please confirm whether you have made any other changes that you did not mention?

Best Regards, Juan

juansierra24 avatar Nov 14 '25 19:11 juansierra24

Hi @juansierra24,

You can find my file here, trying to make a reproducer (I don't have the realm for now, so just doing mvn clean package works).

It is necessary to add the -Djakarta.security.jacc.PolicyFactory.provider=org.glassfish.exousia.modules.def.DefaultPolicyFactory as well in the <jvm-options> otherwise you still get the NPE during deployment.

ctabin avatar Nov 14 '25 21:11 ctabin

Hi @ctabin,

I have switched the branch to payara-7-alpha and run mvn clean package in my local environment (macOS) and an Ubuntu VM, but I am not getting any errors; everything succeeded.

Could you please provide a small, self-contained reproducer for this error?

Best Regards, Juan

juansierra24 avatar Nov 18 '25 21:11 juansierra24

@ctabin Use https://start.flowlogix.com to make a reproducer

lprimak avatar Nov 18 '25 21:11 lprimak

Hi @juansierra24, Yes the project is working because there is no realm defined in this example. In our application, we have a JDBC realm on which we authenticate the user with request.login(user, password) and that causes the NPE later shown by the stacktrace above. I'll try to reproduce it in my sample asap.

ctabin avatar Nov 19 '25 09:11 ctabin

@lprimak @juansierra24 Hi, I have reproduced the problem. You can simply clone this repo, check out the branch payara-7-alpha and then run mvn clean package.

The problem arises because we have the following pattern in a single request:

req.login(user, password);
req.isUserInRole("ADMIN"); //true

//...

req.logout();
req.login(user, password);
req.isUserInRole("ADMIN"); //NPE

Note that we already hit this in GlassFish.

ctabin avatar Nov 22 '25 19:11 ctabin
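
The login/logout/login sequence from the comment above, written out as a servlet whose role check fails closed, so that a runtime failure inside the authorization layer denies the request instead of escaping as an uncaught exception. This is an added example, not code from the reporter's repository or from Payara; the class name, URL path and request parameter names are assumptions.

```java
import jakarta.servlet.ServletException;
import jakarta.servlet.annotation.WebServlet;
import jakarta.servlet.http.HttpServlet;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;

// Hypothetical servlet: path, class name and parameter names are assumptions.
@WebServlet("/relogin-check")
public class ReloginCheckServlet extends HttpServlet {
    // Role check that fails closed: any runtime failure in the authorization layer means "deny".
    static boolean hasRoleFailClosed(HttpServletRequest req, String role) {
        try {
            return req.isUserInRole(role);
        } catch (RuntimeException e) {
            // Covers the NullPointerException raised under Policy.implies in the report.
            req.getServletContext().log("Role check failed for role " + role + ", denying", e);
            return false;
        }
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("user");
        String password = req.getParameter("password");
        if (user == null || password == null) { resp.sendError(HttpServletResponse.SC_BAD_REQUEST); return; }
        try {
            req.login(user, password);                      // first authentication against the realm
            boolean first = hasRoleFailClosed(req, "ADMIN");
            req.logout();                                   // drop the identity within the same request
            req.login(user, password);                      // second authentication, same request
            boolean second = hasRoleFailClosed(req, "ADMIN"); // the call that threw in the report
            if (!second) {
                resp.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
            resp.setContentType("text/plain");
            resp.getWriter().println("first=" + first + " second=" + second);
        } catch (ServletException e) {
            // login() throws ServletException when authentication fails.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        } finally {
            try { req.logout(); } catch (ServletException ignored) { /* nothing left to clear */ }
        }
    }
}
```

On an affected runtime the second check logs the exception and the response is 403; the logged stack trace is the signal to look for when confirming the bug.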

Hi @ctabin,

Thank you for providing the reproducer. I have reproduced it and was able to make it work with the workaround suggested in GF-23757. I have raised this issue with the Platform Development team via JIRA task FISH-12192, and they will fix it as soon as they have bandwidth available.

Best Regards, Juan

juansierra24 avatar Nov 26 '25 22:11 juansierra24