Bug 916085

Summary: Null pointer exception in case Authorization header is passed
Product: Red Hat Enterprise Virtualization Manager Reporter: Katarzyna Jachim <kjachim>
Component: ovirt-engine-restapiAssignee: Ravi Nori <rnori>
Status: CLOSED CURRENTRELEASE QA Contact: Katarzyna Jachim <kjachim>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 3.2.0CC: acathrow, dyasny, iheim, mpastern, ncredi, oramraz, Rhev-m-bugs, ykaul
Target Milestone: ---   
Target Release: 3.2.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: infra
Fixed In Version: sf13-beta2 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: Infra RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Katarzyna Jachim 2013-02-27 09:15:30 UTC 
Description of problem: Null pointer exception in case Authorization header is passed.


Version-Release number of selected component (if applicable):


How reproducible: 100%


Steps to Reproduce:
(done with RESTClient, Firefox add-on)
1. set header 'Authorization' to 'admin@internal:123456' (doesn't matter if login/password are correct or not)
2. do not set any Authentication method
3. GET https://kj-rh32.rhev.lab.eng.brq.redhat.com:443/api
  
Actual results:

Status Code: 500 Internal Server Error

From response body:
The server encountered an internal error () that prevented it from fulfilling this request.

org.jboss.resteasy.spi.UnhandledException: java.lang.NullPointerException
	org.jboss.resteasy.core.SynchronousDispatcher.handleException(SynchronousDispatcher.java:251)
	org.jboss.resteasy.core.SynchronousDispatcher.handleInvokerException(SynchronousDispatcher.java:196)
	org.jboss.resteasy.core.SynchronousDispatcher.getResponse(SynchronousDispatcher.java:551)
	org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:513)
	org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:125)
	org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:208)
	org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:55)
	org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:50)
	javax.servlet.http.HttpServlet.service(HttpServlet.java:847)

root cause java.lang.NullPointerException
	org.ovirt.engine.api.restapi.security.auth.LoginValidator.validate(LoginValidator.java:65)
	org.ovirt.engine.api.common.security.auth.Challenger.executeBasicAuthentication(Challenger.java:129)
	org.ovirt.engine.api.common.security.auth.Challenger.preProcess(Challenger.java:103)
	org.jboss.resteasy.core.ResourceMethod.invokeOnTarget(ResourceMethod.java:247)
	org.jboss.resteasy.core.ResourceMethod.invoke(ResourceMethod.java:222)
	org.jboss.resteasy.core.ResourceMethod.invoke(ResourceMethod.java:211)
	org.jboss.resteasy.core.SynchronousDispatcher.getResponse(SynchronousDispatcher.java:536)
	org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:513)
	org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:125)
	org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:208)
	org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:55)
	org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:50)
	javax.servlet.http.HttpServlet.service(HttpServlet.java:847)

note The full stack trace of the root cause is available in the JBoss Web/7.0.17..Final-redhat-2 logs


Expected results:
Not to throw exception

Additional info:
Not sure if it is a bug in RHEVM REST API or JBoss.
Comment 1 Michael Pasternak 2013-02-27 09:28:11 UTC 
(In reply to comment #0)
> Description of problem: Null pointer exception in case Authorization header
> is passed.
> 
> 
> Version-Release number of selected component (if applicable):
> 
> 
> How reproducible: 100%
> 
> 
> Steps to Reproduce:
> (done with RESTClient, Firefox add-on)
> 1. set header 'Authorization' to 'admin@internal:123456' (doesn't matter if
> login/password are correct or not)
> 2. do not set any Authentication method
> 3. GET https://kj-rh32.rhev.lab.eng.brq.redhat.com:443/api
>   

Authorization header should look like:

Authorization:Basic YWRtaW5AaW50ZXJuYWw6MTIzNDU2,

you have to specify 'authorization type' by spec, also credentials are not passed as plain text, but as base64 encoded string string, anyway this is RESTeasy issue
Comment 2 Michael Pasternak 2013-02-27 09:31:09 UTC 
- missed 'root cause', we can defend against this in a Challenger/LoginValidator.
Comment 5 Katarzyna Jachim 2013-04-10 10:57:12 UTC 
Works OK (i.e. no Java exception) on rhevm-3.2.0-10.18.beta2.el6ev
Comment 6 Itamar Heim 2013-06-11 08:45:17 UTC 
3.2 has been released
Comment 7 Itamar Heim 2013-06-11 08:45:17 UTC 
3.2 has been released
Comment 8 Itamar Heim 2013-06-11 08:45:28 UTC 
3.2 has been released
Comment 9 Itamar Heim 2013-06-11 08:51:27 UTC 
3.2 has been released
Comment 10 Itamar Heim 2013-06-11 09:22:19 UTC 
3.2 has been released