On Mon, 11 Jul 2022 18:49:26 GMT, Sean Mullan <mul...@openjdk.org> wrote:

>> Add null-checks in all `LoginModule` implementations. It's possible that an 
>> application calls `logout` after a login failure, where most internal 
>> variables for principals and credentials are null and removing a null from 
>> the `Subject`'s principals and credentials sets will trigger a 
>> `NullPointerException`.
>
> src/jdk.security.auth/share/classes/com/sun/security/auth/module/UnixLoginModule.java
>  line 289:
> 
>> 287:             subject.getPrincipals().remove(GIDPrincipal);
>> 288:         }
>> 289:         if (supplementaryGroups != null) {
> 
> This line is harmless, but you could take it out as supplementaryGroups is 
> never null.

Yes, in fact, whenever `add()` is called, a `new 
UnixNumericGroupPrincipal(...)` is added. So it seems there is no need to check 
the elements inside as well. Same in `JndiLoginModule`. In `NTLoginModule`, 
while the `groups` array itself can be null, its elements are also never null.

-------------

PR: https://git.openjdk.org/jdk/pull/9348
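The failure mode the PR description refers to, reproduced as a stand-alone example (added here; it is not code from the PR or from the JDK's own `LoginModule` implementations). `DemoPrincipal`, `DemoLoginModule` and the `guardNulls` option are hypothetical names for this demo. `login()` is made to fail deterministically, so the principal field is still null when the application calls `logout()`; the unguarded branch then passes that null to `subject.getPrincipals().remove(...)`, which is the `NullPointerException` the PR guards against, while the guarded branch only removes what `commit()` would actually have added.

```java
import java.security.Principal;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/** Hypothetical minimal LoginModule showing the logout-after-failed-login path. */
public class GuardedLogoutDemo {

    /** Trivial principal type for the demo (not a JDK class). */
    static final class DemoPrincipal implements Principal {
        private final String name;
        DemoPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o instanceof DemoPrincipal && ((DemoPrincipal) o).name.equals(name);
        }
        @Override public int hashCode() { return name.hashCode(); }
    }

    static final class DemoLoginModule implements LoginModule {
        private Subject subject;
        private boolean guardNulls;          // hypothetical option toggling the fix
        private DemoPrincipal userPrincipal; // stays null when login() fails
        private boolean succeeded;

        @Override
        public void initialize(Subject subject, CallbackHandler handler,
                               Map<String, ?> sharedState, Map<String, ?> options) {
            this.subject = subject;
            this.guardNulls = "true".equals(options.get("guardNulls"));
        }

        @Override
        public boolean login() throws LoginException {
            // Constructed failure: authentication is rejected before any principal exists.
            succeeded = false;
            throw new FailedLoginException("constructed failure for the demo");
        }

        @Override
        public boolean commit() throws LoginException {
            if (!succeeded) return false;
            subject.getPrincipals().add(userPrincipal);
            return true;
        }

        @Override
        public boolean abort() throws LoginException {
            userPrincipal = null;
            succeeded = false;
            return true;
        }

        @Override
        public boolean logout() throws LoginException {
            Set<Principal> principals = subject.getPrincipals();
            if (guardNulls) {
                // Fixed pattern: only remove a principal that commit() could have added.
                if (userPrincipal != null) {
                    principals.remove(userPrincipal);
                }
            } else {
                // Unguarded pattern: remove(null) on the Subject's principal set.
                principals.remove(userPrincipal);
            }
            userPrincipal = null;
            succeeded = false;
            return true;
        }
    }

    /** Fails login(), then calls logout() anyway; returns "ok" or the exception's class name. */
    static String logoutAfterFailedLogin(boolean guardNulls) {
        Subject subject = new Subject();
        DemoLoginModule module = new DemoLoginModule();
        module.initialize(subject, null, Map.of(),
                          Map.of("guardNulls", String.valueOf(guardNulls)));
        try {
            module.login();
        } catch (LoginException expected) {
            // The application ignores the failure and still calls logout().
        }
        try {
            module.logout();
            return "ok";
        } catch (RuntimeException | LoginException e) {
            return e.getClass().getSimpleName();
        }
    }

    public static void main(String[] args) {
        System.out.println("unguarded logout: " + logoutAfterFailedLogin(false));
        System.out.println("guarded logout:   " + logoutAfterFailedLogin(true));
    }
}
```

Compile and run with `javac GuardedLogoutDemo.java && java GuardedLogoutDemo`. The same null-check applies to credentials removed from `subject.getPublicCredentials()` and `subject.getPrivateCredentials()` in `logout()`; the review comment above notes that a principal the module itself always constructs with `new` (such as the supplementary-group entries) needs no such check.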