On Fri, 1 Jul 2022 17:31:06 GMT, Weijun Wang <wei...@openjdk.org> wrote:

> Add null-checks in all `LoginModule` implementations. It's possible that an
> application calls `logout` after a login failure, where most internal
> variables for principals and credentials are null and removing a null from
> the `Subject`'s principals and credentials sets will trigger a
> `NullPointerException`.

A couple of minor comments so far; still reviewing.

src/jdk.security.auth/share/classes/com/sun/security/auth/module/JndiLoginModule.java line 483:

> 481: subject.getPrincipals().remove(GIDPrincipal);
> 482: }
> 483: if (supplementaryGroups != null) {

This line is harmless, but you could take it out as supplementaryGroups is never null.

src/jdk.security.auth/share/classes/com/sun/security/auth/module/UnixLoginModule.java line 289:

> 287: subject.getPrincipals().remove(GIDPrincipal);
> 288: }
> 289: if (supplementaryGroups != null) {

This line is harmless, but you could take it out as supplementaryGroups is never null.

-------------

PR: https://git.openjdk.org/jdk/pull/9348