0010777: OBContext should be created before authentication check

Description

DAL uses the OBContext object to perform security check. OBContext holds information about the authenticated user.

If some custom authentication manager wants to perform data access through DAL, you get a NPE, because the OBContext is not created yet.

Example of the exception:
148962 [http-8880-1] ERROR org.openbravo.erpCommon.security.Menu - HTTPSecureAppServlet.service() - exception caught:
java.lang.NullPointerException
    at org.openbravo.dal.service.OBDal.checkReadAccess(OBDal.java:400)
    at org.openbravo.dal.service.OBDal.checkReadAccess(OBDal.java:390)
    at org.openbravo.dal.service.OBDal.get(OBDal.java:158)
    at org.openbravo.authentication.basic.AutologonAuthenticationManager.authenticate(AutologonAuthenticationManager.java:64)
    at org.openbravo.base.secureApp.HttpSecureAppServlet.service(HttpSecureAppServlet.java:182)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.openbravo.utils.SessionExpirationFilter.doFilter(SessionExpirationFilter.java:66)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.openbravo.utils.CharsetFilter.doFilter(CharsetFilter.java:35)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.openbravo.dal.core.DalRequestFilter$1.doAction(DalRequestFilter.java:79)
    at org.openbravo.dal.core.ThreadHandler.run(ThreadHandler.java:46)
    at org.openbravo.dal.core.DalRequestFilter.doFilter(DalRequestFilter.java:93)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:845)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
    at java.lang.Thread.run(Thread.java:619)

Steps To Reproduce

* Configure the Autologon authentication manager
- Open your Openbravo.properties
- Change the this 2 properties:
  authentication.class=org.openbravo.authentication.basic.AutologonAuthenticationManager
  authentication.autologon.username=Openbravo

* Apply the attached patch
  path -p1 < /path/to/your/AutologonAuthenticationManager.java.diff

* Compile the application and deploy the changes

* Login Openbravo

* Check the application log for a NPE related to org.openbravo.dal.service.OBDal.checkReadAccess

Proposed Solution

* Create the OBContext and set it to system administrator before the authentication

Tags

No tags attached.

Attached Files

AutologonAuthenticationManager.java.diff [^] (1,162 bytes) 2009-09-25 14:10 [Show Content] [Hide Content]

diff --git a/src/org/openbravo/authentication/basic/AutologonAuthenticationManager.java b/src/org/openbravo/authentication/basic/AutologonAuthenticationManager.java
--- a/src/org/openbravo/authentication/basic/AutologonAuthenticationManager.java
+++ b/src/org/openbravo/authentication/basic/AutologonAuthenticationManager.java
@@ -24,7 +24,9 @@
 import org.openbravo.authentication.AuthenticationManager;
 import org.openbravo.base.ConfigParameters;
 import org.openbravo.base.HttpBaseUtils;
+import org.openbravo.dal.service.OBDal;
 import org.openbravo.database.ConnectionProvider;
+import org.openbravo.model.ad.access.User;
 
 /**
  * 
@@ -59,6 +61,9 @@
   public String authenticate(HttpServletRequest request, HttpServletResponse response)
       throws AuthenticationException, ServletException, IOException {
 
+    User u = OBDal.getInstance().get(User.class, "100");
+    System.out.println("Username:" + u.getUsername());
+
     if (m_sUserId == null || m_sUserId.equals("") || m_sUserId.equals("-1")) {
       if (m_sAutologonUsername == null || m_sAutologonUsername.equals("")) {
         throw new AuthenticationException("Autologon user emtpy.");

Relationships [ Relation Graph ] [ Dependency Graph ]

Notes
(0020375) iperdomo (viewer) 2009-09-25 15:01	The patch on the Autologon prints in the standard out (catalina.out) the username with Id 100. Something like: Username:Openbravo Username:Openbravo Username:Openbravo Username:Openbravo If you get this output, means that the issue is fixed.

(0020388) hgbot (developer) 2009-09-28 10:45	Repository: erp/devel/pi Changeset: e6579ce4100fc6c49ef8b28fc6b8fbd24d521212 Author: Iván Perdomo <ivan.perdomo <at> openbravo.com> Date: Mon Sep 28 10:41:51 2009 +0200 URL: http://code.openbravo.com/erp/devel/pi/rev/e6579ce4100fc6c49ef8b28fc6b8fbd24d521212 [^] Fixes issue 10777: Set AdminContext before authentication when is not present --- M src/org/openbravo/base/secureApp/HttpSecureAppServlet.java ---

(0020518) hgbot (developer) 2009-09-29 14:18	Repository: erp/devel/pi-pageddatagrid Changeset: e6579ce4100fc6c49ef8b28fc6b8fbd24d521212 Author: Iván Perdomo <ivan.perdomo <at> openbravo.com> Date: Mon Sep 28 10:41:51 2009 +0200 URL: http://code.openbravo.com/erp/devel/pi-pageddatagrid/rev/e6579ce4100fc6c49ef8b28fc6b8fbd24d521212 [^] Fixes issue 10777: Set AdminContext before authentication when is not present --- M src/org/openbravo/base/secureApp/HttpSecureAppServlet.java ---

(0021160) mtaal (viewer) 2009-10-19 11:12	Issue closed

Issue History
Date Modified	Username	Field	Change
2009-09-25 14:10	iperdomo	New Issue
2009-09-25 14:10	iperdomo	Assigned To	=> iperdomo
2009-09-25 14:10	iperdomo	File Added: AutologonAuthenticationManager.java.diff
2009-09-25 14:10	iperdomo	OBNetwork customer	=> No
2009-09-25 14:11	iperdomo	Priority	high => urgent
2009-09-25 14:11	iperdomo	Status	new => scheduled
2009-09-25 14:11	iperdomo	fix_in_branch	=> pi
2009-09-25 15:01	iperdomo	Note Added: 0020375
2009-09-25 16:14	shuehner	Issue Monitored: shuehner
2009-09-28 10:45	hgbot	Checkin
2009-09-28 10:45	hgbot	Note Added: 0020388
2009-09-28 10:45	hgbot	Status	scheduled => resolved
2009-09-28 10:45	hgbot	Resolution	open => fixed
2009-09-28 10:45	hgbot	Fixed in SCM revision	=> http://code.openbravo.com/erp/devel/pi/rev/e6579ce4100fc6c49ef8b28fc6b8fbd24d521212 [^]
2009-09-29 14:18	hgbot	Checkin
2009-09-29 14:18	hgbot	Note Added: 0020518
2009-09-29 14:18	hgbot	Fixed in SCM revision	http://code.openbravo.com/erp/devel/pi/rev/e6579ce4100fc6c49ef8b28fc6b8fbd24d521212 [^] => http://code.openbravo.com/erp/devel/pi-pageddatagrid/rev/e6579ce4100fc6c49ef8b28fc6b8fbd24d521212 [^]
2009-10-19 11:12	mtaal	Status	resolved => closed
2009-10-19 11:12	mtaal	Note Added: 0021160
2009-10-19 11:12	mtaal	Fixed in Version	=> 2.50MP7
2009-10-20 00:00	anonymous	sf_bug_id	0 => 2882005