IBM Support

PI69325: OAUTH EMITS NULLPOINTEREXCEPTION WHEN NO STATE PARAMETER IN REQUEST

APAR status

  • Closed as program error.

Error description

  • The following error stack might occur when using OAuth:
    [9/13/16 16:44:07:936 EDT] 000000dd ServletWrappe E
    com.ibm.ws.webcontainer.servlet.ServletWrapper service
    SRVE0068E: An exception was thrown by one of the service
    methods of the servlet [OAuth20EndpointServlet] in application
    [WebSphereOauth20SP]. Exception created :
    [java.lang.NullPointerException
    at java.net.URLEncoder.encode(URLEncoder.java:225)
    at java.net.URLEncoder.encode(URLEncoder.java:189)
    at com.ibm.ws.security.oauth20.form.FormRenderer.renderForm(FormRenderer.java:97)
    at com.ibm.ws.security.oauth20.web.OAuth20EndpointServlet.renderConsentForm(OAuth20EndpointServlet.java:718)
    at com.ibm.ws.security.oauth20.web.OAuth20EndpointServlet.processAuthorizationRequest(OAuth20EndpointServlet.java:233)
    

Local fix

  • N/A
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  IBM WebSphere Application Server users of   *
    *                  OAuth                                       *
    ****************************************************************
    * PROBLEM DESCRIPTION: If the OAuth provider receives          *
    *                      a request that does not contain a       *
    *                      state parameter, an NPE may occur.      *
    ****************************************************************
    * RECOMMENDATION:  Install a fix pack or interim fix that      *
    *                  contains this APAR.                         *
    ****************************************************************
    If the OAuth provider receives a request that does not contain
    a state parameter, a NullPointerException may occur. You might
    see an entry like the following in SystemOut.log:
    [9/30/16 9:40:02:411 EDT] 000001af ServletWrappe E
    com.ibm.ws.webcontainer.servlet.ServletWrapper service
    SRVE0068E: An exception was thrown by one of the service
    methods of the servlet [OAuth20EndpointServlet] in application
    [WebSphereOauth20SP]. Exception created :
    [java.lang.NullPointerException
    at java.net.URLEncoder.encode(URLEncoder.java:197)
    at java.net.URLEncoder.encode(URLEncoder.java:161)
    at com.ibm.ws.security.oauth20.form.FormRenderer.renderForm(FormRenderer.java:97)
    at com.ibm.ws.security.oauth20.web.OAuth20EndpointServlet.renderConsentForm(OAuth20EndpointServlet.java:718)
    at com.ibm.ws.security.oauth20.web.OAuth20EndpointServlet.processAuthorizationRequest(OAuth20EndpointServlet.java:233)
    at com.ibm.ws.security.oauth20.web.OAuth20EndpointServlet.doPost(OAuth20EndpointServlet.java:158)
    at com.ibm.ws.security.oauth20.web.OAuth20EndpointServlet.doGet(OAuth20EndpointServlet.java:129)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:575)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:668)
    ...
    

Problem conclusion

  • If the OAuth request has no state parameter, a null is
    passed to the URLEncoder.encode method.  Depending on the
    JDK, that method may throw a NullPointerException when it
    receives a null argument.
    
    The OAuth provider is updated so that it does not attempt to
    encode the state parameter when it is absent.
    
    When a fix pack containing this APAR is installed, the fix
    will not be active until the installed OAuth application,
    WebSphereOauth20SP.ear, is updated from the
    (WAS_HOME)/installableApps directory.
    
    The fix for this APAR is currently targeted for inclusion in
    fix packs 7.0.0.43, 8.0.0.13, 8.5.5.11 and 9.0.0.2.  Please
    refer to the Recommended Updates page for delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
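
The null handling described in the problem conclusion, as an added Java illustration (not IBM's FormRenderer code; the class name, method names and sample request values are hypothetical). The unguarded builder passes a missing state value straight to URLEncoder.encode, while the guarded builder leaves absent optional parameters out.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.util.LinkedHashMap;
import java.util.Map;

// Added illustration; hypothetical names, not the product's source.
public class OptionalParamEncoding {

    // Before: every listed parameter is encoded, even one the client never sent.
    static String buildUnguarded(Map<String, String> params, String... names)
            throws UnsupportedEncodingException {
        StringBuilder sb = new StringBuilder();
        for (String name : names) {
            if (sb.length() > 0) sb.append('&');
            // params.get(name) is null for a missing parameter; encode(null, ...) may throw NPE.
            sb.append(name).append('=').append(URLEncoder.encode(params.get(name), "UTF-8"));
        }
        return sb.toString();
    }

    // After: a parameter that is absent from the request is skipped, not encoded.
    static String buildGuarded(Map<String, String> params, String... names)
            throws UnsupportedEncodingException {
        StringBuilder sb = new StringBuilder();
        for (String name : names) {
            String value = params.get(name);
            if (value == null) continue;
            if (sb.length() > 0) sb.append('&');
            sb.append(name).append('=').append(URLEncoder.encode(value, "UTF-8"));
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed authorization request that carries no state parameter.
        Map<String, String> request = new LinkedHashMap<>();
        request.put("client_id", "client01");
        request.put("redirect_uri", "https://client.example/cb");
        String[] names = {"client_id", "redirect_uri", "state"};

        try {
            System.out.println("unguarded: " + buildUnguarded(request, names));
        } catch (NullPointerException e) {
            System.out.println("unguarded: NullPointerException while encoding state");
        }
        System.out.println("guarded:   " + buildGuarded(request, names));

        request.put("state", "a b&c=d"); // constructed state value with reserved characters
        System.out.println("guarded:   " + buildGuarded(request, names));
    }
}
```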
    

Temporary fix

Comments

APAR Information

  • APAR number

    PI69325

  • Reported component name

    WEBSPHERE APP S

  • Reported component ID

    5724J0800

  • Reported release

    850

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2016-09-16

  • Closed date

    2016-10-05

  • Last modified date

    2019-01-31

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBSPHERE APP S

  • Fixed component ID

    5724J0800

Applicable component levels

  • R700 PSY

       UP

  • R800 PSY

       UP

  • R850 PSY

       UP

  • R900 PSY

       UP



Document information

More support for: WebSphere Application Server
General

Software version: 850

Reference #: PI69325

Modified date: 31 January 2019