Anyone been hit by the NPE bug when using JNDIRealm/ActiveDirectory in Tomcat 9.0.46 and have a workaround?
Context
I had to upgrade from 9.0.43 due to a concurrency bug where the socket input stream gets corrupted (and mixes up request bodies) when keep-alive/re-use is enabled. The log was filled with "Error parsing HTTP request header" and "HTTP method names must be tokens 000x000x000x000x000x...", etc. After upgrading to 9.0.46 this issue is resolved, but now our ActiveDirectory login is broken instead.
Log
17-May-2021 14:31:49.405 INFO [Catalina-tomcat-workers-thread7] org.apache.catalina.realm.JNDIRealm.authenticate Exception performing authentication. Retrying...
java.lang.NullPointerException
    at org.apache.catalina.realm.JNDIRealm.doAttributeValueEscaping(JNDIRealm.java:2884)
    at org.apache.catalina.realm.JNDIRealm.getRoles(JNDIRealm.java:1892)
    at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:1350)
    at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:1232)
    at org.apache.catalina.realm.CombinedRealm.authenticate(CombinedRealm.java:191)
    at org.apache.catalina.realm.CombinedRealm.authenticate(CombinedRealm.java:191)
    at org.apache.catalina.realm.LockOutRealm.authenticate(LockOutRealm.java:154)
    at org.apache.catalina.authenticator.BasicAuthenticator.doAuthenticate(BasicAuthenticator.java:101)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:632)
Bug
According to the bug report (https://bz.apache.org/bugzilla/show_bug.cgi?id=65308) there is an issue with userRoleAttribute being empty/null. Guess that won't get released for another 3-4 weeks.
The Tomcat documentation (https://tomcat.apache.org/tomcat-9.0-doc/realm-howto.html#JNDIRealm) says that:
roleSearch - the LDAP search filter for selecting role entries.
It optionally includes pattern replacements "{0}" for the distinguished name and/or "{1}" for the username and/or "{2}" for an attribute from user's directory entry, of the authenticated user.
Use userRoleAttribute to specify the name of the attribute that provides the value for "{2}".
I'm not using "{2}" in the roleSearch attribute so I don't have a need to set userRoleAttribute. I have nevertheless tried to set it to something non-empty, but to no avail.
I need a workaround until such time as they release 9.0.47. Any takers?
Since you already did the heavy lifting of finding a patch, the easiest "workaround" is to patch the class affected by the bug.
You just need to compile the patched JNDIRealm.java file and put the resulting class files under $CATALINA_BASE/lib/org/apache/catalina/realm. Due to the way the common loader is configured, the class files will override the corresponding classes in the catalina.jar.