eclipse-vertx/vertx-auth

UserConverter NPE when User.authorizations() returns null

jpenglert opened this issue · 4 comments

Version

4.3.7

Context

UserImpl has a default constructor which does not initialize its authorizations field. The UserConverter class expects User.authorizations() to return a non-null value. If an instance of UserImpl is constructed using the default constructor and then later serialized (since it implements ClusterSerializable), it will result in an NPE when it delegates serialization to UserConverter, because UserConverter does not perform a null check.

I encountered this with the Pac4jUser class from org.pac4j:vertx-pac4j which extends UserImpl and implements the default constructor which leaves the authorizations field null. The VertxProfileManager from org.pac4j:vertx-pac4j uses the Pac4jUser default constructor.

Seems like UserConverter should check if User.authorizations() returns null before attempting to serialize it.

Do you have a reproducer?

UserConverter.encode(new UserImpl());

Steps to reproduce

  1. Run UserConverter.encode(new UserImpl()); in a unit test

Extra

I'll make a PR for this.

See PR #639

@pmlopes is it possible to get this in a 4.x release? This is blocking an upgrade of one of our microservices from 3.x -> 4.x.

Fixed in #653