Hi all,
it seems that in CAS 6.x (tested against latest 6.0.x and 6.1.0-RC4 tree), adaptive mfa flow is triggered also during the ticket validation process. As a consequence, when checking if agent matches the allowed pattern, ticket validation fails with the following NPE, as agent is null:

2019-05-27 10:07:42,181 WARN [org.apereo.cas.web.AbstractServiceValidateController] - <null>
[2019-05-27 10:07:42] [info] java.lang.NullPointerException: null
[2019-05-27 10:07:42] [info] at org.apereo.cas.authentication.trigger.AdaptiveMultifactorAuthenticationTrigger.checkUserAgentOrClientIp(AdaptiveMultifactorAuthenticationTrigger.java:99) ~[cas-server-core-authentication-mfa-api-6.1.0-RC4-SNAPSHOT.jar:6.1.0-RC4-SNAPSHOT]
[2019-05-27 10:07:42] [info] at org.apereo.cas.authentication.trigger.AdaptiveMultifactorAuthenticationTrigger.isActivated(AdaptiveMultifactorAuthenticationTrigger.java:87) ~[cas-server-core-authentication-mfa-api-6.1.0-RC4-SNAPSHOT.jar:6.1.0-RC4-SNAPSHOT]

By checking if agent
is null before calling checkUserAgentOrClientIp (or before checking if
agent matches the allowed pattern), the NPE goes away and ticket
validation succeeds. However, IMHO, I think that the adaptive mfa
flow shouldn’t be triggered at all when accessing ticketing
validation endpoints…
Any thoughts?
Thanks in advance,
Pavlos
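
Added example, not part of the original post and not CAS source code: a self-contained sketch of null-safe agent/IP matching, in which a request without a User-Agent header (such as a back-channel ticket validation call) no longer throws, while client-IP rules are still evaluated. The class name, method names, patterns and the provider id are hypothetical and constructed for illustration.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Optional;
import java.util.regex.Pattern;

// Hypothetical class for illustration; this is not the CAS implementation.
public class AdaptiveTriggerSketch {
    // Compiled pattern -> MFA provider id to require when it matches.
    private final Map<Pattern, String> rules = new LinkedHashMap<>();

    public AdaptiveTriggerSketch(Map<String, String> requireMultifactor) {
        requireMultifactor.forEach((k, v) -> rules.put(Pattern.compile(k), v));
    }

    // A missing value never matches, instead of raising a NullPointerException.
    private static boolean matches(Pattern pattern, String value) {
        return value != null && pattern.matcher(value).find();
    }

    // Returns the provider to require, or empty when no rule applies.
    // A null user agent does not short-circuit the client-IP check.
    public Optional<String> resolveProvider(String userAgent, String clientIp) {
        for (Map.Entry<Pattern, String> rule : rules.entrySet()) {
            if (matches(rule.getKey(), userAgent) || matches(rule.getKey(), clientIp)) {
                return Optional.of(rule.getValue());
            }
        }
        return Optional.empty();
    }

    public static void main(String[] args) {
        // Constructed sample rules and requests.
        Map<String, String> cfg = new LinkedHashMap<>();
        cfg.put("MSIE", "mfa-example");
        cfg.put("^203\\.0\\.113\\.", "mfa-example");
        AdaptiveTriggerSketch trigger = new AdaptiveTriggerSketch(cfg);

        // Browser login whose agent matches a rule.
        System.out.println(trigger.resolveProvider("Mozilla/4.0 (compatible; MSIE 8.0)", "198.51.100.7"));
        // Validation call with no User-Agent and an IP outside the rules.
        System.out.println(trigger.resolveProvider(null, "198.51.100.7"));
        // No User-Agent, but the client IP matches a rule.
        System.out.println(trigger.resolveProvider(null, "203.0.113.9"));
    }
}
```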