Exception in elytron with wildlfy 35.0.1

[Mike Douglass]

I'm seeing this exception running tests using selenium on wildfly 35.0.1. These test rans succesfully on wildfly 26.x

Access log:

- - - [[05/Mar/2025:17:17:24 -0500]] "GET /eventsubmit/event/initPendingEvents.do?b=de&listMode=true&searchLimits=none&fexpr=(colPath="%2Fpublic%2Funbrowsable%2Fsubmissions%2Fsubmissions") HTTP/1.1" 500 11419 "http://localhost:8080/eventsubmit/main/showMain.rdo" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:135.0) Gecko/20100101 Firefox/135.0"

Exception:

2025-03-05 17:17:24,929 ERROR [io.undertow.request] (default task-9) UT005023: Exception handling request to /eventsubmit/event/initPendingEvents.do: java.lang.NullPointerException: Cannot invoke "java.net.URI.toString()" because the return value of "org.wildfly.security.http.HttpServerRequest.getRequestURI()" is null
at org.wildfly.ex...@27.0.1.Final//org.wildfly.extension.elytron.HttpServerDefinitions.lambda$getRequestInformationHashMap$0(HttpServerDefinitions.java:244)
at org.wildfly.secu...@2.6.0.Final//org.wildfly.security.http.util.SetRequestInformationCallbackMechanismFactory$1.evaluateRequest(SetRequestInformationCallbackMechanismFactory.java:77)
at org.wildfly.secu...@2.6.0.Final//org.wildfly.security.auth.server.SecurityIdentityServerMechanismFactory$1.evaluateRequest(SecurityIdentityServerMechanismFactory.java:85)
at org.wildfly.secu...@2.6.0.Final//org.wildfly.security.http.HttpAuthenticator$AuthenticationExchange.authenticate(HttpAuthenticator.java:326)
at org.wildfly.secu...@2.6.0.Final//org.wildfly.security.http.HttpAuthenticator$AuthenticationExchange.access$800(HttpAuthenticator.java:296)
at org.wildfly.secu...@2.6.0.Final//org.wildfly.security.http.HttpAuthenticator.authenticate(HttpAuthenticator.java:93)
at org.wildfly.security.ely...@4.1.0.Final//org.wildfly.elytron.web.undertow.server.SecurityContextImpl.authenticate(SecurityContextImpl.java:107)
at org.wildfly.security.elytron...@4.1.0.Final//org.wildfly.elytron.web.undertow.server.servlet.ServletSecurityContextImpl.authenticate(ServletSecurityContextImpl.java:117)
...

It seems to be reproducible by rerunning the tests but I currently have no idea what's causing it. It at least seems to suggest a check for null might be appropriate somewhere.

What would cause:

value of "org.wildfly.security.http.HttpServerRequest.getRequestURI()" is null?

[Bartosz Baranowski]

Hey Mike

Can you please attach either reproducer or detailed step by step guide how to reproduce?

[Michael Douglass]

On 3/10/25 04:02, Bartosz Baranowski wrote:

Hey Mike

Can you please attach either reproducer or detailed step by step guide how to reproduce?

I'm hoping to track it down. It's one of a number of failures i started t get after th eupgrade from wildfly 26 to 35. Surprised that any activity from my end would cause an npe.

At the moment I'm tracking down a hibernate "Found shared references to a collection" which just turned up. Presumably part of the move to hibernate 6.

--
You received this message because you are subscribed to the Google Groups "WildFly" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wildfly+u...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/wildfly/b00645d7-e512-4f29-bc08-d82e34f81d09n%40googlegroups.com.

[Yuri Ne]

Hi guys.

Found this thread while investigating the same error I got in JBoss 7.4.20 after upgrade from 7.4.15.

Had to debug and found that in my case this is caused by presense of [ char in query string of a GET request.

Came to a conclusion it's a JBoss behavior change in undertow-server-1.9.4.Final.

org.wildfly.elytron.web.undertow.server.ElytronHttpExchange#getRequestURI reconstructs URI from pieces and then creates java.net.URI which throws exception saying "Illegal character in query at index ...". The exception is caught and null is returned.

It was really difficult to find this, hope this helps.

--

[Yuri Ne]

Or maybe not a behavior change, now I realized it's ElytronHttpExchange class and my project just switched to Elytron along with this upgrade. So this code might be there long ago.

Correcting myself: char was { , but basically it can be any invalid query string. In original example it's 2nd = here fexpr=(colPath=

Per this https://access.redhat.com/solutions/2891171 I suppose it should've been 400 Bad Request instead of 500 NPE.

[Michael Douglass]

On 3/11/25 19:00, 'Yuri Ne' via WildFly wrote:

Or maybe not a behavior change, now I realized it's ElytronHttpExchange class and my project just switched to Elytron along with this upgrade. So this code might be there long ago.

Correcting myself: char was { , but basically it can be any invalid query string. In original example it's 2nd = here fexpr=(colPath=

Spot on - set a breakpoint and things were exactly as you outlined below.

It's true - that second '=' should be encoded. This has been around since before wildfly and there are other calls in the access log with the same format - none of which cause any issues - so a bit confusing.

Definitely should be bad request.

Thanks for the pointer

--

You received this message because you are subscribed to the Google Groups "WildFly" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wildfly+u...@googlegroups.com.

To view this discussion visit https://groups.google.com/d/msgid/wildfly/050ad4cf-80c6-4ae1-bf7c-daaaa1cebbc3n%40googlegroups.com.

[Aaron Ogburn]

This is a known issue being tracked by:

Wildfly: https://issues.redhat.com/browse/WFLY-20433

EAP 8.1: https://issues.redhat.com/browse/JBEAP-29572

EAP 8.0: https://issues.redhat.com/browse/JBEAP-29571

EAP 7.4: https://issues.redhat.com/browse/JBEAP-29573

[Mike Douglass]

This bug still seems to be present in wildfly 36.

This url

GET /eventsubmit/event/initPendingEvents.do?b=de&listMode=true&searchLimits=none&fexpr=(colPath%3d%22%2Fpublic%2Funbrowsable%2Fsubmissions%2Fsubmissions%22) HTTP/1.1

which appears in the log as

- - - [[17/Apr/2025:12:41:54 -0400]] "GET /eventsubmit/event/initPendingEvents.do?b=de&listMode=true&searchLimits=none&fexpr=(colPath="%2Fpublic%2Funbrowsable%2Fsubmissions%2Fsubmissions") HTTP/1.1" 500 11419 "http://localhost:8080/eventsubmit/main/showMain.rdo?refreshXslt=yes" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:137.0) Gecko/20100101 Firefox/137.0"

(Note the unencoded '=' in the fexpr parameter value

causes the same exception.

Apparently it's fixed according to https://issues.redhat.com/browse/ELYWEB-252

Presumably it needs a later elytron?

[Aaron Ogburn]

The fix was committed to Elytron Web.  It's still an open task to then update to a newer fixed Elytron Web in wildfly core (which will then be released in a new wildfly):

https://issues.redhat.com/browse/WFCORE-7219

You received this message because you are subscribed to a topic in the Google Groups "WildFly" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/wildfly/Bt1o0jXdhiQ/unsubscribe.
To unsubscribe from this group and all its topics, send an email to wildfly+u...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/wildfly/bd16c106-f8f4-4d38-98a3-2e1a4071b462n%40googlegroups.com.

[Mike Douglass]

Any chance this can be in a 36.0.1 release?

I downloaded and installed undertow-server-servlet-4.1.2.Final.jar and undertow-server-4.1.2.Final.jar in my installed 36.0.0 and the problem does appear to be fixed.

Thank you