Fix (APAR): PI69325
Status: Fix
Release: 8.5.5.10,8.5.5.9,8.5.5.8,8.5.5.7,8.5.5.6,8.5.5.5,8.5.5.4,8.5.5.3,8.5.5.2
Operating System: AIX,HP-UX,IBM i,Linux,OS X,Solaris,Windows,z/OS
Supersedes Fixes: PI29634 PI49272
CMVC Defect: xxxxxx
Byte size of APAR: 295624
Date: 2016-10-05

Abstract: oauth emits nullpointerexception when no state parameter in request

Description/symptom of problem:
PI69325 resolves the following problem:

ERROR DESCRIPTION:
The following error stack might occur when using OAuth:

[9/13/16 16:44:07:936 EDT] 000000dd ServletWrappe E com.ibm.ws.webcontainer.servlet.ServletWrapper service SRVE0068E: An exception was thrown by one of the service methods of the servlet [OAuth20EndpointServlet] in application [WebSphereOauth20SP]. Exception created : [java.lang.NullPointerException
    at java.net.URLEncoder.encode(URLEncoder.java:225)
    at java.net.URLEncoder.encode(URLEncoder.java:189)
    at com.ibm.ws.security.oauth20.form.FormRenderer.renderForm(FormRenderer.java:97)
    at com.ibm.ws.security.oauth20.web.OAuth20EndpointServlet.renderConsentForm(OAuth20EndpointServlet.java:718)
    at com.ibm.ws.security.oauth20.web.OAuth20EndpointServlet.processAuthorizationRequest(OAuth20EndpointServlet.java:233)

LOCAL FIX:
N/A

PROBLEM SUMMARY
USERS AFFECTED:
IBM WebSphere Application Server users of OAuth

PROBLEM DESCRIPTION:
If the OAuth provider receives a request that does not contain a state parameter, an NPE may occur.

RECOMMENDATION:
Install a fix pack or interim fix that contains this APAR.

If the OAuth provider receives a request that does not contain a state parameter, a NullPointerException may occur. You might see an entry like the following in SystemOut.log:

[9/30/16 9:40:02:411 EDT] 000001af ServletWrappe E com.ibm.ws.webcontainer.servlet.ServletWrapper service SRVE0068E: An exception was thrown by one of the service methods of the servlet [OAuth20EndpointServlet] in application [WebSphereOauth20SP].
Exception created : [java.lang.NullPointerException
    at java.net.URLEncoder.encode(URLEncoder.java:197)
    at java.net.URLEncoder.encode(URLEncoder.java:161)
    at com.ibm.ws.security.oauth20.form.FormRenderer.renderForm(FormRenderer.java:97)
    at com.ibm.ws.security.oauth20.web.OAuth20EndpointServlet.renderConsentForm(OAuth20EndpointServlet.java:718)
    at com.ibm.ws.security.oauth20.web.OAuth20EndpointServlet.processAuthorizationRequest(OAuth20EndpointServlet.java:233)
    at com.ibm.ws.security.oauth20.web.OAuth20EndpointServlet.doPost(OAuth20EndpointServlet.java:158)
    at com.ibm.ws.security.oauth20.web.OAuth20EndpointServlet.doGet(OAuth20EndpointServlet.java:129)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:575)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:668)
    ...

PROBLEM CONCLUSION:
If there is no state parameter in the OAuth request, a null is passed to the URLEncoder.encode method. Depending on the JDK, that method may emit a NullPointerException when it receives a null parameter.

The OAuth provider is updated to not attempt to encode the state parameter if it does not exist.

The fix for this APAR is currently targeted for inclusion in fix packs 7.0.0.43, 8.0.0.13, 8.5.5.11 and 9.0.0.2. Please refer to the Recommended Updates page for delivery information:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980

Directions to apply fix:

Fix applies to Editions:
Release 8.5
_X_ Application Server (Express or BASE)
_X_ Network Deployment (ND)
__ Liberty Core
__ Edge Components
__ Developer

Install Fix to all WebSphere installations unless special instructions are included below.

Special Instructions: None

NOTE: The user must:
* Be logged in with the same authority level when unpacking a fix, fix pack or refresh pack.
* Be at V1.4.3 or newer of the Installation Manager.
Certain iFixes may require a newer version of the Installation Manager, and the Installation Manager will inform you during the installation process if a newer version is required.

The IBM Knowledge Center can provide details, if needed, on the use of the Installation Manager to apply the iFixes:
http://publib.boulder.ibm.com/infocenter/install/v1r4/index.jsp

Shut down WebSphere Application Server before applying the iFixes.
Restart WebSphere Application Server after applying the iFixes.

Directions to remove fix:
The IBM Knowledge Center can provide details, if needed, on the use of the Installation Manager to remove the iFixes:
http://publib.boulder.ibm.com/infocenter/install/v1r4/index.jsp

Shut down WebSphere Application Server before removing the iFixes.
Restart WebSphere Application Server after removing the iFixes.

Directions to re-apply fix:
1) Shut down WebSphere Application Server.
2) Follow the Fix instructions to apply the fix.
3) Restart WebSphere Application Server.

Additional Information:
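
The following is an added example, not part of IBM's readme or IBM code: a Python scan of SystemOut.log text for the SRVE0068E entry shown above, to confirm whether a server is hitting this defect before and after the fix is applied. The function names and the sample log are constructed for illustration; the signature strings are taken from the stack trace in this readme.

```python
import re

# Start of a SystemOut.log entry, e.g. "[9/30/16 9:40:02:411 EDT] 000001af ".
ENTRY_START = re.compile(
    r"^\[(\d{1,2}/\d{1,2}/\d{2} \d{1,2}:\d{2}:\d{2}:\d{3} \w+)\] ([0-9a-f]{8}) ")

# Signature from the readme's stack trace, in order of appearance. Matching is
# done with whitespace removed so frames wrapped mid-name still match.
MARKERS = ("SRVE0068E", "[OAuth20EndpointServlet]",
           "java.lang.NullPointerException",
           "atjava.net.URLEncoder.encode(",
           "atcom.ibm.ws.security.oauth20.form.FormRenderer.renderForm(")

def split_entries(text):
    """Attach continuation lines (stack frames) to the entry that starts them."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_START.match(line)
        if m:
            entries.append({"time": m.group(1), "thread": m.group(2), "body": line})
        elif entries:
            entries[-1]["body"] += "\n" + line
    return entries

def find_pi69325(text):
    """Return (timestamp, thread id) of every entry carrying the full signature."""
    hits = []
    for entry in split_entries(text):
        squashed = re.sub(r"\s+", "", entry["body"])
        pos = 0
        for marker in MARKERS:
            pos = squashed.find(marker, pos)
            if pos < 0:
                break
        else:  # every marker was found, in order
            hits.append((entry["time"], entry["thread"]))
    return hits

# Constructed sample input: one entry modelled on the readme's trace (with one
# frame wrapped mid-name) and one unrelated servlet error that must not match.
SAMPLE_LOG = """\
[9/30/16 9:40:02:411 EDT] 000001af ServletWrappe E com.ibm.ws.webcontainer.servlet.ServletWrapper service SRVE0068E: An exception was thrown by one of the service methods of the servlet [OAuth20EndpointServlet] in application [WebSphereOauth20SP]. Exception created : [java.lang.NullPointerException
    at java.net.URLEncoder.encode(URLEncoder.java:197)
    at java.net.URLEncoder.encode(URLEncoder.java:161)
    at com.ibm.ws.security.oauth20.form.FormRen
derer.renderForm(FormRenderer.java:97)
[9/30/16 9:41:10:007 EDT] 000001b2 ServletWrappe E com.ibm.ws.webcontainer.servlet.ServletWrapper service SRVE0068E: An exception was thrown by one of the service methods of the servlet [ExampleServlet] in application [ExampleApp]. Exception created : [java.lang.NullPointerException
    at com.example.ExampleServlet.doGet(ExampleServlet.java:42)
"""

if __name__ == "__main__":
    for when, thread in find_pi69325(SAMPLE_LOG):
        print(f"PI69325 signature at {when} on thread {thread}")
```

Hits that continue to appear after the fix pack or interim fix is installed indicate a server that was not restarted or an installation that did not receive the fix.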