Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Assert WebSession is not null #14977

Closed
wants to merge 1 commit into from
Closed

Assert WebSession is not null #14977

wants to merge 1 commit into from

Conversation

dukbong
Copy link
Contributor

@dukbong dukbong commented Apr 27, 2024
edited
Loading

Original Code:

The getAuthorizedClients method retrieves a map of OAuth2 authorized clients from a WebSession. In the original code, if the session is null, the method assigns a default empty HashMap. This code does not explicitly assert that WebSession cannot be null, potentially leading to silent failures or unexpected behavior.

Closes #14975

Suggested Refactoring:

To ensure robustness and improve error handling, you can refactor the method by adding an assertion to prevent a null session. This approach uses Assert.notNull to raise an exception with a clear error message if the WebSession is null, helping developers quickly identify and fix the problem.

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Apr 27, 2024
@dukbong dukbong changed the title Improving Code Readability and Efficiency: Refactoring Redundant Conditionals Improving Null Safety and Code Consistency: Refactoring getAuthorizedClients(WebSession session) Apr 27, 2024
@dukbong dukbong changed the title Improving Null Safety and Code Consistency: Refactoring getAuthorizedClients(WebSession session) Bugfix Null Safety and Code Consistency: Refactoring getAuthorizedClients(WebSession session) Apr 28, 2024
@sjohnr
Copy link
Member

sjohnr commented May 2, 2024

Hi @dukbong, thanks for the PR!

Just a heads up, I closed the original issue with this explanation. I appreciate what you're doing in this change by asserting the session cannot be null. I'm wondering though if this change is absolutely necessary?

This code does not explicitly assert that WebSession cannot be null, potentially leading to silent failures or unexpected behavior.

Can you explain the situation in which this would occur (other than the invalid configuration referred to in the original issue)?

@sjohnr sjohnr self-assigned this May 2, 2024
@dukbong
Copy link
Contributor Author

dukbong commented May 2, 2024
edited
Loading

Hi @dukbong, thanks for the PR!

Just a heads up, I closed the original issue with this explanation. I appreciate what you're doing in this change by asserting the session cannot be null. I'm wondering though if this change is absolutely necessary?

This code does not explicitly assert that WebSession cannot be null, potentially leading to silent failures or unexpected behavior.

Can you explain the situation in which this would occur (other than the invalid configuration referred to in the original issue)?

Hi @sjohnr

Initially, I planned to submit a pull request to address the issue, but as I reviewed the code, I found the structure to be questionable, prompting a change in direction.

The getAuthorizedClient function is written with the assumption that the session might be null.
However, if the session is null, this leads to an exception in the saveAuthorizedClient function.
To prevent this, I believe it's better to ensure the session isn't null either in the getAuthorizedClient function or in the doOnSuccess block.

Based on these observations, I created a pull request to address the issue.

  • Your feedback is invaluable for my growth and learning.

sjohnr
sjohnr requested changes May 3, 2024
View reviewed changes
Copy link
Member

@sjohnr sjohnr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the PR @dukbong. In addition to the feedback inline below, can you please add a test that asserts an IllegalArgumentException is thrown when WebSession is null?

...work/security/oauth2/client/web/server/WebSessionServerOAuth2AuthorizedClientRepository.java Outdated Show resolved Hide resolved
...work/security/oauth2/client/web/server/WebSessionServerOAuth2AuthorizedClientRepository.java Show resolved Hide resolved
...work/security/oauth2/client/web/server/WebSessionServerOAuth2AuthorizedClientRepository.java Outdated Show resolved Hide resolved
...work/security/oauth2/client/web/server/WebSessionServerOAuth2AuthorizedClientRepository.java Outdated Show resolved Hide resolved
@dukbong
Copy link
Contributor Author

dukbong commented May 3, 2024

Thanks for the PR @dukbong. In addition to the feedback inline below, can you please add a test that asserts an IllegalArgumentException is thrown when WebSession is null?

Thanks @sjohnr for agreeing with my feedback.
I will make the changes and additions as per the comments below!

@dukbong dukbong requested a review from sjohnr May 3, 2024 17:10
sjohnr
sjohnr reviewed May 6, 2024
View reviewed changes
Copy link
Member

@sjohnr sjohnr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @dukbong. I added one minor comment below. Can you also please rebase your changes on main and squash commits? I will schedule this to be merged in the next minor so you won't see it merged for a few weeks.

...work/security/oauth2/client/web/server/WebSessionServerOAuth2AuthorizedClientRepository.java Show resolved Hide resolved
@sjohnr sjohnr added type: enhancement A general enhancement in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) and removed status: waiting-for-triage An issue we've not yet triaged labels May 6, 2024
@dukbong
Code Refactory
c343da1 
refactory

NPE

message & checkStyle & newline Remove

Write Test Code

Change test case name from Empty to Null

SuppressWarnings unchecked apply
@dukbong
Copy link
Contributor Author

dukbong commented May 7, 2024

Thanks @dukbong. I added one minor comment below. Can you also please rebase your changes on main and squash commits? I will schedule this to be merged in the next minor so you won't see it merged for a few weeks.

Hello. @sjohnr

As you suggested, I rebased onto the main branch and squashed the commits into one.

If there's anything I did wrong or need to correct, please let me know!
I'll fix it right away!!

@sjohnr sjohnr added this to the 6.4.0-M1 milestone May 8, 2024
@sjohnr sjohnr added type: bug A general bug and removed type: enhancement A general enhancement labels May 29, 2024
@sjohnr sjohnr changed the title Bugfix Null Safety and Code Consistency: Refactoring getAuthorizedClients(WebSession session) Assert WebSession is not null May 29, 2024
sjohnr added a commit that referenced this pull request May 29, 2024
@sjohnr
Polish gh-14977
e34621e
@sjohnr
Copy link
Member

sjohnr commented May 29, 2024
edited
Loading

Thanks @dukbong, this is now merged into 5.8.x as 1695d03. I did apply a polish commit with some adjustments because I didn't run the build to see checkstyle and other build output, so check out e34621e and let me know if you have questions.

@sjohnr sjohnr closed this May 29, 2024
@sjohnr sjohnr modified the milestones: 6.4.0-M1, 5.8.13 May 29, 2024
@sjohnr sjohnr mentioned this pull request May 29, 2024
Closed
@dukbong dukbong deleted the refactory branch June 12, 2024 12:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sjohnr sjohnr sjohnr requested changes

Assignees

@sjohnr sjohnr

Labels
in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) type: bug A general bug
Projects
Spring Security Team
Status: Done
Milestone
5.8.13
Development

Successfully merging this pull request may close these issues.

WebSessionServerOAuth2AuthorizedClientRepository throws NPE when session is null
3 participants
@dukbong @sjohnr @spring-projects-issues