KNOX-3232: Handle pac4j cookies with "null" value (#1132)

bonampak · web-flow · commit 63f78bd15bf2 · 2025-12-16T15:22:46.000+01:00
diff --git a/gateway-provider-security-pac4j/src/main/java/org/apache/knox/gateway/pac4j/session/KnoxSessionStore.java b/gateway-provider-security-pac4j/src/main/java/org/apache/knox/gateway/pac4j/session/KnoxSessionStore.java
@@ -105,7 +105,7 @@ public Optional<String> getSessionId(WebContext context, boolean createSession)
     }
 
     private Object uncompressDecryptBase64(final String v) {
-        if (v != null && !v.isEmpty()) {
+        if (v != null && !v.isEmpty() && !"null".equals(v)) {
             byte[] bytes = Base64.decodeBase64(v);
             EncryptionResult result = EncryptionResult.fromByteArray(bytes);
             byte[] clear = cryptoService.decryptForCluster(this.clusterName,
diff --git a/gateway-provider-security-pac4j/src/test/java/org/apache/knox/gateway/pac4j/session/KnoxSessionStoreTest.java b/gateway-provider-security-pac4j/src/test/java/org/apache/knox/gateway/pac4j/session/KnoxSessionStoreTest.java
@@ -19,18 +19,21 @@
 
 import org.apache.knox.gateway.services.security.AliasService;
 import org.apache.knox.gateway.services.security.AliasServiceException;
+import org.apache.knox.gateway.services.security.CryptoService;
 import org.apache.knox.gateway.services.security.impl.DefaultCryptoService;
 import org.easymock.Capture;
 import org.easymock.EasyMock;
 import org.junit.Assert;
 import org.junit.Test;
+import org.pac4j.core.context.Cookie;
 import org.pac4j.core.profile.CommonProfile;
 import org.pac4j.core.util.Pac4jConstants;
 import org.pac4j.jee.context.JEEContext;
 import org.pac4j.saml.profile.SAML2Profile;
 
 import javax.servlet.http.HttpServletResponse;
 import java.util.Arrays;
+import java.util.Collections;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.Map;
@@ -44,6 +47,7 @@
 import static org.apache.knox.gateway.pac4j.filter.Pac4jDispatcherFilter.PAC4J_SESSION_STORE_EXCLUDE_ROLES;
 import static org.apache.knox.gateway.pac4j.filter.Pac4jDispatcherFilter.PAC4J_SESSION_STORE_EXCLUDE_ROLES_DEFAULT;
 import static org.apache.knox.gateway.pac4j.session.KnoxSessionStore.PAC4J_PASSWORD;
+import static org.apache.knox.gateway.pac4j.session.KnoxSessionStore.PAC4J_SESSION_PREFIX;
 
 public class KnoxSessionStoreTest {
   private static final String CLUSTER_NAME = "knox";
@@ -158,4 +162,20 @@ public void filterConfigParamsTest()
     Assert.assertNotNull(samlProfile.getAttribute("https://knox.apache.org/SAML/Attributes/groups"));
     Assert.assertNotNull(samlProfile.getAttribute("https://knox.apache.org/SAML/Attributes/groups2"));
   }
+
+  @Test
+  public void testNullCookieValue() throws AliasServiceException {
+    final CryptoService cryptoService = EasyMock.createNiceMock(CryptoService.class);
+    final Map<String, String> sessionStoreConfigs = new HashMap<>();
+
+    final JEEContext mockContext = EasyMock.createNiceMock(JEEContext.class);
+    final String keyWithNullValue = "keyWithNullValue";
+    Cookie cookie = new Cookie(PAC4J_SESSION_PREFIX + keyWithNullValue, "null");
+    EasyMock.expect(mockContext.getRequestCookies()).andReturn(Collections.singletonList(cookie));
+    EasyMock.replay(mockContext);
+
+    final KnoxSessionStore sessionStore = new KnoxSessionStore(cryptoService, CLUSTER_NAME, null, sessionStoreConfigs);
+    Assert.assertTrue(sessionStore.get(mockContext, keyWithNullValue).isEmpty());
+  }
+
 }

Original file line number	Diff line number	Diff line change
`@@ -105,7 +105,7 @@ public Optional<String> getSessionId(WebContext context, boolean createSession)`
`105`	`105`	`}`
`106`	`106`
`107`	`107`	`private Object uncompressDecryptBase64(final String v) {`
`108`		`- if (v != null && !v.isEmpty()) {`
	`108`	`+ if (v != null && !v.isEmpty() && !"null".equals(v)) {`
`109`	`109`	`byte[] bytes = Base64.decodeBase64(v);`
`110`	`110`	`EncryptionResult result = EncryptionResult.fromByteArray(bytes);`
`111`	`111`	`byte[] clear = cryptoService.decryptForCluster(this.clusterName,`