000029426 - RSA Access Manager 5.0.1 Agent for WebLogic generates NullPointerException when processing expired CTSESSION token.

Document created by RSA Customer Support Employee on Jun 15, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000029426
Applies To: RSA Product Set: ClearTrust
RSA Product/Service Type: Access Manager Agent for WebLogic
RSA Version/Condition: 5.0.1
Issue: The following exception is generated in the WebLogic AdminServer.log when processing an expired CTSESSION token.
ERROR [[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)']: []-Cannot Create Subject , Exception while JAAS Login
<Nov 12, 2014 1:25:01 PM CST> <Error> <HTTP> <weblogic> <[ServletContext@27608097[app:SSO module:SSO path:/SSO spec-version:2.5]] Servlet failed with Exception
    at weblogic.security.acl.internal.AuthenticatedSubject$1.run(AuthenticatedSubject.java:132)
    at java.security.AccessController.doPrivileged(Native Method)
    at weblogic.security.acl.internal.AuthenticatedSubject.getFromSubject(AuthenticatedSubject.java:127)
    at weblogic.servlet.security.ServletAuthentication.runAs(ServletAuthentication.java:709)
    at com.rsa.cleartrust.weblogic.security.webfilter.CTLoginFilter.doFilter(CTLoginFilter.java:258)
Cause: The NullPointerException occurs if the WebLogic security subject is not set when the WebLogic authenticator processes the request. The RSA Access Manager Agent filter should either set the subject (if the RSA Access Manager authentication is valid) or redirect the user to the RSA Access Manager error page (if the authentication is invalid). When processing a token that is expired or invalid, the RSA Access Manager agent normally invalidates the session and redirects the user to the RSA Access Manager error page. If another WebLogic filter is in place, however, the agent may not be able to redirect the user to the error page, and the request passes to WebLogic with the security subject unset.
Resolution: This issue is resolved in a hotfix for the RSA Access Manager 5.0 SP1 Agent for WebLogic. Contact RSA Customer Support and request this hotfix or the latest cumulative hotfix for your platform.
This hotfix resolves the issue by only attempting to set the WebLogic security subject if the session is valid.
Workaround: Ensure that the RSA Access Manager Agent filter has higher priority than all other filters. This allows the agent to redirect the user to the error page when the session is invalid.
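The following web.xml fragment is an added illustration of the cause and the workaround above; it is not from the article and not RSA's own deployment descriptor. Servlet containers, WebLogic included, build the filter chain in the order in which the filter-mapping elements appear in the deployment descriptor, so listing the agent's mapping first is what gives it "higher priority" over other filters. The filter class com.rsa.cleartrust.weblogic.security.webfilter.CTLoginFilter is taken from the stack trace above; the filter names, the second filter class com.example.OtherAppFilter and the url-pattern are placeholders.

```xml
<!-- Constructed web.xml fragment (added example, not from the article or from RSA).
     The container builds the filter chain in the order the <filter-mapping>
     elements appear, so the agent's mapping must precede every other filter
     that matches the same URLs. "ctLoginFilter", "otherAppFilter",
     com.example.OtherAppFilter and the url-pattern are placeholders; only the
     CTLoginFilter class name comes from the stack trace in the article. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">

  <!-- RSA Access Manager agent filter -->
  <filter>
    <filter-name>ctLoginFilter</filter-name>
    <filter-class>com.rsa.cleartrust.weblogic.security.webfilter.CTLoginFilter</filter-class>
  </filter>

  <!-- Some other application filter (placeholder class name) -->
  <filter>
    <filter-name>otherAppFilter</filter-name>
    <filter-class>com.example.OtherAppFilter</filter-class>
  </filter>

  <!-- Correct ordering: the agent's mapping is listed first, so it runs first
       and can invalidate an expired CTSESSION and redirect to the RSA error
       page before any other filter or the WebLogic authenticator sees the
       request. -->
  <filter-mapping>
    <filter-name>ctLoginFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

  <!-- If this mapping were listed above ctLoginFilter's instead, otherAppFilter
       would run first and could pass the request on with no security subject
       set, which is the condition that produces the NullPointerException. -->
  <filter-mapping>
    <filter-name>otherAppFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

</web-app>
```

After redeploying with this ordering, a request carrying an expired CTSESSION token should result in a redirect to the RSA Access Manager error page rather than the "Exception while JAAS Login" entry shown in AdminServer.log above; if the exception still appears, another filter is still being mapped ahead of the agent for the affected URLs.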