Article Number
000029426
Applies To
RSA Product Set: ClearTrust
RSA Product/Service Type: Access Manager Agent for WebLogic
RSA Version/Condition: 5.0.1
Issue
The following exception is generated in the WebLogic AdminServer.log when processing an expired CTSESSION token.
ERROR [[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)']: []-Cannot Create Subject , Exception while JAAS Login
<Nov 12, 2014 1:25:01 PM CST> <Error> <HTTP> <weblogic> <[ServletContext@27608097[app:SSO module:SSO path:/SSO spec-version:2.5]] Servlet failed with Exception
java.lang.NullPointerException
at weblogic.security.acl.internal.AuthenticatedSubject$1.run(AuthenticatedSubject.java:132)
at java.security.AccessController.doPrivileged(Native Method)
at weblogic.security.acl.internal.AuthenticatedSubject.getFromSubject(AuthenticatedSubject.java:127)
at weblogic.servlet.security.ServletAuthentication.runAs(ServletAuthentication.java:709)
at com.rsa.cleartrust.weblogic.security.webfilter.CTLoginFilter.doFilter(CTLoginFilter.java:258)
Cause
The NullPointerException occurs if the WebLogic subject is not set when the WebLogic authenticator processes the request. The RSA Access Manager Agent filter should either set the subject (if the RSA Access Manager authentication is valid) or redirect the user to the RSA Access Manager error page (if the authentication is invalid). When processing a token that is expired or invalid, the RSA Access Manager agent normally invalidates the session and redirects the user to the RSA Access Manager error page. If another WebLogic filter runs ahead of the agent, however, the agent may not be able to redirect the user to the error page, and the request passes to WebLogic with the security subject unset.
Resolution
This issue is resolved in hotfix 5.0.1.01 for the RSA Access Manager 5.0 SP1 Agent for WebLogic. Contact RSA Customer Support and request this hotfix or the latest cumulative hotfix for your platform.
This hotfix resolves the issue by only attempting to set the WebLogic security subject if the session is valid.
Workaround
Ensure that the RSA Access Manager Agent filter has higher priority than all other filters. This will allow the agent to redirect the user to the error page in instances where the session is invalid.
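An added illustration of the workaround, not taken from the article or from the agent's shipped configuration: a web.xml fragment in which the agent's CTLoginFilter mapping is listed before every other filter-mapping, because the servlet container applies filters in the order their filter-mapping elements appear. The filter-class is the one shown in the stack trace above; the filter-name values, the second filter and the url-pattern are assumed for illustration.

```xml
<!-- Added illustration, not the RSA agent's shipped web.xml. -->
<!-- Filters run in filter-mapping order, so the agent mapping must come first. -->
<web-app>

  <!-- Agent filter class from the stack trace above; filter-name is assumed. -->
  <filter>
    <filter-name>CTLoginFilter</filter-name>
    <filter-class>com.rsa.cleartrust.weblogic.security.webfilter.CTLoginFilter</filter-class>
  </filter>

  <!-- Hypothetical application filter that previously ran ahead of the agent. -->
  <filter>
    <filter-name>AppAuditFilter</filter-name>
    <filter-class>com.example.AppAuditFilter</filter-class>
  </filter>

  <!-- WRONG ORDER (reproduces the issue): AppAuditFilter is mapped first, so a
       request carrying an expired CTSESSION can reach the WebLogic authenticator
       before the agent has a chance to redirect, with no security subject set.
  <filter-mapping>
    <filter-name>AppAuditFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  -->

  <!-- CORRECT ORDER: the agent filter is mapped before any other filter, so it
       can invalidate the session and redirect to the error page itself. -->
  <filter-mapping>
    <filter-name>CTLoginFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

  <filter-mapping>
    <filter-name>AppAuditFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

</web-app>
```

After redeploying, an expired CTSESSION should produce the agent's error-page redirect rather than the NullPointerException in AdminServer.log.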
Notes