Title: NPE in ApiServlet.skip2FAcheckForUser on SAML login when 2FA is disabled (4.22.0.0) · Issue #13172 · apache/cloudstack · GitHub
Open Graph Title: NPE in ApiServlet.skip2FAcheckForUser on SAML login when 2FA is disabled (4.22.0.0) · Issue #13172 · apache/cloudstack
X Title: NPE in ApiServlet.skip2FAcheckForUser on SAML login when 2FA is disabled (4.22.0.0) · Issue #13172 · apache/cloudstack
Description: problem COMPONENT NAME API, SAML SUMMARY Every API request issued after a successful samlSso callback throws a NullPointerException in ApiServlet.skip2FAcheckForUser, because session.getAttribute("2FAuthenticated") returns null and is un...
Open Graph Description: problem COMPONENT NAME API, SAML SUMMARY Every API request issued after a successful samlSso callback throws a NullPointerException in ApiServlet.skip2FAcheckForUser, because session.getAttribute("...
X Description: problem COMPONENT NAME API, SAML SUMMARY Every API request issued after a successful samlSso callback throws a NullPointerException in ApiServlet.skip2FAcheckForUser, because session.getAttribute(&...
Opengraph URL: https://github.com/apache/cloudstack/issues/13172
X: @github
Domain: github.com
{"@context":"https://schema.org","@type":"DiscussionForumPosting","headline":"NPE in ApiServlet.skip2FAcheckForUser on SAML login when 2FA is disabled (4.22.0.0)","articleBody":"### problem\n\n##### COMPONENT NAME\nAPI, SAML\n\n##### SUMMARY\nEvery API request issued after a successful `samlSso` callback throws a `NullPointerException` in `ApiServlet.skip2FAcheckForUser`, because `session.getAttribute(\"2FAuthenticated\")` returns `null` and is unboxed directly to `boolean`. The SAML login flow does not set this session attribute, and the 2FA-disabled global settings are not consulted before the unboxing.\n\nLocal username/password login is unaffected — only the SAML path triggers the NPE.\n\n##### STEPS TO REPRODUCE\n1. Enable SAML2 plugin and configure an IdP (Keycloak in our case).\n2. Ensure `enable.user.2fa=false` and `mandate.user.2fa=false`.\n3. Authorize a CloudStack user for SAML via `authorizeSamlSso`.\n4. Click \"Login with SSO\" → authenticate at IdP → redirected back to `/client/api?command=samlSso`.\n5. Browser immediately fires follow-up API call (e.g. `listIdps`, `login`, etc.).\n\n##### EXPECTED RESULTS\nThe follow-up API request completes; user lands on the dashboard. A `null` value for the `2FAuthenticated` session attribute should be treated as \"2FA not required / not completed\" rather than dereferenced as a `boolean`.\n\n##### ACTUAL RESULTS\nUse cannot login via SAML:\n\n```java\n2026-05-17 10:22:39,650 ERROR [c.c.a.ApiServlet] (qtp1047478056-364:[ctx-50e47dca]) (logid:59e6408b) unknown exception writing api response java.lang.NullPointerException: Cannot invoke \"java.lang.Boolean.booleanValue()\" because the return value of \"javax.servlet.http.HttpSession.getAttribute(String)\" is null\n at com.cloud.api.ApiServlet.skip2FAcheckForUser(ApiServlet.java:512)\n at com.cloud.api.ApiServlet.processRequestInContext(ApiServlet.java:361)\n at com.cloud.api.ApiServlet$1.run(ApiServlet.java:193)\n at org.apache.cloudstack.managed.context.impl.DefaultManagedContext$1.call(DefaultManagedContext.java:56)\n at org.apache.cloudstack.managed.context.impl.DefaultManagedContext.callWithContext(DefaultManagedContext.java:103)\n at org.apache.cloudstack.managed.context.impl.DefaultManagedContext.runWithContext(DefaultManagedContext.java:53)\n at com.cloud.api.ApiServlet.processRequest(ApiServlet.java:190)\n at com.cloud.api.ApiServlet.doPost(ApiServlet.java:149)\n at javax.servlet.http.HttpServlet.service(HttpServlet.java:665)\n at javax.servlet.http.HttpServlet.service(HttpServlet.java:750)\n ... (Jetty frames truncated)\n```\n\nClient receives the auth failure / error response, lands back on the login screen.\n\nThis is my first ticket here, so be gentle please!\n\n### versions\n\n4.22.0 on Debian 13.4 via shapeblue\n\ni cloudstack-common 4.22.0.0-shapeblue0 all A common package which contains files which are shared by several CloudStack packages\nii cloudstack-management 4.22.0.0-shapeblue0 all CloudStack server library\nii cloudstack-usage 4.22.0.0-shapeblue0 all CloudStack usage monitor\n\nAnd just auto installed java 21 (I know the docs says 17, but I haven't been able to downgrade).\n\nii default-jdk-headless 2:1.21-76 amd64 Standard Java or Java compatible Development Kit (headless)\nii openjdk-21-jdk-headless:amd64 21.0.11+10-1~deb13u2 amd64 OpenJDK Development Kit (JDK) (headless)\nii openjdk-21-jre-headless:amd64 21.0.11+10-1~deb13u2 amd64 OpenJDK Java runtime, using Hotspot JIT (headless)\n\n\n##### CONFIGURATION\n\n- SAML2 plugin enabled (`saml2.enabled=true`)\n- IdP: Keycloak 26.x, realm `lluw`, SAML client with dedicated `uid` mapper (User Property: `email`)\n- 2FA disabled globally: `enable.user.2fa=false`, `mandate.user.2fa=false`\n- Single management server, MySQL backend\n\n### The steps to reproduce the bug\n\n1. Enable SAML2 plugin and configure an IdP (Keycloak in our case).\n2. Ensure `enable.user.2fa=false` and `mandate.user.2fa=false`.\n3. Authorize a CloudStack user for SAML via `authorizeSamlSso`.\n4. Click \"Login with SSO\" → authenticate at IdP → redirected back to `/client/api?command=samlSso`.\n\n5 browser response:\n```xml\n\u003cloginresponse\u003e\n\u003cerrorcode\u003e531\u003c/errorcode\u003e\n\u003cerrortext\u003e\nYour authenticated user is not authorized for SAML Single Sign-On, please contact your administrator\n\u003c/errortext\u003e\n\u003c/loginresponse\u003e\n```\n\n##### LOG response\n\n```java\n2026-05-17 10:22:39,650 ERROR [c.c.a.ApiServlet] (qtp1047478056-364:[ctx-50e47dca]) (logid:59e6408b) unknown exception writing api response java.lang.NullPointerException: Cannot invoke \"java.lang.Boolean.booleanValue()\" because the return value of \"javax.servlet.http.HttpSession.getAttribute(String)\" is null\n at com.cloud.api.ApiServlet.skip2FAcheckForUser(ApiServlet.java:512)\n at com.cloud.api.ApiServlet.processRequestInContext(ApiServlet.java:361)\n at com.cloud.api.ApiServlet$1.run(ApiServlet.java:193)\n at org.apache.cloudstack.managed.context.impl.DefaultManagedContext$1.call(DefaultManagedContext.java:56)\n at org.apache.cloudstack.managed.context.impl.DefaultManagedContext.callWithContext(DefaultManagedContext.java:103)\n at org.apache.cloudstack.managed.context.impl.DefaultManagedContext.runWithContext(DefaultManagedContext.java:53)\n at com.cloud.api.ApiServlet.processRequest(ApiServlet.java:190)\n at com.cloud.api.ApiServlet.doPost(ApiServlet.java:149)\n at javax.servlet.http.HttpServlet.service(HttpServlet.java:665)\n at javax.servlet.http.HttpServlet.service(HttpServlet.java:750)\n ... (Jetty frames truncated)\n```\n\n\n\n\n### What to do about it?\n\n### Expected result\n\nThe follow-up API request completes; user lands on the dashboard. A `null` value for the `2FAuthenticated` session attribute should be treated as \"2FA not required / not completed\" rather than dereferenced as a `boolean`.\n\n- `ApiServlet.java:512` reads the `2FAuthenticated` attribute and unboxes without a null check.\n- The SAML auth command (`SAML2LoginAPIAuthenticatorCmd`) creates the session but does not set `2FAuthenticated`.\n- Suggested fix: replace direct unboxing with `Boolean.TRUE.equals(session.getAttribute(\"2FAuthenticated\"))`, or short-circuit when both `enable.user.2fa` and `mandate.user.2fa` are false.","author":{"url":"https://github.com/joltcan","@type":"Person","name":"joltcan"},"datePublished":"2026-05-17T10:32:54.000Z","interactionStatistic":{"@type":"InteractionCounter","interactionType":"https://schema.org/CommentAction","userInteractionCount":3},"url":"https://github.com/13172/cloudstack/issues/13172"}
| route-pattern | /_view_fragments/issues/show/:user_id/:repository/:id/issue_layout(.:format) |
| route-controller | voltron_issues_fragments |
| route-action | issue_layout |
| fetch-nonce | v2:0a47bee9-4fcc-73ce-121d-a8b842f70514 |
| current-catalog-service-hash | 81bb79d38c15960b92d99bca9288a9108c7a47b18f2423d0f6438c5b7bcd2114 |
| request-id | D586:F61E5:E35327:13A233F:6A4DCCD8 |
| html-safe-nonce | fc99a55e70413e2ca789ece6d97a3b05061857c9a2381d57d676a96af4bd1028 |
| visitor-payload | eyJyZWZlcnJlciI6IiIsInJlcXVlc3RfaWQiOiJENTg2OkY2MUU1OkUzNTMyNzoxM0EyMzNGOjZBNERDQ0Q4IiwidmlzaXRvcl9pZCI6IjQ0OTI0ODUyNTQ1MTkzMTE1NzYiLCJyZWdpb25fZWRnZSI6ImlhZCIsInJlZ2lvbl9yZW5kZXIiOiJpYWQifQ== |
| visitor-hmac | f5c132234f2e0ad90de6e6f60ff83366b1dea1575c90fce15ed81fc20dccfe23 |
| hovercard-subject-tag | issue:4463180716 |
| github-keyboard-shortcuts | repository,issues,copilot |
| google-site-verification | Apib7-x98H0j5cPqHWwSMm6dNU4GmODRoqxLiDzdx9I |
| octolytics-url | https://collector.github.com/github/collect |
| analytics-location | / |
| fb:app_id | 1401488693436528 |
| apple-itunes-app | app-id=1477376905, app-argument=https://github.com/_view_fragments/issues/show/apache/cloudstack/13172/issue_layout |
| twitter:image | https://opengraph.githubassets.com/ffa674d09acfb53e00e046a76807a6758523ec7bf76936e46e2947b7d9dc114c/apache/cloudstack/issues/13172 |
| twitter:card | summary_large_image |
| og:image | https://opengraph.githubassets.com/ffa674d09acfb53e00e046a76807a6758523ec7bf76936e46e2947b7d9dc114c/apache/cloudstack/issues/13172 |
| og:image:alt | problem COMPONENT NAME API, SAML SUMMARY Every API request issued after a successful samlSso callback throws a NullPointerException in ApiServlet.skip2FAcheckForUser, because session.getAttribute("... |
| og:image:width | 1200 |
| og:image:height | 600 |
| og:site_name | GitHub |
| og:type | object |
| og:author:username | joltcan |
| hostname | github.com |
| expected-hostname | github.com |
| None | 06b8a6144231bf3a234f1c2e9993861e07ce98a905912b114aa386c2d7e84b33 |
| turbo-cache-control | no-preview |
| go-import | github.com/apache/cloudstack git https://github.com/apache/cloudstack.git |
| octolytics-dimension-user_id | 47359 |
| octolytics-dimension-user_login | apache |
| octolytics-dimension-repository_id | 9759448 |
| octolytics-dimension-repository_nwo | apache/cloudstack |
| octolytics-dimension-repository_public | true |
| octolytics-dimension-repository_is_fork | false |
| octolytics-dimension-repository_network_root_id | 9759448 |
| octolytics-dimension-repository_network_root_nwo | apache/cloudstack |
| turbo-body-classes | logged-out env-production page-responsive |
| disable-turbo | false |
| browser-stats-url | https://api.github.com/_private/browser/stats |
| browser-errors-url | https://api.github.com/_private/browser/errors |
| release | 1d344bdb7547fe6bca17a59bb2b8aac3dc9532a0 |
| ui-target | full |
| theme-color | #1e2327 |
| color-scheme | light dark |
Links:
Viewport: width=device-width