René's URL Explorer Experiment


Title: NPE in ApiServlet.skip2FAcheckForUser on SAML login when 2FA is disabled (4.22.0.0) · Issue #13172 · apache/cloudstack · GitHub

Open Graph Title: NPE in ApiServlet.skip2FAcheckForUser on SAML login when 2FA is disabled (4.22.0.0) · Issue #13172 · apache/cloudstack

X Title: NPE in ApiServlet.skip2FAcheckForUser on SAML login when 2FA is disabled (4.22.0.0) · Issue #13172 · apache/cloudstack

Description: problem COMPONENT NAME API, SAML SUMMARY Every API request issued after a successful samlSso callback throws a NullPointerException in ApiServlet.skip2FAcheckForUser, because session.getAttribute("2FAuthenticated") returns null and is un...

Open Graph Description: problem COMPONENT NAME API, SAML SUMMARY Every API request issued after a successful samlSso callback throws a NullPointerException in ApiServlet.skip2FAcheckForUser, because session.getAttribute("...

X Description: problem COMPONENT NAME API, SAML SUMMARY Every API request issued after a successful samlSso callback throws a NullPointerException in ApiServlet.skip2FAcheckForUser, because session.getAttribute(&...

Opengraph URL: https://github.com/apache/cloudstack/issues/13172

X: @github

direct link

Domain: github.com


Hey, it has json ld scripts:
{"@context":"https://schema.org","@type":"DiscussionForumPosting","headline":"NPE in ApiServlet.skip2FAcheckForUser on SAML login when 2FA is disabled (4.22.0.0)","articleBody":"### problem\n\n##### COMPONENT NAME\nAPI, SAML\n\n##### SUMMARY\nEvery API request issued after a successful `samlSso` callback throws a `NullPointerException` in `ApiServlet.skip2FAcheckForUser`, because `session.getAttribute(\"2FAuthenticated\")` returns `null` and is unboxed directly to `boolean`. The SAML login flow does not set this session attribute, and the 2FA-disabled global settings are not consulted before the unboxing.\n\nLocal username/password login is unaffected — only the SAML path triggers the NPE.\n\n##### STEPS TO REPRODUCE\n1. Enable SAML2 plugin and configure an IdP (Keycloak in our case).\n2. Ensure `enable.user.2fa=false` and `mandate.user.2fa=false`.\n3. Authorize a CloudStack user for SAML via `authorizeSamlSso`.\n4. Click \"Login with SSO\" → authenticate at IdP → redirected back to `/client/api?command=samlSso`.\n5. Browser immediately fires follow-up API call (e.g. `listIdps`, `login`, etc.).\n\n##### EXPECTED RESULTS\nThe follow-up API request completes; user lands on the dashboard. A `null` value for the `2FAuthenticated` session attribute should be treated as \"2FA not required / not completed\" rather than dereferenced as a `boolean`.\n\n##### ACTUAL RESULTS\nUse cannot login via SAML:\n\n```java\n2026-05-17 10:22:39,650 ERROR [c.c.a.ApiServlet] (qtp1047478056-364:[ctx-50e47dca]) (logid:59e6408b) unknown exception writing api response java.lang.NullPointerException: Cannot invoke \"java.lang.Boolean.booleanValue()\" because the return value of \"javax.servlet.http.HttpSession.getAttribute(String)\" is null\n        at com.cloud.api.ApiServlet.skip2FAcheckForUser(ApiServlet.java:512)\n        at com.cloud.api.ApiServlet.processRequestInContext(ApiServlet.java:361)\n        at com.cloud.api.ApiServlet$1.run(ApiServlet.java:193)\n        at org.apache.cloudstack.managed.context.impl.DefaultManagedContext$1.call(DefaultManagedContext.java:56)\n        at org.apache.cloudstack.managed.context.impl.DefaultManagedContext.callWithContext(DefaultManagedContext.java:103)\n        at org.apache.cloudstack.managed.context.impl.DefaultManagedContext.runWithContext(DefaultManagedContext.java:53)\n        at com.cloud.api.ApiServlet.processRequest(ApiServlet.java:190)\n        at com.cloud.api.ApiServlet.doPost(ApiServlet.java:149)\n        at javax.servlet.http.HttpServlet.service(HttpServlet.java:665)\n        at javax.servlet.http.HttpServlet.service(HttpServlet.java:750)\n        ... (Jetty frames truncated)\n```\n\nClient receives the auth failure / error response, lands back on the login screen.\n\nThis is my first ticket here, so be gentle please!\n\n### versions\n\n4.22.0 on Debian 13.4 via shapeblue\n\ni  cloudstack-common                 4.22.0.0-shapeblue0                  all          A common package which contains files which are shared by several CloudStack packages\nii  cloudstack-management             4.22.0.0-shapeblue0                  all          CloudStack server library\nii  cloudstack-usage                  4.22.0.0-shapeblue0                  all          CloudStack usage monitor\n\nAnd just auto installed java 21 (I know the docs says 17, but I haven't been able to downgrade).\n\nii  default-jdk-headless              2:1.21-76                            amd64        Standard Java or Java compatible Development Kit (headless)\nii  openjdk-21-jdk-headless:amd64     21.0.11+10-1~deb13u2                 amd64        OpenJDK Development Kit (JDK) (headless)\nii  openjdk-21-jre-headless:amd64     21.0.11+10-1~deb13u2                 amd64        OpenJDK Java runtime, using Hotspot JIT (headless)\n\n\n##### CONFIGURATION\n\n- SAML2 plugin enabled (`saml2.enabled=true`)\n- IdP: Keycloak 26.x, realm `lluw`, SAML client with dedicated `uid` mapper (User Property: `email`)\n- 2FA disabled globally: `enable.user.2fa=false`, `mandate.user.2fa=false`\n- Single management server, MySQL backend\n\n### The steps to reproduce the bug\n\n1. Enable SAML2 plugin and configure an IdP (Keycloak in our case).\n2. Ensure `enable.user.2fa=false` and `mandate.user.2fa=false`.\n3. Authorize a CloudStack user for SAML via `authorizeSamlSso`.\n4. Click \"Login with SSO\" → authenticate at IdP → redirected back to `/client/api?command=samlSso`.\n\n5 browser response:\n```xml\n\u003cloginresponse\u003e\n\u003cerrorcode\u003e531\u003c/errorcode\u003e\n\u003cerrortext\u003e\nYour authenticated user is not authorized for SAML Single Sign-On, please contact your administrator\n\u003c/errortext\u003e\n\u003c/loginresponse\u003e\n```\n\n##### LOG response\n\n```java\n2026-05-17 10:22:39,650 ERROR [c.c.a.ApiServlet] (qtp1047478056-364:[ctx-50e47dca]) (logid:59e6408b) unknown exception writing api response java.lang.NullPointerException: Cannot invoke \"java.lang.Boolean.booleanValue()\" because the return value of \"javax.servlet.http.HttpSession.getAttribute(String)\" is null\n        at com.cloud.api.ApiServlet.skip2FAcheckForUser(ApiServlet.java:512)\n        at com.cloud.api.ApiServlet.processRequestInContext(ApiServlet.java:361)\n        at com.cloud.api.ApiServlet$1.run(ApiServlet.java:193)\n        at org.apache.cloudstack.managed.context.impl.DefaultManagedContext$1.call(DefaultManagedContext.java:56)\n        at org.apache.cloudstack.managed.context.impl.DefaultManagedContext.callWithContext(DefaultManagedContext.java:103)\n        at org.apache.cloudstack.managed.context.impl.DefaultManagedContext.runWithContext(DefaultManagedContext.java:53)\n        at com.cloud.api.ApiServlet.processRequest(ApiServlet.java:190)\n        at com.cloud.api.ApiServlet.doPost(ApiServlet.java:149)\n        at javax.servlet.http.HttpServlet.service(HttpServlet.java:665)\n        at javax.servlet.http.HttpServlet.service(HttpServlet.java:750)\n        ... (Jetty frames truncated)\n```\n\n\n\n\n### What to do about it?\n\n### Expected result\n\nThe follow-up API request completes; user lands on the dashboard. A `null` value for the `2FAuthenticated` session attribute should be treated as \"2FA not required / not completed\" rather than dereferenced as a `boolean`.\n\n- `ApiServlet.java:512` reads the `2FAuthenticated` attribute and unboxes without a null check.\n- The SAML auth command (`SAML2LoginAPIAuthenticatorCmd`) creates the session but does not set `2FAuthenticated`.\n- Suggested fix: replace direct unboxing with `Boolean.TRUE.equals(session.getAttribute(\"2FAuthenticated\"))`, or short-circuit when both `enable.user.2fa` and `mandate.user.2fa` are false.","author":{"url":"https://github.com/joltcan","@type":"Person","name":"joltcan"},"datePublished":"2026-05-17T10:32:54.000Z","interactionStatistic":{"@type":"InteractionCounter","interactionType":"https://schema.org/CommentAction","userInteractionCount":3},"url":"https://github.com/13172/cloudstack/issues/13172"}

route-pattern/_view_fragments/issues/show/:user_id/:repository/:id/issue_layout(.:format)
route-controllervoltron_issues_fragments
route-actionissue_layout
fetch-noncev2:0a47bee9-4fcc-73ce-121d-a8b842f70514
current-catalog-service-hash81bb79d38c15960b92d99bca9288a9108c7a47b18f2423d0f6438c5b7bcd2114
request-idD586:F61E5:E35327:13A233F:6A4DCCD8
html-safe-noncefc99a55e70413e2ca789ece6d97a3b05061857c9a2381d57d676a96af4bd1028
visitor-payloadeyJyZWZlcnJlciI6IiIsInJlcXVlc3RfaWQiOiJENTg2OkY2MUU1OkUzNTMyNzoxM0EyMzNGOjZBNERDQ0Q4IiwidmlzaXRvcl9pZCI6IjQ0OTI0ODUyNTQ1MTkzMTE1NzYiLCJyZWdpb25fZWRnZSI6ImlhZCIsInJlZ2lvbl9yZW5kZXIiOiJpYWQifQ==
visitor-hmacf5c132234f2e0ad90de6e6f60ff83366b1dea1575c90fce15ed81fc20dccfe23
hovercard-subject-tagissue:4463180716
github-keyboard-shortcutsrepository,issues,copilot
google-site-verificationApib7-x98H0j5cPqHWwSMm6dNU4GmODRoqxLiDzdx9I
octolytics-urlhttps://collector.github.com/github/collect
analytics-location///voltron/issues_fragments/issue_layout
fb:app_id1401488693436528
apple-itunes-appapp-id=1477376905, app-argument=https://github.com/_view_fragments/issues/show/apache/cloudstack/13172/issue_layout
twitter:imagehttps://opengraph.githubassets.com/ffa674d09acfb53e00e046a76807a6758523ec7bf76936e46e2947b7d9dc114c/apache/cloudstack/issues/13172
twitter:cardsummary_large_image
og:imagehttps://opengraph.githubassets.com/ffa674d09acfb53e00e046a76807a6758523ec7bf76936e46e2947b7d9dc114c/apache/cloudstack/issues/13172
og:image:altproblem COMPONENT NAME API, SAML SUMMARY Every API request issued after a successful samlSso callback throws a NullPointerException in ApiServlet.skip2FAcheckForUser, because session.getAttribute("...
og:image:width1200
og:image:height600
og:site_nameGitHub
og:typeobject
og:author:usernamejoltcan
hostnamegithub.com
expected-hostnamegithub.com
None06b8a6144231bf3a234f1c2e9993861e07ce98a905912b114aa386c2d7e84b33
turbo-cache-controlno-preview
go-importgithub.com/apache/cloudstack git https://github.com/apache/cloudstack.git
octolytics-dimension-user_id47359
octolytics-dimension-user_loginapache
octolytics-dimension-repository_id9759448
octolytics-dimension-repository_nwoapache/cloudstack
octolytics-dimension-repository_publictrue
octolytics-dimension-repository_is_forkfalse
octolytics-dimension-repository_network_root_id9759448
octolytics-dimension-repository_network_root_nwoapache/cloudstack
turbo-body-classeslogged-out env-production page-responsive
disable-turbofalse
browser-stats-urlhttps://api.github.com/_private/browser/stats
browser-errors-urlhttps://api.github.com/_private/browser/errors
release1d344bdb7547fe6bca17a59bb2b8aac3dc9532a0
ui-targetfull
theme-color#1e2327
color-schemelight dark

Links:

Skip to contenthttps://github.com/apache/cloudstack/issues/13172#start-of-content
https://github.com/
Sign in https://github.com/login?return_to=https%3A%2F%2Fgithub.com%2Fapache%2Fcloudstack%2Fissues%2F13172
GitHub CopilotWrite better code with AIhttps://github.com/features/copilot
GitHub Copilot appDirect agents from issue to mergehttps://github.com/features/ai/github-app
MCP RegistryNewIntegrate external toolshttps://github.com/mcp
ActionsAutomate any workflowhttps://github.com/features/actions
CodespacesInstant dev environmentshttps://github.com/features/codespaces
IssuesPlan and track workhttps://github.com/features/issues
Code ReviewManage code changeshttps://github.com/features/code-review
GitHub Advanced SecurityFind and fix vulnerabilitieshttps://github.com/security/advanced-security
Code securitySecure your code as you buildhttps://github.com/security/advanced-security/code-security
Secret protectionStop leaks before they starthttps://github.com/security/advanced-security/secret-protection
Why GitHubhttps://github.com/why-github
Documentationhttps://docs.github.com
Bloghttps://github.blog
Changeloghttps://github.blog/changelog
Marketplacehttps://github.com/marketplace
View all featureshttps://github.com/features
Enterpriseshttps://github.com/enterprise
Small and medium teamshttps://github.com/team
Startupshttps://github.com/enterprise/startups
Nonprofitshttps://github.com/solutions/industry/nonprofits
App Modernizationhttps://github.com/solutions/use-case/app-modernization
DevSecOpshttps://github.com/solutions/use-case/devsecops
DevOpshttps://github.com/solutions/use-case/devops
CI/CDhttps://github.com/solutions/use-case/ci-cd
View all use caseshttps://github.com/solutions/use-case
Healthcarehttps://github.com/solutions/industry/healthcare
Financial serviceshttps://github.com/solutions/industry/financial-services
Manufacturinghttps://github.com/solutions/industry/manufacturing
Governmenthttps://github.com/solutions/industry/government
View all industrieshttps://github.com/solutions/industry
View all solutionshttps://github.com/solutions
AIhttps://github.com/resources/articles?topic=ai
Software Developmenthttps://github.com/resources/articles?topic=software-development
DevOpshttps://github.com/resources/articles?topic=devops
Securityhttps://github.com/resources/articles?topic=security
View all topicshttps://github.com/resources/articles
Customer storieshttps://github.com/customer-stories
Events & webinarshttps://github.com/resources/events
Ebooks & reportshttps://github.com/resources/whitepapers
Business insightshttps://github.com/solutions/executive-insights
GitHub Skillshttps://skills.github.com
Documentationhttps://docs.github.com
Customer supporthttps://support.github.com
Community forumhttps://github.com/orgs/community/discussions
Trust centerhttps://github.com/trust-center
Partnershttps://github.com/partners
View all resourceshttps://github.com/resources
GitHub SponsorsFund open source developershttps://github.com/sponsors
Security Labhttps://securitylab.github.com
Maintainer Communityhttps://maintainers.github.com
Acceleratorhttps://github.com/accelerator
GitHub Starshttps://stars.github.com
Archive Programhttps://archiveprogram.github.com
Topicshttps://github.com/topics
Trendinghttps://github.com/trending
Collectionshttps://github.com/collections
Enterprise platformAI-powered developer platformhttps://github.com/enterprise
GitHub Advanced SecurityEnterprise-grade security featureshttps://github.com/security/advanced-security
Copilot for BusinessEnterprise-grade AI featureshttps://github.com/features/copilot/copilot-business
Premium SupportEnterprise-grade 24/7 supporthttps://github.com/premium-support
Pricinghttps://github.com/pricing
Search syntax tipshttps://docs.github.com/search-github/github-code-search/understanding-github-code-search-syntax
documentationhttps://docs.github.com/search-github/github-code-search/understanding-github-code-search-syntax
Sign in https://github.com/login?return_to=https%3A%2F%2Fgithub.com%2Fapache%2Fcloudstack%2Fissues%2F13172
Sign up https://github.com/signup?ref_cta=Sign+up&ref_loc=header+logged+out&ref_page=%2F%3Cuser-name%3E%2F%3Crepo-name%3E%2Fvoltron%2Fissues_fragments%2Fissue_layout&source=header-repo&source_repo=apache%2Fcloudstack
Reloadhttps://github.com/apache/cloudstack/issues/13172
Reloadhttps://github.com/apache/cloudstack/issues/13172
Reloadhttps://github.com/apache/cloudstack/issues/13172
Please reload this pagehttps://github.com/apache/cloudstack/issues/13172
apache https://github.com/apache
cloudstackhttps://github.com/apache/cloudstack
Notifications https://github.com/login?return_to=%2Fapache%2Fcloudstack
Fork 1.3k https://github.com/login?return_to=%2Fapache%2Fcloudstack
Star 3k https://github.com/login?return_to=%2Fapache%2Fcloudstack
Code https://github.com/apache/cloudstack
Issues 536 https://github.com/apache/cloudstack/issues
Pull requests 268 https://github.com/apache/cloudstack/pulls
Discussions https://github.com/apache/cloudstack/discussions
Actions https://github.com/apache/cloudstack/actions
Projects https://github.com/apache/cloudstack/projects
Wiki https://github.com/apache/cloudstack/wiki
Security and quality 0 https://github.com/apache/cloudstack/security
Insights https://github.com/apache/cloudstack/pulse
Code https://github.com/apache/cloudstack
Issues https://github.com/apache/cloudstack/issues
Pull requests https://github.com/apache/cloudstack/pulls
Discussions https://github.com/apache/cloudstack/discussions
Actions https://github.com/apache/cloudstack/actions
Projects https://github.com/apache/cloudstack/projects
Wiki https://github.com/apache/cloudstack/wiki
Security and quality https://github.com/apache/cloudstack/security
Insights https://github.com/apache/cloudstack/pulse
Bughttps://github.com/apache/cloudstack/issues?q=type:"Bug"
NPE in ApiServlet.skip2FAcheckForUser on SAML login when 2FA is disabled (4.22.0.0)https://github.com/apache/cloudstack/issues/13172#top
4.22.2https://github.com/apache/cloudstack/milestone/46
https://github.com/joltcan
joltcanhttps://github.com/joltcan
on May 17, 2026https://github.com/apache/cloudstack/issues/13172#issue-4463180716
Bughttps://github.com/apache/cloudstack/issues?q=type:"Bug"
Apache CloudStack BugFest - Issueshttps://github.com/orgs/apache/projects/362
4.22.2No due datehttps://github.com/apache/cloudstack/milestone/46
https://github.com
Termshttps://docs.github.com/site-policy/github-terms/github-terms-of-service
Privacyhttps://docs.github.com/site-policy/privacy-policies/github-privacy-statement
Securityhttps://github.com/security
Statushttps://www.githubstatus.com/
Communityhttps://github.community/
Docshttps://docs.github.com/
Contacthttps://support.github.com?tags=dotcom-footer

Viewport: width=device-width


URLs of crawlers that visited me.