From 180be7b182d4cfb61be7bc76bf2c980b1c07146a Mon Sep 17 00:00:00 2001
From: Alexander Schwartz <aschwart@redhat.com>
Date: Thu, 19 Dec 2024 18:03:12 +0100
Subject: [PATCH] Avoid NPE when checking exceptions for password based
 Kerberos login

Closes #36061

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
---
 ...KerberosUsernamePasswordAuthenticator.java | 27 ++++++++++++-------
 1 file changed, 17 insertions(+), 10 deletions(-)

diff --git a/federation/kerberos/src/main/java/org/keycloak/federation/kerberos/impl/KerberosUsernamePasswordAuthenticator.java b/federation/kerberos/src/main/java/org/keycloak/federation/kerberos/impl/KerberosUsernamePasswordAuthenticator.java
index 0965924bb31..18f051cde91 100644
--- a/federation/kerberos/src/main/java/org/keycloak/federation/kerberos/impl/KerberosUsernamePasswordAuthenticator.java
+++ b/federation/kerberos/src/main/java/org/keycloak/federation/kerberos/impl/KerberosUsernamePasswordAuthenticator.java
@@ -102,21 +102,28 @@ public class KerberosUsernamePasswordAuthenticator {
     }
 
     protected void checkKerberosServerAvailable(LoginException le) {
-        String message = le.getMessage().toUpperCase();
-        if (message.contains("PORT UNREACHABLE") ||
-            message.contains("CANNOT LOCATE") ||
-            message.contains("CANNOT CONTACT") ||
-            message.contains("CANNOT FIND") ||
-            message.contains("UNKNOWN ERROR") ||
-            message.contains("RECEIVE TIMED OUT")) {
+        if (le.getMessage() != null) {
+            String message = le.getMessage().toUpperCase();
+            if (message.contains("PORT UNREACHABLE") ||
+                message.contains("CANNOT LOCATE") ||
+                message.contains("CANNOT CONTACT") ||
+                message.contains("CANNOT FIND") ||
+                message.contains("UNKNOWN ERROR") ||
+                message.contains("RECEIVE TIMED OUT")) {
+                throw new ModelException("Kerberos unreachable", le);
+            }
+        } else if (le.getCause() instanceof IOException) {
+            // for example, a PortUnreachable exception if the server is not running
             throw new ModelException("Kerberos unreachable", le);
         }
     }
 
     protected void checkKerberosUsername(LoginException le) {
-        String message = le.getMessage();
-        if (message.contains("IllegalArgumentException")) {
-            throw new ModelException("Kerberos illegal username", le);
+        if (le.getMessage() != null) {
+            String message = le.getMessage();
+            if (message.contains("IllegalArgumentException")) {
+                throw new ModelException("Kerberos illegal username", le);
+            }
         }
     }