RH-SSO handles empty POST data incorrectly while invoking admin REST interfaces

Solution Verified - Updated -


  • When making POST requests to /users and /groups REST interfaces with empty data RH-SSO returns HTTP/1.1 500 Internal server error.

  • RH-SSO currently produces an uncaught java.lang.NullPointerException with empty POST data while invoking admin REST interfaces which is not just an extremely bad programming style but a sign for unwanted after effects.

  • RH-SSO is vulnerable against bad requests with none/empty post data.


  • Red Hat Single Sign-On (RH-SSO)
    • 7.x

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase of over 48,000 articles and solutions.

Current Customers and Partners

Log in for full access

Log In