Description
Under a tenant domain other than carbon.super, when approving the API state change request to move the API state from CREATED to PUBLISHED, the request is accepted and a NullPointerException is thrown, but the API is still in the CREATED state.
Steps to Reproduce
Start the APIM pack and IS pack (IS pack to take the LDAP)
Go to the carbon management console of the API Manager and create a tenant domain (abc.com)
Log into the tenant domain and configure the LDAP secondary user store (Domain: SECONDARY)
Then create 2 new users under the secondary userstore with the below user roles.
Under the tenant domain, enable the API state change approval workflow.
Log into the publisher portal by using the creatorUser's credentials and create an API (API Name: API_1, API Version: 1.0.0)
Under the Portal Configurations -> Basic Info section, add the Internal/creator role under the Publisher Access Control role list as below.
Log out from the publisher portal.
After that, log into the publisher portal by using the creatorPublisherUser's credentials and send the API publishing request.
Log into the admin portal by using the tenant admin's credentials.
Try to approve the API state change request and you will be able to see the below error stack trace under the wso2carbon.log level. But at the UI level, there is no error message.
TID: [-1234] [api/am/admin] [2024-10-28 17:49:22,197] ERROR {org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager} - Error occurred while accessing Java Security Manager Privilege Block
TID: [-1234] [api/am/admin] [2024-10-28 17:49:22,200] ERROR {org.wso2.carbon.apimgt.impl.workflow.WorkflowUtils} - Could not complete api state change workflow org.wso2.carbon.apimgt.api.APIManagementException: Error while checking the user:SECONDARY/creatorUser-AT-abc.com authorized or not
at org.wso2.carbon.apimgt.impl.utils.APIUtil.hasPermission_aroundBody142(APIUtil.java:2399)
at org.wso2.carbon.apimgt.impl.utils.APIUtil.hasPermission(APIUtil.java:1)
at org.wso2.carbon.apimgt.impl.APIProviderImpl.checkAccessControlPermission_aroundBody440(APIProviderImpl.java:5712)
at org.wso2.carbon.apimgt.impl.APIProviderImpl.checkAccessControlPermission(APIProviderImpl.java:1)
at org.wso2.carbon.apimgt.impl.APIProviderImpl.getAPIbyUUID_aroundBody398(APIProviderImpl.java:5225)
at org.wso2.carbon.apimgt.impl.APIProviderImpl.getAPIbyUUID(APIProviderImpl.java:1)
at org.wso2.carbon.apimgt.impl.UserAwareAPIProvider.getAPIbyUUID(UserAwareAPIProvider.java:1)
at org.wso2.carbon.apimgt.impl.APIProviderImpl.getAPIorAPIProductByUUID_aroundBody536(APIProviderImpl.java:6920)
at org.wso2.carbon.apimgt.impl.APIProviderImpl.getAPIorAPIProductByUUID(APIProviderImpl.java:1)
at org.wso2.carbon.apimgt.impl.UserAwareAPIProvider.getAPIorAPIProductByUUID(UserAwareAPIProvider.java:1)
at org.wso2.carbon.apimgt.impl.workflow.WorkflowUtils.completeStateChangeWorkflow_aroundBody8(WorkflowUtils.java:288)
at org.wso2.carbon.apimgt.impl.workflow.WorkflowUtils.completeStateChangeWorkflow(WorkflowUtils.java:1)
at org.wso2.carbon.apimgt.impl.workflow.APIStateChangeApprovalWorkflowExecutor.complete_aroundBody10(APIStateChangeApprovalWorkflowExecutor.java:106)
at org.wso2.carbon.apimgt.impl.workflow.APIStateChangeApprovalWorkflowExecutor.complete(APIStateChangeApprovalWorkflowExecutor.java:1)
at org.wso2.carbon.apimgt.rest.api.admin.v1.impl.WorkflowsApiServiceImpl.workflowsUpdateWorkflowStatusPost(WorkflowsApiServiceImpl.java:196)
at org.wso2.carbon.apimgt.rest.api.admin.v1.WorkflowsApi.workflowsUpdateWorkflowStatusPost(WorkflowsApi.java:94)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at org.apache.cxf.service.invoker.AbstractInvoker.performInvocation(AbstractInvoker.java:179)
at org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:96)
at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:201)
at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:104)
at org.apache.cxf.interceptor.ServiceInvokerInterceptor$1.run(ServiceInvokerInterceptor.java:59)
at org.apache.cxf.interceptor.ServiceInvokerInterceptor.handleMessage(ServiceInvokerInterceptor.java:96)
at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)
at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:265)
at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:234)
at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:208)
at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:160)
at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:225)
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:304)
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:217)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:555)
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:279)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:209)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:51)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:168)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:90)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:481)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:130)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:93)
at org.wso2.carbon.identity.context.rewrite.valve.TenantContextRewriteValve.invoke(TenantContextRewriteValve.java:119)
at org.wso2.carbon.identity.context.rewrite.valve.OrganizationContextRewriteValve.invoke(OrganizationContextRewriteValve.java:116)
at org.wso2.carbon.tomcat.ext.valves.SameSiteCookieValve.invoke(SameSiteCookieValve.java:38)
at org.wso2.carbon.identity.authz.valve.AuthorizationValve.invoke(AuthorizationValve.java:165)
at org.wso2.carbon.identity.auth.valve.AuthenticationValve.invoke(AuthenticationValve.java:118)
at org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:106)
at org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:49)
at org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:67)
at org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:152)
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:670)
at org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:63)
at org.wso2.carbon.tomcat.ext.valves.RequestCorrelationIdValve.invoke(RequestCorrelationIdValve.java:137)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:390)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:928)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1794)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52)
at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.base/java.lang.Thread.run(Thread.java:829)
Caused by: org.wso2.carbon.user.core.UserStoreException: Error occurred while accessing Java Security Manager Privilege Block
at org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager.callSecure(JDBCAuthorizationManager.java:1534)
at org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager.isUserAuthorized(JDBCAuthorizationManager.java:226)
at org.wso2.carbon.apimgt.impl.utils.APIUtil.hasPermission_aroundBody142(APIUtil.java:2391)
... 69 more
Caused by: java.security.PrivilegedActionException: java.lang.reflect.InvocationTargetException
at java.base/java.security.AccessController.doPrivileged(Native Method)
at org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager.callSecure(JDBCAuthorizationManager.java:1519)
... 71 more
Caused by: java.lang.reflect.InvocationTargetException
at jdk.internal.reflect.GeneratedMethodAccessor69.invoke(Unknown Source)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager$2.run(JDBCAuthorizationManager.java:1522)
... 73 more
Caused by: java.lang.NullPointerException
at org.wso2.carbon.user.core.authorization.AuthorizationCache.isCaseSensitiveUsername(AuthorizationCache.java:329)
at org.wso2.carbon.user.core.authorization.AuthorizationCache.isUserAuthorized(AuthorizationCache.java:150)
at org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager.isUserAuthorized(JDBCAuthorizationManager.java:257)
... 77 more
After this, check the API state via the publisher portal; the API is still in the CREATED state.
Affected Component
APIM
Version
4.2.0