
Accessing authenticationendpoint/login.do without any URL parameters isn't gracefully handled in the front and back end #24004

vfraga opened this issue May 9, 2025 · 0 comments
vfraga commented May 9, 2025

Description

Accessing https://{IS_HOST}:{IS_PORT}/authenticationendpoint/login.do triggers the checkSessionKey JS function defined in the login.jsp page of the authenticationendpoint webapp:

    <body onload="checkSessionKey()">
    . . . 
    <script>
        function checkSessionKey() {
            var proxyPath = "<%=Encode.forJavaScriptAttribute(contextPath)%>"

            $.ajax({
                type: "GET",
                url: proxyPath + "/logincontext?sessionDataKey=" + getParameterByName("sessionDataKey") +
                    "&relyingParty=" + getParameterByName("relyingParty") + "&tenantDomain="
                    + getParameterByName("tenantDomain") + "&authenticators=" + getParameterByName("authenticators"), success: function (data) {
                    if (data && data.status == 'redirect' && data.redirectUrl && data.redirectUrl.length > 0) {
                        window.location.href = data.redirectUrl;
                    }
                },
                cache: false
            });
        }
    . . .

When these URL parameters (i.e., sessionDataKey, relyingParty, tenantDomain, authenticators) are null, the string concatenation operation adds a null string, making the API call look like: logincontext?sessionDataKey=null&relyingParty=null&tenantDomain=null&authenticators=null, allowing the request to bypass the validations in LoginContextManagementUtil::handleLoginContext, and causing the following server error:

    . . . ERROR {org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/].[bridgeservlet]} - Servlet.service() for servlet [bridgeservlet] in context with path [/] threw exception java.util.EmptyStackException
    	at java.base/java.util.Stack.peek(Stack.java:102)
    	at java.base/java.util.Stack.pop(Stack.java:84)
    	at org.wso2.carbon.context.internal.CarbonContextDataHolder.endTenantFlow(CarbonContextDataHolder.java:1298)
    	at org.wso2.carbon.context.PrivilegedCarbonContext.endTenantFlow(PrivilegedCarbonContext.java:75)
    	at org.wso2.carbon.identity.application.mgt.ApplicationMgtUtil.endTenantFlow(ApplicationMgtUtil.java:806)
    	at org.wso2.carbon.identity.application.mgt.ApplicationManagementServiceImpl.getServiceProvider(ApplicationManagementServiceImpl.java:1161)
    	at org.wso2.carbon.identity.application.authentication.framework.util.LoginContextManagementUtil.getAccessURLFromApplication(LoginContextManagementUtil.java:186)
    	at org.wso2.carbon.identity.application.authentication.framework.util.LoginContextManagementUtil.getRedirectURL(LoginContextManagementUtil.java:156)
    	at org.wso2.carbon.identity.application.authentication.framework.util.LoginContextManagementUtil.handleLoginContext(LoginContextManagementUtil.java:107)
    	at org.wso2.carbon.identity.application.authentication.framework.servlet.LoginContextServlet.doGet(LoginContextServlet.java:40)
    	at javax.servlet.http.HttpServlet.service(HttpServlet.java:529)
    	. . .

Optimally, the getParameterByName JS function should return an empty string when a URL parameter doesn't exist to allow server-side validations to happen correctly, and the server should handle these edge cases gracefully instead of returning a server error.

It's worth noting there's a similar pattern in the basicauth.jsp page in the authenticationendpoint webapp.

Steps to Reproduce

  1. Access the https://{IS_HOME}:{IS_PORT}/authenticationendpoint/login.do page (e.g., https://localhost:9443/authenticationendpoint/login.do).
  2. Observe the error and stacktrace in the carbon logs.

Version

IS 5.10, 5.11.0, 6.0.0, 6.1.0

Environment Details (with versions)

N/A
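The null-concatenation behaviour described above, reproduced as an added example (this is not code from the issue or from the WSO2 authenticationendpoint webapp). The helper names `getParameterByNameLegacy`, `getParameterByNameSafe`, `buildLoginContextUrl` and `serverRejectsAsMissing` are hypothetical stand-ins: the first mimics a classic regex-based lookup that returns null for absent parameters, the second returns an empty string, and the last models a typical server-side blank check that the literal string "null" slips past.

```javascript
// Added example: shows how an absent URL parameter turns into the literal text
// "null" in the /logincontext query, and how an empty-string fallback fixes it.

// Legacy-style lookup (hypothetical): absent parameter -> null, like the
// regex-based getParameterByName snippets common in jQuery-era pages.
function getParameterByNameLegacy(name, search) {
  const escaped = name.replace(/[\[\]]/g, "\\$&");
  const match = new RegExp("[?&]" + escaped + "(=([^&#]*)|&|#|$)").exec(search);
  if (!match) return null;           // absent -> null (the bug)
  if (!match[2]) return "";          // present but empty -> ""
  return decodeURIComponent(match[2].replace(/\+/g, " "));
}

// Hardened lookup (hypothetical): absent parameter -> "" so the server-side
// validation sees a genuinely blank value instead of the string "null".
function getParameterByNameSafe(name, search) {
  const value = new URLSearchParams(search).get(name);
  return value === null ? "" : value;
}

const LOGIN_CONTEXT_PARAMS = ["sessionDataKey", "relyingParty", "tenantDomain", "authenticators"];

// Builds the query the same way login.jsp does: plain string concatenation,
// so whatever the lookup returns (including null) is stringified into the URL.
function buildLoginContextUrl(proxyPath, search, lookup) {
  return proxyPath + "/logincontext?" +
    LOGIN_CONTEXT_PARAMS.map(p => p + "=" + lookup(p, search)).join("&");
}

// Stand-in for a server-side "parameter missing?" check (hypothetical, modelled
// on an isBlank-style test). "null" is a non-blank string, so it passes.
function serverRejectsAsMissing(url) {
  const qs = new URL(url, "https://localhost:9443").searchParams;
  return LOGIN_CONTEXT_PARAMS.some(p => !qs.get(p) || qs.get(p).trim() === "");
}

// Constructed input: login.do opened with no query string at all.
const buggy = buildLoginContextUrl("/authenticationendpoint", "", getParameterByNameLegacy);
const fixed = buildLoginContextUrl("/authenticationendpoint", "", getParameterByNameSafe);
console.log(buggy); // ...?sessionDataKey=null&relyingParty=null&tenantDomain=null&authenticators=null
console.log(fixed); // ...?sessionDataKey=&relyingParty=&tenantDomain=&authenticators=
console.log(serverRejectsAsMissing(buggy), serverRejectsAsMissing(fixed)); // false true
```

Run with `node` to compare the two generated URLs; the empty-string variant is the one a blank check on the server can reject before any tenant flow is started.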

@vfraga vfraga added the Type/Bug label May 9, 2025
@vfraga vfraga changed the title Accessing authenticationendpoint/login.do without any URL parameters isn't gracefully handled in the front end Accessing authenticationendpoint/login.do without any URL parameters isn't gracefully handled in the front and back end May 9, 2025