Unexpected exception during security processing #8480

Closed
barchetta opened this issue Mar 14, 2024 · 3 comments · Fixed by #8489
Labels: 4.x, bug, P2, security, triage

@barchetta
Member

Environment Details

  • Helidon Version: 4.0.5
  • Helidon MP

Problem Description

Customer reports:
"upgraded our Helidon OIDC application from v2.6.3 to v4.0.5. While redirection from Keycloak to our application I am seeing this issue:"

Mar 12, 2024 1:22:30 PM io.helidon.webserver.ServerListener start
INFO: [0x42ee4cb1] http://0.0.0.0:8080/ bound for socket '@default'
Mar 12, 2024 1:22:30 PM io.helidon.webserver.LoomServer startIt
INFO: Started all channels in 18 milliseconds. 4540 milliseconds since JVM startup. Java 21.0.2+13-LTS-58
Mar 12, 2024 1:22:30 PM io.helidon.microprofile.server.ServerCdiExtension startServer
INFO: Server started on http://localhost:8080/ (and all other host addresses) in 4554 milliseconds (since JVM startup).
Mar 12, 2024 1:22:31 PM io.helidon.common.features.HelidonFeatures features
INFO: Helidon MP 4.0.5 features: [CDI, Config, Fault Tolerance, Health, Metrics, Open API, REST Client, Security, Server]
Mar 12, 2024 1:22:33 PM io.helidon.webserver.security.SecurityHandler processSecurity
SEVERE: Unexpected exception during security processing
java.util.NoSuchElementException
        at java.base/java.util.ImmutableCollections$ListItr.next(ImmutableCollections.java:382)
        at io.helidon.http.HeaderValueList.<init>(HeaderValueList.java:27)
        at io.helidon.http.HeaderValues.create(HeaderValues.java:325)
        at io.helidon.http.HeaderValues.create(HeaderValues.java:337)
        at io.helidon.webserver.security.SecurityHandler.lambda$processAuthentication$8(SecurityHandler.java:578)
        at java.base/java.util.HashMap.forEach(HashMap.java:1429)
        at io.helidon.webserver.security.SecurityHandler.processAuthentication(SecurityHandler.java:578)
        at io.helidon.webserver.security.SecurityHandler.processSecurity(SecurityHandler.java:480)
        at io.helidon.webserver.security.SecurityHandler.handle(SecurityHandler.java:255)
        at io.helidon.webserver.http.HttpRouting$RoutingExecutor.doRoute(HttpRouting.java:668)
        at io.helidon.webserver.http.HttpRouting$RoutingExecutor.call(HttpRouting.java:627)
        at io.helidon.webserver.http.HttpRouting$RoutingExecutor.call(HttpRouting.java:605)
        at io.helidon.webserver.http.ErrorHandlers.runWithErrorHandling(ErrorHandlers.java:75)
        at io.helidon.webserver.http.Filters$FilterChainImpl.proceed(Filters.java:121)
        at io.helidon.webserver.observe.metrics.MetricsFeature.lambda$configureVendorMetrics$2(MetricsFeature.java:90)
        at io.helidon.webserver.http.Filters$FilterChainImpl.proceed(Filters.java:119)
        at io.helidon.webserver.security.SecurityContextFilter.filter(SecurityContextFilter.java:88)
        at io.helidon.webserver.http.Filters$FilterChainImpl.proceed(Filters.java:119)
        at io.helidon.common.context.Contexts.runInContext(Contexts.java:117)
        at io.helidon.webserver.context.ContextRoutingFeature.filter(ContextRoutingFeature.java:50)
        at io.helidon.webserver.http.Filters$FilterChainImpl.proceed(Filters.java:119)
        at io.helidon.webserver.http.Filters.executeFilters(Filters.java:87)
        at io.helidon.webserver.http.Filters.lambda$filter$0(Filters.java:83)
        at io.helidon.webserver.http.ErrorHandlers.runWithErrorHandling(ErrorHandlers.java:75)
        at io.helidon.webserver.http.Filters.filter(Filters.java:83)
        at io.helidon.webserver.http.HttpRouting.route(HttpRouting.java:109)
        at io.helidon.webserver.http1.Http1Connection.route(Http1Connection.java:357)
        at io.helidon.webserver.http1.Http1Connection.handle(Http1Connection.java:194)
        at io.helidon.webserver.ConnectionHandler.run(ConnectionHandler.java:165)
        at io.helidon.common.task.InterruptableTask.call(InterruptableTask.java:47)
        at io.helidon.webserver.ThreadPerTaskExecutor$ThreadBoundFuture.run(ThreadPerTaskExecutor.java:239)
        at java.base/java.lang.VirtualThread.run(VirtualThread.java:309)
@barchetta
Member Author

This could be caused by HeaderValueList not handling an empty collection of values:

HeaderValueList(HeaderName name, boolean changing, boolean sensitive, Collection<String> values) {

@m0mus m0mus added bug Something isn't working P2 labels Mar 18, 2024
@tomas-langer
Member

Header must have a value (an empty string at least).
I will update the implementation to validate inputs, and fail if an empty list is provided.
I have discovered one type where this may have originated and fixed the update of response headers (by checking if the list of cookies to be set is empty).
The new code would throw an exception with header name if wrong, so we should be able to better understand where the offending value comes from.

@tomas-langer
Member

This issue should be resolved by #8489
Please open a new issue with full stack trace if the problem manifests after this change is included in a release.
Thank you
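
The failure mode and the input validation discussed in this thread, as an added example that is not Helidon's code and not taken from #8489. `HeaderSketch`, its methods and the sample header map (including the `Set-Cookie` and `Location` entries) are hypothetical and constructed for illustration.

```java
import java.util.Collection;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.NoSuchElementException;

// Added illustration; HeaderSketch is hypothetical, not a Helidon class.
public class HeaderSketch {
    private final String name;
    private final List<String> values;

    private HeaderSketch(String name, Collection<String> values) {
        this.name = name;
        this.values = List.copyOf(values);
    }

    // Unvalidated: reads the first value straight from the iterator, so an empty
    // collection fails with a bare NoSuchElementException that names no header.
    static HeaderSketch unchecked(String name, Collection<String> values) {
        values.iterator().next();
        return new HeaderSketch(name, values);
    }

    // Validated: rejects empty input and reports which header was wrong.
    static HeaderSketch checked(String name, Collection<String> values) {
        if (values == null || values.isEmpty()) {
            throw new IllegalArgumentException(
                    "Header '" + name + "' must have at least one value (an empty string is allowed)");
        }
        return new HeaderSketch(name, values);
    }

    public static void main(String[] args) {
        // Constructed sample: response headers gathered during authentication,
        // where there turned out to be no cookies to set.
        Map<String, List<String>> responseHeaders = new HashMap<>();
        responseHeaders.put("Set-Cookie", List.of());
        responseHeaders.put("Location", List.of("/app"));

        try {
            responseHeaders.forEach(HeaderSketch::unchecked);
        } catch (NoSuchElementException e) {
            System.out.println("unchecked: " + e);            // no hint which header failed
        }
        try {
            responseHeaders.forEach(HeaderSketch::checked);
        } catch (IllegalArgumentException e) {
            System.out.println("checked: " + e.getMessage()); // message names the header
        }
        // Caller-side guard: only create headers that actually have values to send.
        responseHeaders.forEach((n, v) -> { if (!v.isEmpty()) checked(n, v); });
    }
}
```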

@m0mus m0mus added this to Backlog Aug 12, 2024
@m0mus m0mus moved this to Closed in Backlog Aug 12, 2024