jBCrypt String index out of range: 0 error on starting app in Netbeans

Question

I'm receiving the following error in the Apache logs when starting my application

I've found BCrypt.checkpw() Invalid salt version exception But this is not a match as the passwords stored in the DB for my users are hashed and this error appears on start up and I've no issues logging in 99.99% of the time.

29-Oct-2017 22:12:32.242 SEVERE [http-nio-8084-exec-1] org.apache.catalina.core.StandardWrapperValve.invoke Servlet.service() for     servlet [UserController] in context with path [/medsched] threw exception
 java.lang.StringIndexOutOfBoundsException: String index out of range: 0
at java.lang.String.charAt(String.java:658)
at org.mindrot.jbcrypt.BCrypt.hashpw(BCrypt.java:658)
at org.mindrot.jbcrypt.BCrypt.checkpw(BCrypt.java:764)
at medsched.data.UserDB.loginUser(UserDB.java:216)
at medsched.controllers.UserController.logInToSite(UserController.java:165)
at medsched.controllers.UserController.doPost(UserController.java:41)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:648)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:291)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.netbeans.modules.web.monitor.server.MonitorFilter.doFilter(MonitorFilter.java:393)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.filters.CsrfPreventionFilter.doFilter(CsrfPreventionFilter.java:213)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at medsched.filters.SecPageFilter.doFilter(SecPageFilter.java:61)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.logging.log4j.web.Log4jServletFilter.doFilter(Log4jServletFilter.java:71)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:217)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:142)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:616)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:518)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1091)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:673)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1500)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1456)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:745)

It does not seem to affect the application as nearly most of the time as I can log in or if I present a password mismatch I am returned to a login error jsp defined in my application. I do some times, however receive a 500 error page with

java.lang.StringIndexOutOfBoundsException: String index out of range: 0
at java.lang.String.charAt(String.java:658)
at org.mindrot.jbcrypt.BCrypt.hashpw(BCrypt.java:658)
at org.mindrot.jbcrypt.BCrypt.checkpw(BCrypt.java:764)
at medsched.data.UserDB.loginUser(UserDB.java:216)
at   medsched.controllers.UserController.logInToSite(UserController.java:165)
at medsched.controllers.UserController.doPost(UserController.java:41)

Could it be the way I'm using BCrypt.checkpw ?? I'd understand the error appearing if I was attempting to log in, but not on starting the application in Netbeans.

public static User loginUser(String phnum,String passw) {
    ConnectionPool pool = ConnectionPool.getInstance();
    Connection connection = pool.getConnection();
    PreparedStatement ps = null;
    ResultSet rs = null;
    String hpwd="";

    //Get the key 
    String key=confUtil.encDeckey();

     String query = "SELECT userid,fName,pwd FROM users "
           + "WHERE  phone = AES_ENCRYPT(?,?) AND active=1";
    try {
        ps = connection.prepareStatement(query);
        ps.setString(1, phnum);
        ps.setString(2, key);
        rs = ps.executeQuery();
        User user = null;
        if (rs.next()) {
            user = new User();
            user.setUserID(rs.getLong("userid"));
            user.setFName(rs.getString("fName"));
            user.setPwd(rs.getString("pwd"));
           hpwd=user.getPwd();
        }
        if(hpwd!=null || !hpwd.isEmpty()){
            if(!BCrypt.checkpw(passw,hpwd)){
            user=null;
            }
        }

    } catch (SQLException e) {
        //System.err.println(e);
        log.error("Exception when trying to log in",e);

        return null;
    } finally {
        DBUtil.closeResultSet(rs);
        DBUtil.closePreparedStatement(ps);
        pool.freeConnection(connection);
    }
}

Issue occurred again today, posting the 500 error that I'm getting

HTTP Status 500 - String index out of range: 0 type Exception report

message String index out of range: 0

description The server encountered an internal error that prevented it from fulfilling this request.

exception
java.lang.StringIndexOutOfBoundsException: String index out of range: 0
java.lang.String.charAt(String.java:658)
org.mindrot.jbcrypt.BCrypt.hashpw(BCrypt.java:658)
org.mindrot.jbcrypt.BCrypt.checkpw(BCrypt.java:764)
medsched.data.UserDB.loginUser(UserDB.java:190)
medsched.controllers.UserController.logInToSite(UserController.java:169)
medsched.controllers.UserController.doPost(UserController.java:41)
javax.servlet.http.HttpServlet.service(HttpServlet.java:648)
javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
  org.netbeans.modules.web.monitor.server.MonitorFilter.doFilter(MonitorFilter.java:393)
 org.apache.catalina.filters.CsrfPreventionFilter.doFilter(CsrfPreventionFilter.java:213)
 medsched.filters.SecPageFilter.doFilter(SecPageFilter.java:61)
        org.apache.logging.log4j.web.Log4jServletFilter.doFilter(Log4jServletFilter.java:71)

 note The full stack trace of the root cause is available in the Apache Tomcat/8.0.27 logs.

Answer 1

I just ran into a similar issue:

Bcrypt throws java.lang.StringIndexOutOfBoundsException: String index out of range: 0.

In my case I found out that the hashed password was empty.

I can't tell why this error is appearing at app start without seeing more code.