safe fallbacks when deserializing old SavedRequest

Author: jungm

tomee/tomee-security/src/main/java/org/apache/tomee/security/http/SavedRequest.java

@@ -133,23 +133,23 @@ public String getQueryString() {
 
             @Override
             public Enumeration<String> getParameterNames() {
-                return Collections.enumeration(parameterMap.keySet());
+                return Collections.enumeration(getParameterMap().keySet());
             }
 
             @Override
             public String[] getParameterValues(String name) {
-                return parameterMap.get(name);
+                return getParameterMap().get(name);
             }
 
             @Override
             public String getParameter(String name) {
-                String[] values = parameterMap.get(name);
+                String[] values = getParameterValues(name);
                 return values == null || values.length == 0 ? null : values[0];
             }
 
             @Override
             public Map<String, String[]> getParameterMap() {
-                return parameterMap;
+                return parameterMap != null ? parameterMap : Collections.emptyMap();
             }
         };
     }

tomee/tomee-security/src/test/java/org/apache/tomee/security/http/SavedRequestTest.java

@@ -79,6 +79,29 @@ public void deserialization() throws Exception {
         assertEquals("bar", request.getParameterMap().get("foo")[0]);
     }
 
+    @Test
+    public void deserializationWithoutParameterMap() throws Exception {
+        // JSON produced by older versions that did not include the parameterMap field
+        String json = "{\"cookies\":[{\"name\":\"first\",\"value\":\"val1\",\"attributes\":{}},{\"name\":\"second\",\"value\":\"val2\",\"attributes\":{}}],\"headers\":{\"header1\":[\"h1val1\",\"h1val2\"],\"header2\":[\"h2val1\"]},\"method\":\"PATCH\",\"queryString\":\"foo=bar\",\"url\":\"http://example.com/foo\"}";
+        SavedRequest request = SavedRequest.fromJson(json);
+
+        assertNotNull(request);
+        assertEquals(2, request.getCookies().length);
+        assertEquals("first", request.getCookies()[0].getName());
+        assertEquals("val1", request.getCookies()[0].getValue());
+        assertEquals("second", request.getCookies()[1].getName());
+        assertEquals("val2", request.getCookies()[1].getValue());
+        assertEquals(2, request.getHeaders().size());
+        assertEquals(List.of("h1val1", "h1val2"), request.getHeaders().get("header1"));
+        assertEquals(List.of("h2val1"), request.getHeaders().get("header2"));
+        assertEquals("PATCH", request.getMethod());
+        assertEquals("foo=bar", request.getQueryString());
+        assertEquals("http://example.com/foo", request.getUrl());
+        // parameterMap should be initialized to a safe default (e.g., empty map) rather than null
+        assertNotNull(request.getParameterMap());
+        assertTrue(request.getParameterMap().isEmpty());
+    }
+
     @Test
     public void cookieSerialization() throws Exception {
         JsonbConfig config = new JsonbConfig()