apache · sureshanaparti · Feb 4, 2026
diff --git a/...src/main/java/org/apache/cloudstack/oauth2/api/command/OauthLoginAPIAuthenticatorCmd.java b/...src/main/java/org/apache/cloudstack/oauth2/api/command/OauthLoginAPIAuthenticatorCmd.java
@@ -177,12 +177,8 @@ private String doOauthAuthentication(HttpSession session, Long domainId, String
 
     protected Long getDomainIdFromParams(Map<String, Object[]> params, StringBuilder auditTrailSb, String responseType) {
         String[] domainIdArr = (String[])params.get(ApiConstants.DOMAIN_ID);
-
-        if (domainIdArr == null) {
-            domainIdArr = (String[])params.get(ApiConstants.DOMAIN__ID);
-        }
         Long domainId = null;
-        if ((domainIdArr != null) && (domainIdArr.length > 0)) {
+        if (domainIdArr != null && domainIdArr.length > 0) {
             try {
                 //check if UUID is passed in for domain
                 domainId = _apiServer.fetchDomainId(domainIdArr[0]);

diff --git a/.../saml2/src/main/java/org/apache/cloudstack/api/command/SAML2LoginAPIAuthenticatorCmd.java b/.../saml2/src/main/java/org/apache/cloudstack/api/command/SAML2LoginAPIAuthenticatorCmd.java
@@ -158,11 +158,17 @@ public String authenticate(final String command, final Map<String, Object[]> par
                 String domainPath = null;
 
                 if (params.containsKey(ApiConstants.IDP_ID)) {
-                    idpId = ((String[])params.get(ApiConstants.IDP_ID))[0];
+                    String[] idpIds = (String[])params.get(ApiConstants.IDP_ID);
+                    if (idpIds != null && idpIds.length > 0) {
+                        idpId = idpIds[0];
+                    }
                 }
 
                 if (params.containsKey(ApiConstants.DOMAIN)) {
-                    domainPath = ((String[])params.get(ApiConstants.DOMAIN))[0];
+                    String[] domainPaths = (String[])params.get(ApiConstants.DOMAIN);
+                    if (domainPaths != null && domainPaths.length > 0) {
+                        domainPath = domainPaths[0];
+                    }
                 }
 
                 if (domainPath != null && !domainPath.isEmpty()) {

diff --git a/server/src/main/java/com/cloud/api/ApiServlet.java b/server/src/main/java/com/cloud/api/ApiServlet.java
@@ -164,7 +164,6 @@ private void checkSingleQueryParameterValue(Map<String, String[]> params) {
                 LOGGER.warn(message);
             }
         });
-
     }
 
     void processRequestInContext(final HttpServletRequest req, final HttpServletResponse resp) {
@@ -550,6 +549,9 @@ public static void invalidateHttpSession(HttpSession session, String msg) {
             if (LOGGER.isTraceEnabled()) {
                 LOGGER.trace(msg);
             }
+            if (session == null) {
+                return;
+            }
             session.invalidate();
         } catch (final IllegalStateException ise) {
             if (LOGGER.isTraceEnabled()) {

diff --git a/server/src/main/java/com/cloud/api/auth/DefaultLoginAPIAuthenticatorCmd.java b/server/src/main/java/com/cloud/api/auth/DefaultLoginAPIAuthenticatorCmd.java
@@ -47,7 +47,6 @@
 @APICommand(name = "login", description = "Logs a user into the CloudStack. A successful login attempt will generate a JSESSIONID cookie value that can be passed in subsequent Query command calls until the \"logout\" command has been issued or the session has expired.", requestHasSensitiveInfo = true, responseObject = LoginCmdResponse.class, entityType = {})
 public class DefaultLoginAPIAuthenticatorCmd extends BaseCmd implements APIAuthenticator {
 
-
     /////////////////////////////////////////////////////
     //////////////// API parameters /////////////////////
     /////////////////////////////////////////////////////
@@ -107,17 +106,13 @@ public String authenticate(String command, Map<String, Object[]> params, HttpSes
         if (HTTPMethod.valueOf(req.getMethod()) != HTTPMethod.POST) {
             throw new ServerApiException(ApiErrorCode.METHOD_NOT_ALLOWED, "Please use HTTP POST to authenticate using this API");
         }
+
         // FIXME: ported from ApiServlet, refactor and cleanup
         final String[] username = (String[])params.get(ApiConstants.USERNAME);
         final String[] password = (String[])params.get(ApiConstants.PASSWORD);
-        String[] domainIdArr = (String[])params.get(ApiConstants.DOMAIN_ID);
-
-        if (domainIdArr == null) {
-            domainIdArr = (String[])params.get(ApiConstants.DOMAIN__ID);
-        }
-        final String[] domainName = (String[])params.get(ApiConstants.DOMAIN);
+        final String[] domainIdArr = (String[])params.get(ApiConstants.DOMAIN_ID);
         Long domainId = null;
-        if ((domainIdArr != null) && (domainIdArr.length > 0)) {
+        if (domainIdArr != null && domainIdArr.length > 0) {
             try {
                 //check if UUID is passed in for domain
                 domainId = _apiServer.fetchDomainId(domainIdArr[0]);
@@ -135,6 +130,7 @@ public String authenticate(String command, Map<String, Object[]> params, HttpSes
         }
 
         String domain = null;
+        final String[] domainName = (String[])params.get(ApiConstants.DOMAIN);
         domain = getDomainName(auditTrailSb, domainName, domain);
 
         String serializedResponse = null;

diff --git a/server/src/main/java/com/cloud/api/auth/DefaultResetPasswordAPIAuthenticatorCmd.java b/server/src/main/java/com/cloud/api/auth/DefaultResetPasswordAPIAuthenticatorCmd.java
@@ -53,7 +53,6 @@
         responseObject = SuccessResponse.class)
 public class DefaultResetPasswordAPIAuthenticatorCmd extends BaseCmd implements APIAuthenticator {
 
-
     /////////////////////////////////////////////////////
     //////////////// API parameters /////////////////////
     /////////////////////////////////////////////////////