cxf-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Chris Wolf (JIRA)" <j...@apache.org>
Subject [jira] Created: (CXF-1495) AbstractHTTPDestination not propperly handling zero-length passwords in Basic Authorization header
Date Mon, 31 Mar 2008 19:58:25 GMT
AbstractHTTPDestination not propperly handling zero-length passwords in Basic Authorization
header
--------------------------------------------------------------------------------------------------

                 Key: CXF-1495
                 URL: https://issues.apache.org/jira/browse/CXF-1495
             Project: CXF
          Issue Type: Bug
          Components: Transports
         Environment: Snapshot 30 Jan, 2008
            Reporter: Chris Wolf
            Priority: Minor



When deployin the CXF servlet to a Siteminder-protected web app, Siteminder will modify the
Basic Authorization
header and blank out the password since subsequent requests are already authenticated via
the encrypted
Siteminder cookie.    Zero-lenght passwords in the Basic Authorization headers are permitted
per RFC-2617:
http://www.rfc.net/rfc2617.html#p5

The symptom is the following stace trace:

ava.lang.ArrayIndexOutOfBoundsException: 1
org.apache.cxf.transport.http.AbstractHTTPDestination.setHeaders(AbstractHTTPDestination.java:137)
org.apache.cxf.transport.http.AbstractHTTPDestination.setupMessage(AbstractHTTPDestination.java:286)
org.apache.cxf.transport.servlet.ServletDestination.invoke(ServletDestination.java:82)
org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:213)
org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:150)
org.apache.cxf.transport.servlet.AbstractCXFServlet.invoke(AbstractCXFServlet.java:170)
org.apache.cxf.transport.servlet.AbstractCXFServlet.doPost(AbstractCXFServlet.java:148)
javax.servlet.http.HttpServlet.service(HttpServlet.java:709)
javax.servlet.http.HttpServlet.service(HttpServlet.java:802)

The fix is to change one line in:
org.apache.cxf.transport.http.AbstractHTTPDestination, line 137 (snapshot
2008-01-30)

Change the line from:
String password = authInfo[1];

...to:

String password = (authInfo.length>1?authInfo[1]:"");





-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


Mime
View raw message