cxf-issues mailing list archives

From "Sagara Gunathunga (JIRA)" <j...@apache.org>
Subject [jira] [Created] (CXF-6492) AbstractHTTPDestination class incorrectly assume only one empty space after "Basic" in Authorization header value.
Date Thu, 09 Jul 2015 10:20:08 GMT
Sagara Gunathunga  created CXF-6492:
---------------------------------------

             Summary: AbstractHTTPDestination class incorrectly assume only one empty space
after "Basic" in Authorization header value. 
                 Key: CXF-6492
                 URL: https://issues.apache.org/jira/browse/CXF-6492
             Project: CXF
          Issue Type: Bug
          Components: JAX-RS
    Affects Versions: 3.1.1, 2.7.16
            Reporter: Sagara Gunathunga 


The getAuthorizationPolicyFromMessage() method in the AbstractHTTPDestination class incorrectly
assumes only one empty space after "Basic" in the Authorization header value, but one can send
multiple empty spaces after the "Basic" string or skip the content after the "Basic" string. In
both cases CXF returns Java exceptions along with a stack trace to the client side.

Case 1: curl http://localhost:8080/hello/echo/hello -H "Authorization:Basic  YWRtaW46YWRtaW4="
  (2 whitespace characters after "Basic")

java.lang.NullPointerException
	at java.lang.String.<init>(String.java:556)
	at org.apache.cxf.transport.http.AbstractHTTPDestination.getAuthorizationPolicyFromMessage(AbstractHTTPDestination.java:167)
	at org.apache.cxf.transport.http.AbstractHTTPDestination.setupMessage(AbstractHTTPDestination.java:385)
	at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:236)
	at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:234)
	at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:208)
	at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:160)
	at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:171)
	at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:293)
	at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doGet(AbstractHTTPServlet.java:217)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:735)

Case 2: curl http://localhost:8080/hello/echo/hello -H "Authorization:Basic"
  (no content after "Basic")
 
Server Error
Caused by:
java.lang.ArrayIndexOutOfBoundsException: 1
	at org.apache.cxf.transport.http.AbstractHTTPDestination.getAuthorizationPolicyFromMessage(AbstractHTTPDestination.java:165)
	at org.apache.cxf.transport.http.AbstractHTTPDestination.setupMessage(AbstractHTTPDestination.java:385)
	at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:236)
	at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:234)
	at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:208)
	at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:160)
	at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:171)
	at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:293)
	at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doGet(AbstractHTTPServlet.java:217)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:735)



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
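
The two failing header shapes from this report, run through a tolerant Basic-credentials parser that rejects malformed input instead of throwing. This is an added example, not code from the original message or from CXF; the class name `BasicAuthHeader` and the `Credentials` record are hypothetical, and the record syntax assumes Java 16 or later.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Optional;

public class BasicAuthHeader {
    /** Hypothetical holder for the decoded user/password pair. */
    public record Credentials(String user, String password) { }

    /** Returns credentials, or empty for an absent or malformed header; never throws. */
    public static Optional<Credentials> parse(String header) {
        if (header == null) {
            return Optional.empty();
        }
        // Split on any run of whitespace: "Basic  xyz" gives two tokens, not three.
        String[] parts = header.trim().split("\\s+");
        // A bare "Basic" gives one token, so index 1 is never read blindly.
        if (parts.length != 2 || !"Basic".equalsIgnoreCase(parts[0])) {
            return Optional.empty();
        }
        byte[] decoded;
        try {
            decoded = Base64.getDecoder().decode(parts[1]);
        } catch (IllegalArgumentException e) {
            return Optional.empty(); // token is not valid Base64
        }
        String pair = new String(decoded, StandardCharsets.UTF_8);
        int colon = pair.indexOf(':');
        if (colon < 0) {
            return Optional.empty(); // no user:password separator
        }
        return Optional.of(new Credentials(pair.substring(0, colon), pair.substring(colon + 1)));
    }

    public static void main(String[] args) {
        // Constructed sample headers; the first three shapes come from the report.
        String[] samples = {
            "Basic YWRtaW46YWRtaW4=",   // single space
            "Basic  YWRtaW46YWRtaW4=",  // case 1: two spaces
            "Basic",                    // case 2: no content
            "Basic !!!",                // invalid Base64
            null                        // header absent
        };
        for (String s : samples) {
            String user = parse(s).map(Credentials::user).orElse("<rejected>");
            System.out.println("[" + s + "] -> " + user);
        }
    }
}
```

A caller would treat the empty result as an unauthenticated request, so that no parsing exception or stack trace reaches the client.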
