cxf-issues mailing list archives

From "Sergey Beryozkin (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (CXF-6492) AbstractHTTPDestination class incorrectly assume only one empty space after "Basic" in Authorization header value.
Date Thu, 09 Jul 2015 10:46:04 GMT

    [ https://issues.apache.org/jira/browse/CXF-6492?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14620305#comment-14620305 ]

Sergey Beryozkin edited comment on CXF-6492 at 7/9/15 10:45 AM:
----------------------------------------------------------------

Can you please tell me which client puts 2 spaces in 
{noformat}
"Basic  credentials" ? 
{noformat}
For example, I'm not sure the following is valid:
{noformat}
"Basic                                              credentials"
{noformat}
where there are 40 spaces, so why should 2 spaces be supported?



was (Author: sergey_beryozkin):
Can you please tell me which client puts 2 spaces in "Basic  credentials" ? 

For example, I'm not sure the following is valid:
"Basic                                              credentials"
where there are 40 spaces, so why should 2 spaces be supported?


> AbstractHTTPDestination class incorrectly assume only one empty space after "Basic" in Authorization header value. 
> -------------------------------------------------------------------------------------------------------------------
>
>                 Key: CXF-6492
>                 URL: https://issues.apache.org/jira/browse/CXF-6492
>             Project: CXF
>          Issue Type: Bug
>          Components: JAX-RS
>    Affects Versions: 2.7.16, 3.1.1
>            Reporter: Sagara Gunathunga 
>
> The getAuthorizationPolicyFromMessage() method in the AbstractHTTPDestination class incorrectly assumes only one empty space after "Basic" in the Authorization header value, but one can send multiple empty spaces after the "Basic" string or can skip the content after the "Basic" string; in both cases CXF returns Java exceptions along with a stack trace to the client side. 
> case - 1 : curl http://localhost:8080/hello/echo/hello -H "Authorization:Basic  YWRtaW46YWRtaW4=" ( 2 whitespace characters after "Basic" )
> java.lang.NullPointerException
> 	at java.lang.String.<init>(String.java:556)
> 	at org.apache.cxf.transport.http.AbstractHTTPDestination.getAuthorizationPolicyFromMessage(AbstractHTTPDestination.java:167)
> 	at org.apache.cxf.transport.http.AbstractHTTPDestination.setupMessage(AbstractHTTPDestination.java:385)
> 	at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:236)
> 	at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:234)
> 	at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:208)
> 	at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:160)
> 	at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:171)
> 	at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:293)
> 	at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doGet(AbstractHTTPServlet.java:217)
> 	at javax.servlet.http.HttpServlet.service(HttpServlet.java:735)
> case - 2 : curl http://localhost:8080/hello/echo/hello -H "Authorization:Basic" ( No content after "Basic" )
>  
> Server Error</pre></p><h3>Caused by:</h3><pre>java.lang.ArrayIndexOutOfBoundsException: 1
> 	at org.apache.cxf.transport.http.AbstractHTTPDestination.getAuthorizationPolicyFromMessage(AbstractHTTPDestination.java:165)
> 	at org.apache.cxf.transport.http.AbstractHTTPDestination.setupMessage(AbstractHTTPDestination.java:385)
> 	at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:236)
> 	at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:234)
> 	at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:208)
> 	at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:160)
> 	at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:171)
> 	at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:293)
> 	at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doGet(AbstractHTTPServlet.java:217)
> 	at javax.servlet.http.HttpServlet.service(HttpServlet.java:735)



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
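
The two failure cases in the report, handled defensively, as an added example that is not part of the original message and is not CXF's code or its fix. The class name `BasicAuthHeader` and the method `parse` are hypothetical; the sample header values are the ones from the report plus the single-space form.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Optional;

public class BasicAuthHeader {

    /** Returns {user, password}, or empty if the header is not a usable Basic credential. */
    static Optional<String[]> parse(String header) {
        if (header == null) {
            return Optional.empty();
        }
        // Split scheme from credentials on a run of spaces; limit 2 keeps the remainder intact.
        String[] parts = header.trim().split(" +", 2);
        if (parts.length != 2 || !"Basic".equalsIgnoreCase(parts[0])) {
            return Optional.empty();   // covers "Basic" with nothing after it
        }
        byte[] decoded;
        try {
            decoded = Base64.getDecoder().decode(parts[1]);
        } catch (IllegalArgumentException e) {
            return Optional.empty();   // not valid Base64: reject instead of propagating
        }
        String userPass = new String(decoded, StandardCharsets.UTF_8);
        int colon = userPass.indexOf(':');
        if (colon < 0) {
            return Optional.empty();   // no user:password separator
        }
        return Optional.of(new String[] {
            userPass.substring(0, colon), userPass.substring(colon + 1)});
    }

    public static void main(String[] args) {
        // Header values from the two reported cases, plus the single-space form.
        String[] samples = {"Basic YWRtaW46YWRtaW4=", "Basic  YWRtaW46YWRtaW4=", "Basic"};
        for (String s : samples) {
            String result = parse(s).map(c -> "user=" + c[0]).orElse("rejected (respond 401)");
            System.out.println("[" + s + "] -> " + result);
        }
    }
}
```

Every malformed value ends in the same empty result, so the caller can answer with a plain 401 and no exception or stack trace reaches the client.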
