Mailing-List: contact issues-help@cxf.apache.org; run by ezmlm
Precedence: bulk
Reply-To: dev@cxf.apache.org
Delivered-To: mailing list issues@cxf.apache.org
Date: Thu, 9 Jul 2015 16:04:05 +0000 (UTC)
From: "Daniel Kulp (JIRA)"
To: issues@cxf.apache.org
Subject: [jira] [Commented] (CXF-6492) AbstractHTTPDestination class incorrectly assumes only one empty space after "Basic" in Authorization header value.
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394
[ https://issues.apache.org/jira/browse/CXF-6492?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14620745#comment-14620745 ]
Daniel Kulp commented on CXF-6492:
----------------------------------
Looking at the spec at https://tools.ietf.org/html/rfc7235#section-2.1, the "credentials" type is defined as:
{code}
credentials = auth-scheme [ 1*SP ( token68 / #auth-param ) ]
{code}
which means it needs at least one, but up to infinite, spaces. Thus, this is valid.
> AbstractHTTPDestination class incorrectly assumes only one empty space after "Basic" in Authorization header value.
> -------------------------------------------------------------------------------------------------------------------
>
> Key: CXF-6492
> URL: https://issues.apache.org/jira/browse/CXF-6492
> Project: CXF
> Issue Type: Bug
> Components: JAX-RS
> Affects Versions: 2.7.16, 3.1.1
> Reporter: Sagara Gunathunga
>
> The getAuthorizationPolicyFromMessage() method in the AbstractHTTPDestination class incorrectly assumes only one empty space after "Basic" in the Authorization header value, but one can send multiple empty spaces after the "Basic" string, or omit the content after the "Basic" string; in both cases CXF returns Java exceptions along with a stack trace to the client side.
> case 1: curl http://localhost:8080/hello/echo/hello -H "Authorization:Basic YWRtaW46YWRtaW4=" (2 whitespace characters after "Basic")
> java.lang.NullPointerException
> at java.lang.String.<init>(String.java:556)
> at org.apache.cxf.transport.http.AbstractHTTPDestination.getAuthorizationPolicyFromMessage(AbstractHTTPDestination.java:167)
> at org.apache.cxf.transport.http.AbstractHTTPDestination.setupMessage(AbstractHTTPDestination.java:385)
> at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:236)
> at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:234)
> at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:208)
> at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:160)
> at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:171)
> at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:293)
> at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doGet(AbstractHTTPServlet.java:217)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:735)
> case 2: curl http://localhost:8080/hello/echo/hello -H "Authorization:Basic" (no content after "Basic")
>
> Server Error
> Caused by:
> java.lang.ArrayIndexOutOfBoundsException: 1
> at org.apache.cxf.transport.http.AbstractHTTPDestination.getAuthorizationPolicyFromMessage(AbstractHTTPDestination.java:165)
> at org.apache.cxf.transport.http.AbstractHTTPDestination.setupMessage(AbstractHTTPDestination.java:385)
> at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:236)
> at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:234)
> at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:208)
> at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:160)
> at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:171)
> at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:293)
> at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doGet(AbstractHTTPServlet.java:217)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:735)
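As an added illustration (not code from this thread or from CXF itself), here is a parser that follows the RFC 7235 `credentials` grammar Daniel quotes: it accepts the two-space value from case 1, which `1*SP` permits, and rejects the bare "Basic" from case 2 without indexing past the end of anything. The class name `BasicCredentialsParser` and its `Optional`-returning API are assumptions of this example.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Optional;
import java.util.regex.Pattern;

/** Parses Basic credentials per the RFC 7235 grammar quoted above; hypothetical, not CXF code. */
public final class BasicCredentialsParser {

    // token68 = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
    private static final Pattern TOKEN68 = Pattern.compile("[A-Za-z0-9\\-._~+/]+=*");

    /** Returns {user, password}, or empty for anything that is not well-formed Basic credentials. */
    static Optional<String[]> parse(String authorization) {
        if (authorization == null) return Optional.empty();
        // auth-scheme is a token and is compared case-insensitively.
        int schemeEnd = authorization.indexOf(' ');
        String scheme = schemeEnd < 0 ? authorization : authorization.substring(0, schemeEnd);
        if (!"Basic".equalsIgnoreCase(scheme)) return Optional.empty();
        // 1*SP: skip every space instead of assuming exactly one (case 1 in the report).
        int pos = schemeEnd < 0 ? authorization.length() : schemeEnd;
        while (pos < authorization.length() && authorization.charAt(pos) == ' ') {
            pos++;
        }
        // A bare "Basic" (case 2) is grammatically valid but carries no token68: reject, never index [1].
        String token68 = authorization.substring(pos);
        if (!TOKEN68.matcher(token68).matches()) return Optional.empty();
        byte[] raw;
        try {
            raw = Base64.getDecoder().decode(token68);
        } catch (IllegalArgumentException e) {
            return Optional.empty(); // token68-shaped but not valid base64
        }
        // RFC 7617: user-pass = userid ":" password; split on the first colon only.
        String userPass = new String(raw, StandardCharsets.UTF_8);
        int colon = userPass.indexOf(':');
        if (colon < 0) return Optional.empty();
        return Optional.of(new String[] {userPass.substring(0, colon), userPass.substring(colon + 1)});
    }

    public static void main(String[] args) {
        // The two header values from the report (two spaces; bare "Basic") plus a well-formed one.
        for (String h : new String[] {"Basic  YWRtaW46YWRtaW4=", "Basic", "Basic YWRtaW46YWRtaW4="}) {
            System.out.println("[" + h + "] -> " + parse(h).map(p -> p[0] + " / " + p[1]).orElse("rejected"));
        }
    }
}
```

Returning an empty result lets the transport fall through to its normal 401 challenge instead of leaking a stack trace to the client, which is the behaviour the report complains about.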