cxf-issues mailing list archives

From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CXF-6492) AbstractHTTPDestination class incorrectly assume only one empty space after "Basic" in Authorization header value.
Date Wed, 24 Feb 2016 13:21:18 GMT

    [ https://issues.apache.org/jira/browse/CXF-6492?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15162966#comment-15162966 ]

ASF GitHub Bot commented on CXF-6492:
-------------------------------------

Github user sberyozkin commented on the pull request:

    https://github.com/apache/cxf/pull/81#issuecomment-188252113
  
    Hi - did not see your pull request before applying my own fix - hope you are ok with the fix applied, thanks


> AbstractHTTPDestination class incorrectly assume only one empty space after "Basic" in Authorization header value.
> -------------------------------------------------------------------------------------------------------------------
>
>                 Key: CXF-6492
>                 URL: https://issues.apache.org/jira/browse/CXF-6492
>             Project: CXF
>          Issue Type: Bug
>          Components: JAX-RS
>    Affects Versions: 2.7.16, 3.1.1
>            Reporter: Sagara Gunathunga 
>            Assignee: Sergey Beryozkin
>             Fix For: 3.2.0, 3.1.6, 3.0.9
>
>
> getAuthorizationPolicyFromMessage() method in AbstractHTTPDestination class incorrectly assumes only one empty space after "Basic" in Authorization header value, but one can send multiple empty spaces after "Basic" or skip the content after "Basic" entirely; in both cases CXF returns Java exceptions along with stack trace to the client side.
> case -1 : curl http://localhost:8080/hello/echo/hello -H "Authorization:Basic  YWRtaW46YWRtaW4=" ( 2 whitespace characters after "Basic" )
> java.lang.NullPointerException
> 	at java.lang.String.<init>(String.java:556)
> 	at org.apache.cxf.transport.http.AbstractHTTPDestination.getAuthorizationPolicyFromMessage(AbstractHTTPDestination.java:167)
> 	at org.apache.cxf.transport.http.AbstractHTTPDestination.setupMessage(AbstractHTTPDestination.java:385)
> 	at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:236)
> 	at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:234)
> 	at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:208)
> 	at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:160)
> 	at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:171)
> 	at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:293)
> 	at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doGet(AbstractHTTPServlet.java:217)
> 	at javax.servlet.http.HttpServlet.service(HttpServlet.java:735)
> case - 2 : curl http://localhost:8080/hello/echo/hello -H "Authorization:Basic" ( No content after "Basic" )
>  
> Server Error
> Caused by: java.lang.ArrayIndexOutOfBoundsException: 1
> 	at org.apache.cxf.transport.http.AbstractHTTPDestination.getAuthorizationPolicyFromMessage(AbstractHTTPDestination.java:165)
> 	at org.apache.cxf.transport.http.AbstractHTTPDestination.setupMessage(AbstractHTTPDestination.java:385)
> 	at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:236)
> 	at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:234)
> 	at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:208)
> 	at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:160)
> 	at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:171)
> 	at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:293)
> 	at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doGet(AbstractHTTPServlet.java:217)
> 	at javax.servlet.http.HttpServlet.service(HttpServlet.java:735)



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
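The two header shapes in the report (several spaces after the scheme, and no token at all) are exactly the inputs a tolerant parser has to handle: RFC 7235 allows one or more spaces between the scheme and the token68, and an absent token is a client error that should produce a 401, not an unhandled exception and a stack trace in the response. The class below is an added example written for this page, not CXF's code and not the fix applied in the pull request; `BasicAuthHeaderParser`, `Credentials` and `parse` are names chosen for this illustration, and the header values in `main` are constructed from the report.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Optional;

/**
 * Tolerant parser for an HTTP Basic "Authorization" header value.
 * Hypothetical example class for this page; not CXF's implementation.
 */
public final class BasicAuthHeaderParser {

    /** User-id / password pair recovered from the header. */
    public static final class Credentials {
        public final String userName;
        public final String password;

        Credentials(String userName, String password) {
            this.userName = userName;
            this.password = password;
        }
    }

    /**
     * Returns the credentials when the value is a well-formed Basic credential,
     * otherwise Optional.empty(). It never throws on malformed input, so the
     * transport can answer 401 + WWW-Authenticate instead of a 500 that
     * carries the server's stack trace.
     */
    public static Optional<Credentials> parse(String headerValue) {
        if (headerValue == null) {
            return Optional.empty();
        }
        // RFC 7235: credentials = auth-scheme [ 1*SP token68 ]. Splitting on the
        // first run of whitespace accepts any number of spaces after the scheme.
        String[] parts = headerValue.trim().split("\\s+", 2);
        if (!"Basic".equalsIgnoreCase(parts[0])) {
            return Optional.empty();               // some other scheme
        }
        if (parts.length < 2 || parts[1].isEmpty()) {
            return Optional.empty();               // "Basic" with no token68 (case 2)
        }
        byte[] raw;
        try {
            raw = Base64.getDecoder().decode(parts[1]);
        } catch (IllegalArgumentException e) {
            return Optional.empty();               // token is not valid base64
        }
        // RFC 7617: user-id ":" password. The user-id may not contain ':', so the
        // first colon separates the two and the password keeps any later colons.
        String userPass = new String(raw, StandardCharsets.UTF_8);
        int colon = userPass.indexOf(':');
        if (colon < 0) {
            return Optional.empty();               // decoded text has no separator
        }
        return Optional.of(new Credentials(userPass.substring(0, colon),
                                           userPass.substring(colon + 1)));
    }

    public static void main(String[] args) {
        // Constructed header values mirroring the shapes in the report.
        String[] samples = {
            "Basic YWRtaW46YWRtaW4=",    // one space: decodes to admin:admin
            "Basic  YWRtaW46YWRtaW4=",   // case 1: two spaces, still valid
            "Basic",                     // case 2: nothing after the scheme
            "Basic not*base64",          // unparseable token
            "Bearer YWRtaW46YWRtaW4="    // not a Basic credential
        };
        for (String s : samples) {
            Optional<Credentials> c = parse(s);
            System.out.println("\"" + s + "\" -> "
                + c.map(cr -> "user=" + cr.userName).orElse("reject, answer 401"));
        }
    }
}
```

Running `main` prints `user=admin` for the first two values and `reject, answer 401` for the rest. The design point is that every malformed shape is turned into an empty result the caller decides on, rather than an exception that escapes the transport layer; the report's symptom was precisely that escape, which both changed the status code from 401 to 500 and disclosed internal class and line information to an unauthenticated client.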
