This is an automated email from the ASF dual-hosted git repository. radcortez pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/tomee.git
commit 8fa7252ee13de41f2ee1f3df97ade266d5ce786d Author: Roberto Cortez <[email protected]> AuthorDate: Wed Dec 26 17:45:22 2018 +0000 TOMEE-2365 - Fixed NPE on empty Authorization header. --- .../security/cdi/BasicAuthenticationMechanism.java | 10 ++- .../security/servlet/BasicAuthServletTest.java | 76 ++++++++++++++++++++++ 2 files changed, 83 insertions(+), 3 deletions(-)
diff --git a/tomee/tomee-security/src/main/java/org/apache/tomee/security/cdi/BasicAuthenticationMechanism.java b/tomee/tomee-security/src/main/java/org/apache/tomee/security/cdi/BasicAuthenticationMechanism.java
index f4c4722..3bb5bea 100644
--- a/tomee/tomee-security/src/main/java/org/apache/tomee/security/cdi/BasicAuthenticationMechanism.java
+++ b/tomee/tomee-security/src/main/java/org/apache/tomee/security/cdi/BasicAuthenticationMechanism.java
@@ -28,6 +28,7 @@ import javax.security.enterprise.credential.BasicAuthenticationCredential;
 import javax.security.enterprise.identitystore.CredentialValidationResult;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
+import java.util.Optional;
 import static javax.security.enterprise.identitystore.CredentialValidationResult.Status.VALID;
 import static javax.ws.rs.core.HttpHeaders.AUTHORIZATION;
@@ -79,8 +80,11 @@ public class BasicAuthenticationMechanism implements HttpAuthenticationMechanism
 }
 private BasicAuthenticationCredential parseAuthenticationHeader(final String authenticationHeader) {
- return !authenticationHeader.isEmpty() && authenticationHeader.startsWith("Basic ") ?
- new BasicAuthenticationCredential(authenticationHeader.substring(6)) :
- new BasicAuthenticationCredential(null);
+ return Optional.ofNullable(authenticationHeader)
+ .filter(header -> !header.isEmpty())
+ .filter(header -> header.startsWith("Basic "))
+ .map(header -> header.substring(6))
+ .map(BasicAuthenticationCredential::new)
+ .orElseGet(() -> new BasicAuthenticationCredential(""));
 }
 }
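Review bot: The `.orElseGet(() -> new BasicAuthenticationCredential(""))` fallback and the `.map(BasicAuthenticationCredential::new)` step above it both hand the JSR-375 constructor a string it has to decode, so a header such as `Basic !!!` or a bare `Basic ` would, if that constructor Base64-decodes and splits on `:` as the API documents, trade the old NPE for an IllegalArgumentException rather than an absent credential (confirm against the implementation on the classpath). Treating any decode failure as "no credential" — a small private helper around the construction that catches IllegalArgumentException and returns the empty fallback — keeps a malformed header on the 401 challenge path instead of producing a 500. The `startsWith("Basic ")` filter is also case-sensitive while RFC 7235 §2.1 makes the auth-scheme token case-insensitive, so `.filter(header -> header.regionMatches(true, 0, "Basic ", 0, 6))` would accept `basic …` from conforming clients without changing the `substring(6)` that follows. The caller that turns this result into a challenge is outside the hunk.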
diff --git a/tomee/tomee-security/src/test/java/org/apache/tomee/security/servlet/BasicAuthServletTest.java b/tomee/tomee-security/src/test/java/org/apache/tomee/security/servlet/BasicAuthServletTest.java
new file mode 100644
index 0000000..b25f169
--- /dev/null
+++ b/tomee/tomee-security/src/test/java/org/apache/tomee/security/servlet/BasicAuthServletTest.java
@@ -0,0 +1,76 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.tomee.security.servlet;
+
+import org.apache.openejb.loader.JarLocation;
+import org.apache.openejb.util.NetworkUtil;
+import org.apache.tomee.embedded.Configuration;
+import org.apache.tomee.embedded.Container;
+import org.apache.tomee.security.client.BasicAuthFilter;
+import org.junit.Test;
+
+import javax.security.enterprise.authentication.mechanism.http.BasicAuthenticationMechanismDefinition;
+import javax.servlet.ServletException;
+import javax.servlet.annotation.HttpConstraint;
+import javax.servlet.annotation.ServletSecurity;
+import javax.servlet.annotation.WebServlet;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.ws.rs.client.ClientBuilder;
+import java.io.IOException;
+
+import static org.junit.Assert.assertEquals;
+
+public class BasicAuthServletTest {
+ @Test
+ public void testWebApp() throws Exception {
+ try (Container container = new Container(
+ new Configuration()
+ .conf("conf")
+ .http(NetworkUtil.getNextAvailablePort())
+ .property("openejb.container.additional.exclude", "org.apache.tomee.security.")
+ .property("openejb.additional.include", "tomee-"))
+ .deployPathsAsWebapp(
+ JarLocation.jarLocation(SimpleServletTest.class),
+ JarLocation.jarLocation(TomEESecurityServletContainerInitializer.class))) {
+
+ final String servlet = "http://localhost:" + container.getConfiguration().getHttpPort() + "/basic";
+
+ assertEquals(401, ClientBuilder.newBuilder().build()
+ .target(servlet)
+ .request()
+ .get().getStatus());
+
+ assertEquals(200, ClientBuilder.newBuilder().register(new BasicAuthFilter()).build()
+ .target(servlet)
+ .request()
+ .get().getStatus());
+ }
+ }
+
+ @WebServlet(urlPatterns = "/basic")
+ @ServletSecurity(@HttpConstraint(rolesAllowed = "tomcat"))
+ @BasicAuthenticationMechanismDefinition
+ public static class TestServlet extends HttpServlet {
+ @Override
+ protected void doGet(final HttpServletRequest req, final HttpServletResponse resp)
+ throws ServletException, IOException {
+ resp.getWriter().write("ok!");
+ }
+ }
+}
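Review bot: The test never sends the header the commit title is about — the first request omits `Authorization` entirely and the second goes through the `BasicAuthFilter` client filter, so the empty and malformed-header paths through `parseAuthenticationHeader` stay unexercised. Adding requests with `.header("Authorization", "")`, `.header("Authorization", "Basic ")` and a non-Base64 payload, each asserting `401`, would pin the fix, e.g. `assertEquals(401, ClientBuilder.newBuilder().build().target(servlet).request().header("Authorization", "Basic ").get().getStatus());`. Checking that those 401 responses carry a `WWW-Authenticate` header would also confirm a challenge is issued rather than a bare error status. `SimpleServletTest` and `TomEESecurityServletContainerInitializer` are referenced without imports, so they are presumably resolved from the same package — worth confirming.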
