This is an automated email from the ASF dual-hosted git repository. markt-asf pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit 8234a8257c3c366fe5d1ff46808ea8cae6584f95
Author: Mark Thomas <[email protected]>
AuthorDate: Wed Jun 24 22:28:28 2026 +0100
Reject BASIC auth with empty user name
---
 java/org/apache/catalina/authenticator/BasicAuthenticator.java | 2 ++
 java/org/apache/catalina/authenticator/LocalStrings.properties | 1 +
 test/org/apache/catalina/authenticator/TestBasicAuthParser.java | 4 +---
 webapps/docs/changelog.xml | 4 ++++
 4 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/java/org/apache/catalina/authenticator/BasicAuthenticator.java b/java/org/apache/catalina/authenticator/BasicAuthenticator.java
index 364d383b29..4a0c8fcc6f 100644
--- a/java/org/apache/catalina/authenticator/BasicAuthenticator.java
+++ b/java/org/apache/catalina/authenticator/BasicAuthenticator.java
@@ -243,6 +243,8 @@ public class BasicAuthenticator extends AuthenticatorBase {
 // Null password is not allowed according to RFC 7617
 if (colon < 0) {
 throw new IllegalArgumentException(sm.getString("basicAuthenticator.noColon"));
+ } else if (colon == 0) {
+ throw new IllegalArgumentException(sm.getString("basicAuthenticator.emptyUsername"));
 } else {
 username = new String(decoded, 0, colon, charset);
 password = new String(decoded, colon + 1, decoded.length - colon - 1, charset);
diff --git a/java/org/apache/catalina/authenticator/LocalStrings.properties b/java/org/apache/catalina/authenticator/LocalStrings.properties
index 22ba239883..f3080615d7 100644
--- a/java/org/apache/catalina/authenticator/LocalStrings.properties
+++ b/java/org/apache/catalina/authenticator/LocalStrings.properties
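Review bot: The comment `// Null password is not allowed according to RFC 7617` now sits above a conditional that also rejects empty user names, so it no longer describes the whole branch; extend it to `// RFC 7617 requires the colon separator (no password is not allowed); RFC 7613 (obsoleted by RFC 8265) forbids a zero-length user name`. It is also worth recording why `colon == 0` is a safe test on the raw bytes before decoding: ':' is 0x3A and never occurs inside a UTF-8 multi-byte sequence, so the byte index is a character boundary for UTF-8 as well as single-byte charsets, e.g. `// ':' (0x3A) cannot appear inside a UTF-8 multi-byte sequence, so index 0 means a zero-length user name`. Note that the new check covers only a zero-length name; a name consisting of whitespace or of characters the PRECIS username profile disallows still passes, which appears to be outside this change's intent but could be stated in the comment. The enclosing method starts and ends outside the hunk.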
@@ -39,6 +39,7 @@ authenticator.unauthorized=Cannot authenticate with the provided credentials authenticator.userDataPermissionFail=User data does not comply with the constraints of the resource authenticator.userPermissionFail=User [{0}] does not have authorization to access the resource +basicAuthenticator.emptyUsername=RFC 7613 does not permit empty user names basicAuthenticator.invalidAuthorization=Invalid Authorization header basicAuthenticator.invalidCharset=The only permitted values are null, the empty string or UTF-8 basicAuthenticator.noColon=Basic Authorization credentials do not contain a colon diff --git a/test/org/apache/catalina/authenticator/TestBasicAuthParser.java b/test/org/apache/catalina/authenticator/TestBasicAuthParser.java index 9d3e6aba92..5cfeeea034 100644 --- a/test/org/apache/catalina/authenticator/TestBasicAuthParser.java +++ b/test/org/apache/catalina/authenticator/TestBasicAuthParser.java @@ -165,14 +165,12 @@ public class TestBasicAuthParser { Assert.assertNotSame(PASSWORD, credentials.getPassword()); } - @Test + @Test(expected = IllegalArgumentException.class) public void testMissingUsername() throws Exception { final String EMPTY_USER_NAME = ""; final BasicAuthHeader AUTH_HEADER = new BasicAuthHeader(NICE_METHOD, EMPTY_USER_NAME, PASSWORD); BasicAuthenticator.BasicCredentials credentials = new BasicAuthenticator.BasicCredentials(AUTH_HEADER.getHeader(), StandardCharsets.UTF_8); - Assert.assertEquals(EMPTY_USER_NAME, credentials.getUsername()); - Assert.assertEquals(PASSWORD, credentials.getPassword()); } @Test diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index cbc17e7130..c62a14355a 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml 
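Review bot: In `testMissingUsername` the local `credentials` is now assigned but never read, because the two assertions that consumed it were removed; dropping the assignment and keeping only `new BasicAuthenticator.BasicCredentials(AUTH_HEADER.getHeader(), StandardCharsets.UTF_8);` with the comment `// must throw: zero-length user names are rejected` makes the intent explicit and avoids an unused-variable warning. The method name still says "Missing" while the behaviour under test is rejection of an empty user name, so a rename such as `testEmptyUsernameRejected` or a one-line Javadoc would keep the test's purpose legible. `@Test(expected = IllegalArgumentException.class)` does not pin where the exception is thrown, so a failure inside `BasicAuthHeader`'s constructor or `getHeader()` would also pass; if the project's JUnit 4 version supports `Assert.assertThrows`, wrapping only the `BasicCredentials` construction narrows the check.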
@@ -221,6 +221,10 @@ Reject BASIC authorization with no password, to comply with RFC 7617 strictly. (remm) </fix> + <fix> + Reject BASIC authorization with empty user names as required by RFC + 7613. (markt) + </fix> <!-- Entries for backport and removal before 12.0.0-M1 below this line --> <fix> Avoid a race condition with concurrent lookups for a singleton JNDI --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
