Sagara Gunathunga  created CXF-6492:
---------------------------------------

             Summary: AbstractHTTPDestination class incorrectly assumes only one empty space after "Basic" in Authorization header value.
                 Key: CXF-6492
                 URL: https://issues.apache.org/jira/browse/CXF-6492
             Project: CXF
          Issue Type: Bug
          Components: JAX-RS
    Affects Versions: 3.1.1, 2.7.16
            Reporter: Sagara Gunathunga 


The getAuthorizationPolicyFromMessage() method in the AbstractHTTPDestination class
incorrectly assumes only one empty space after "Basic" in the Authorization header
value, but one can send multiple empty spaces after the "Basic" string or skip
the content after the "Basic" string. In both cases CXF returns Java exceptions
along with a stack trace to the client side.

Case 1: curl http://localhost:8080/hello/echo/hello -H "Authorization:Basic  YWRtaW46YWRtaW4="   (2 whitespace characters after "Basic")

java.lang.NullPointerException
        at java.lang.String.<init>(String.java:556)
        at org.apache.cxf.transport.http.AbstractHTTPDestination.getAuthorizationPolicyFromMessage(AbstractHTTPDestination.java:167)
        at org.apache.cxf.transport.http.AbstractHTTPDestination.setupMessage(AbstractHTTPDestination.java:385)
        at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:236)
        at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:234)
        at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:208)
        at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:160)
        at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:171)
        at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:293)
        at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doGet(AbstractHTTPServlet.java:217)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:735)

Case 2: curl http://localhost:8080/hello/echo/hello -H "Authorization:Basic"   (no content after "Basic")

Server Error</pre></p><h3>Caused by:</h3><pre>java.lang.ArrayIndexOutOfBoundsException: 1
        at org.apache.cxf.transport.http.AbstractHTTPDestination.getAuthorizationPolicyFromMessage(AbstractHTTPDestination.java:165)
        at org.apache.cxf.transport.http.AbstractHTTPDestination.setupMessage(AbstractHTTPDestination.java:385)
        at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:236)
        at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:234)
        at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:208)
        at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:160)
        at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:171)
        at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:293)
        at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doGet(AbstractHTTPServlet.java:217)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:735)



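An added example, not part of the original report and not CXF's own code: one way to parse a Basic Authorization header so that both reported inputs are rejected cleanly instead of surfacing an exception to the client. The class and method names are hypothetical, and java.util.Base64 is used here as an assumption in place of whatever decoder CXF uses.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Optional;

// Added example: hypothetical helper, not CXF's AbstractHTTPDestination code.
public class BasicAuthHeaderParser {

    /** Returns {user, password}, or empty if the header is not usable Basic credentials. */
    static Optional<String[]> parse(String header) {
        if (header == null) {
            return Optional.empty();
        }
        // Split scheme from credentials on any run of whitespace (limit 2),
        // so "Basic  <b64>" and "Basic <b64>" are treated the same.
        String[] parts = header.trim().split("\\s+", 2);
        if (parts.length != 2 || !"Basic".equalsIgnoreCase(parts[0])) {
            return Optional.empty();   // covers a bare "Basic" with no credentials
        }
        byte[] decoded;
        try {
            decoded = Base64.getDecoder().decode(parts[1]);
        } catch (IllegalArgumentException e) {
            return Optional.empty();   // malformed base64: reject, do not propagate
        }
        String userPass = new String(decoded, StandardCharsets.UTF_8);
        int colon = userPass.indexOf(':');
        if (colon < 0) {
            return Optional.empty();   // no "user:password" separator
        }
        return Optional.of(new String[] {
            userPass.substring(0, colon), userPass.substring(colon + 1)});
    }

    public static void main(String[] args) {
        // Constructed inputs mirroring the two cases in the report, plus controls.
        String[] samples = {
            "Basic YWRtaW46YWRtaW4=",    // single space
            "Basic  YWRtaW46YWRtaW4=",   // two spaces (case 1)
            "Basic",                     // no credentials (case 2)
            "Basic !!!not-base64!!!",    // undecodable
        };
        for (String h : samples) {
            System.out.println("[" + h + "] -> "
                + parse(h).map(c -> "user=" + c[0]).orElse("rejected (respond 401)"));
        }
    }
}
```

A caller would map the empty result to a 401 response with a generic body, so no stack trace or class name reaches the client.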