[ 
https://issues.apache.org/jira/browse/CXF-6492?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14620305#comment-14620305
 ] 

Sergey Beryozkin edited comment on CXF-6492 at 7/9/15 10:45 AM:
----------------------------------------------------------------

Can you please tell which client puts 2 spaces in 
{noformat}
"Basic  credentials" 
{noformat}
For example, I'm not sure the following is valid:
{noformat}
"Basic                                              credentials"
{noformat}
where there are 40 spaces, so why should 2 spaces be supported?





> AbstractHTTPDestination class incorrectly assume only one empty space after 
> "Basic" in Authorization header value. 
> -------------------------------------------------------------------------------------------------------------------
>
>                 Key: CXF-6492
>                 URL: https://issues.apache.org/jira/browse/CXF-6492
>             Project: CXF
>          Issue Type: Bug
>          Components: JAX-RS
>    Affects Versions: 2.7.16, 3.1.1
>            Reporter: Sagara Gunathunga 
>
> The getAuthorizationPolicyFromMessage() method in the AbstractHTTPDestination class 
> incorrectly assumes only one empty space after "Basic" in the Authorization header 
> value, but one can send multiple empty spaces after the "Basic" string or can skip 
> the content after the "Basic" string. In both cases CXF returns Java exceptions 
> along with the stack trace to the client side. 
> case -1  : curl http://localhost:8080/hello/echo/hello -H "Authorization:Basic  YWRtaW46YWRtaW4="   ( 2 whitespace characters after "Basic" )
> java.lang.NullPointerException
>       at java.lang.String.<init>(String.java:556)
>       at org.apache.cxf.transport.http.AbstractHTTPDestination.getAuthorizationPolicyFromMessage(AbstractHTTPDestination.java:167)
>       at org.apache.cxf.transport.http.AbstractHTTPDestination.setupMessage(AbstractHTTPDestination.java:385)
>       at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:236)
>       at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:234)
>       at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:208)
>       at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:160)
>       at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:171)
>       at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:293)
>       at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doGet(AbstractHTTPServlet.java:217)
>       at javax.servlet.http.HttpServlet.service(HttpServlet.java:735)
> case - 2 : curl http://localhost:8080/hello/echo/hello -H "Authorization:Basic" ( No content after "Basic") 
>  
> Server Error</pre></p><h3>Caused by:</h3><pre>java.lang.ArrayIndexOutOfBoundsException: 1
>       at org.apache.cxf.transport.http.AbstractHTTPDestination.getAuthorizationPolicyFromMessage(AbstractHTTPDestination.java:165)
>       at org.apache.cxf.transport.http.AbstractHTTPDestination.setupMessage(AbstractHTTPDestination.java:385)
>       at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:236)
>       at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:234)
>       at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:208)
>       at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:160)
>       at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:171)
>       at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:293)
>       at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doGet(AbstractHTTPServlet.java:217)
>       at javax.servlet.http.HttpServlet.service(HttpServlet.java:735)
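
An added example, not part of the original messages and not CXF's code or its actual fix: a defensive parse of the Authorization header that returns null for both reported inputs instead of throwing, so the caller can answer 401 without exposing a stack trace. RFC 7235 defines credentials as `auth-scheme [ 1*SP ( token68 / #auth-param ) ]`, so the split accepts one or more spaces. The class name `BasicAuthHeaderParser` is hypothetical and Java 8+ is assumed for `java.util.Base64`.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class BasicAuthHeaderParser {

    /** Returns {user, password}, or null if the header is not well-formed Basic credentials. */
    static String[] parse(String header) {
        if (header == null) {
            return null;
        }
        // Split into scheme and remainder on the first run of spaces (1*SP).
        String[] parts = header.trim().split(" +", 2);
        if (parts.length != 2 || !"Basic".equalsIgnoreCase(parts[0])) {
            return null; // also covers "Basic" with nothing after it (case 2)
        }
        byte[] decoded;
        try {
            decoded = Base64.getDecoder().decode(parts[1]);
        } catch (IllegalArgumentException e) {
            return null; // remainder is not valid Base64
        }
        String userPass = new String(decoded, StandardCharsets.UTF_8);
        int colon = userPass.indexOf(':');
        if (colon < 0) {
            return null; // no user:password separator
        }
        return new String[] {userPass.substring(0, colon), userPass.substring(colon + 1)};
    }

    public static void main(String[] args) {
        // Header values from the two cases in the report, plus a control and a bad token.
        String[] samples = {
            "Basic YWRtaW46YWRtaW4=",   // single space
            "Basic  YWRtaW46YWRtaW4=",  // case 1: two spaces
            "Basic",                    // case 2: no credentials
            "Basic !!!"                 // constructed: invalid Base64
        };
        for (String s : samples) {
            String[] r = parse(s);
            System.out.println("[" + s + "] -> "
                + (r == null ? "rejected (respond 401)" : "user=" + r[0]));
        }
    }
}
```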


