[
https://issues.apache.org/jira/browse/CXF-6492?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14620745#comment-14620745
]
Daniel Kulp commented on CXF-6492:
----------------------------------
Looking at the spec at https://tools.ietf.org/html/rfc7235#section-2.1 , the
"credentials" type is defined as:
{code}
credentials = auth-scheme [ 1*SP ( token68 / #auth-param ) ]
{code}
which means it needs at least one, but up to infinite, spaces. Thus, this is
valid.
> AbstractHTTPDestination class incorrectly assumes only one empty space after
> "Basic" in Authorization header value.
> -------------------------------------------------------------------------------------------------------------------
>
> Key: CXF-6492
> URL: https://issues.apache.org/jira/browse/CXF-6492
> Project: CXF
> Issue Type: Bug
> Components: JAX-RS
> Affects Versions: 2.7.16, 3.1.1
> Reporter: Sagara Gunathunga
>
> getAuthorizationPolicyFromMessage() method in AbstractHTTPDestination class
> incorrectly assumes only one empty space after "Basic" in the Authorization
> header value, but one can send multiple empty spaces after the "Basic" string
> or skip the content after the "Basic" string; in both cases CXF returns Java
> exceptions along with a stack trace to the client side.
> case 1: curl http://localhost:8080/hello/echo/hello -H "Authorization:Basic  YWRtaW46YWRtaW4=" ( 2 whitespace characters after "Basic" )
> java.lang.NullPointerException
> at java.lang.String.<init>(String.java:556)
> at org.apache.cxf.transport.http.AbstractHTTPDestination.getAuthorizationPolicyFromMessage(AbstractHTTPDestination.java:167)
> at org.apache.cxf.transport.http.AbstractHTTPDestination.setupMessage(AbstractHTTPDestination.java:385)
> at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:236)
> at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:234)
> at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:208)
> at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:160)
> at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:171)
> at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:293)
> at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doGet(AbstractHTTPServlet.java:217)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:735)
> case 2: curl http://localhost:8080/hello/echo/hello -H "Authorization:Basic" ( No content after "Basic" )
>
> Server Error
> Caused by:
> java.lang.ArrayIndexOutOfBoundsException: 1
> at org.apache.cxf.transport.http.AbstractHTTPDestination.getAuthorizationPolicyFromMessage(AbstractHTTPDestination.java:165)
> at org.apache.cxf.transport.http.AbstractHTTPDestination.setupMessage(AbstractHTTPDestination.java:385)
> at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:236)
> at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:234)
> at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:208)
> at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:160)
> at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:171)
> at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:293)
> at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doGet(AbstractHTTPServlet.java:217)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:735)
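The grammar Daniel quotes (`credentials = auth-scheme [ 1*SP ( token68 / #auth-param ) ]`) and the two crashing requests in the report together describe what a tolerant parser for this header has to handle: one or more spaces after the scheme, a scheme with no token at all, and a scheme name compared case-insensitively. The class below is an added illustration written for this page, not CXF's `getAuthorizationPolicyFromMessage()` or any code from the project; the class name `BasicAuthorizationParser` is hypothetical, and it uses `java.util.Base64` plus the RFC 7617 rule that the user-id cannot contain a colon but the password may. Every malformed input is reported as an empty `Optional`, so the caller can answer with a 401 instead of surfacing a `NullPointerException` or `ArrayIndexOutOfBoundsException` to the client.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Optional;

/**
 * Hypothetical tolerant parser for an HTTP Basic Authorization header value
 * (added example, not CXF code).  Per RFC 7235 section 2.1,
 *   credentials = auth-scheme [ 1*SP ( token68 / #auth-param ) ]
 * so any number (one or more) of spaces may separate the scheme from the
 * token, and the token may be absent.  Malformed input yields Optional.empty()
 * instead of an exception, so the server can reply 401 without a stack trace.
 */
public final class BasicAuthorizationParser {

    /** Parsed credential: user-id and password, as defined by RFC 7617. */
    public static final class Credentials {
        public final String userName;
        public final String password;

        Credentials(String userName, String password) {
            this.userName = userName;
            this.password = password;
        }
    }

    private BasicAuthorizationParser() {
    }

    public static Optional<Credentials> parse(String headerValue) {
        if (headerValue == null) {
            return Optional.empty();
        }
        // Header field values may carry optional whitespace at either end.
        String value = headerValue.trim();
        // Split once on the first run of SP/HTAB: yields [scheme] or [scheme, token68].
        String[] parts = value.split("[ \\t]+", 2);
        // auth-scheme is case-insensitive (RFC 7235 section 2.1).
        if (!"Basic".equalsIgnoreCase(parts[0])) {
            return Optional.empty();
        }
        if (parts.length < 2 || parts[1].isEmpty()) {
            // "Basic" alone is allowed by the grammar but carries no credentials:
            // reject it rather than indexing past the end of the split array.
            return Optional.empty();
        }
        byte[] decoded;
        try {
            decoded = Base64.getDecoder().decode(parts[1]);
        } catch (IllegalArgumentException e) {
            // Not valid Base64 (garbage characters, embedded spaces): reject.
            return Optional.empty();
        }
        String userPass = new String(decoded, StandardCharsets.UTF_8);
        // RFC 7617: the user-id cannot contain ':' but the password may,
        // so split on the first colon only.
        int colon = userPass.indexOf(':');
        if (colon < 0) {
            return Optional.empty();
        }
        return Optional.of(new Credentials(userPass.substring(0, colon),
                                           userPass.substring(colon + 1)));
    }

    public static void main(String[] args) {
        // Constructed inputs mirroring the report: one space, two spaces, no token,
        // plus a lower-case scheme and a non-Base64 token for good measure.
        String[] samples = {
            "Basic YWRtaW46YWRtaW4=",
            "Basic  YWRtaW46YWRtaW4=",
            "Basic",
            "basic    YWRtaW46YWRtaW4=",
            "Basic not*base64"
        };
        for (String s : samples) {
            Optional<Credentials> c = parse(s);
            System.out.println("[" + s + "] -> "
                + c.map(v -> "user=" + v.userName).orElse("rejected (401)"));
        }
    }
}
```

The two inputs from the report that crash CXF (`Basic  YWRtaW46YWRtaW4=` with two spaces, and a bare `Basic`) are handled here by the `split` with a limit of 2 and by the length check on its result; the first is accepted as `admin`, the second is rejected cleanly. Note that `split` on a whitespace run also means a token containing internal spaces, which token68 forbids, reaches the Base64 decoder and is rejected there.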
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)