[ https://issues.apache.org/jira/browse/CXF-6492?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14620787#comment-14620787 ]

Sagara Gunathunga  commented on CXF-6492:
-----------------------------------------

@Sergey These are my concerns.

1.) I'm not saying 2 spaces is a special case; it's just an example, it could be
N number of spaces.

2.) If a client sends some invalid header content then the server should not return
an NPE or ArrayIndexOutOfBoundsException; instead, IMHO, if security is enabled the server
should return 401, otherwise the server should proceed into further processing.

The main problem here is that the above logic always expects 2 parts after splitting
'credentials', but when you have N number of spaces StringUtils.split() returns
3 parts; also, when you have only "Basic" as header content StringUtils.split()
returns only 1 part.

> AbstractHTTPDestination class incorrectly assumes only one empty space after
> "Basic" in Authorization header value.
> -------------------------------------------------------------------------------------------------------------------
>
>                 Key: CXF-6492
>                 URL: https://issues.apache.org/jira/browse/CXF-6492
>             Project: CXF
>          Issue Type: Bug
>          Components: JAX-RS
>    Affects Versions: 2.7.16, 3.1.1
>            Reporter: Sagara Gunathunga 
>
> The getAuthorizationPolicyFromMessage() method in the AbstractHTTPDestination class
> incorrectly assumes only one empty space after "Basic" in the Authorization header
> value, but one can send multiple empty spaces after the "Basic" string or can skip
> the content after the "Basic" string; in both cases CXF returns Java exceptions
> along with a stack trace to the client side.
> case - 1 : curl http://localhost:8080/hello/echo/hello -H "Authorization:Basic  YWRtaW46YWRtaW4="   ( 2 whitespace characters after "Basic" )
> java.lang.NullPointerException
>       at java.lang.String.<init>(String.java:556)
>       at org.apache.cxf.transport.http.AbstractHTTPDestination.getAuthorizationPolicyFromMessage(AbstractHTTPDestination.java:167)
>       at org.apache.cxf.transport.http.AbstractHTTPDestination.setupMessage(AbstractHTTPDestination.java:385)
>       at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:236)
>       at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:234)
>       at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:208)
>       at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:160)
>       at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:171)
>       at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:293)
>       at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doGet(AbstractHTTPServlet.java:217)
>       at javax.servlet.http.HttpServlet.service(HttpServlet.java:735)
> case - 2 : curl http://localhost:8080/hello/echo/hello -H "Authorization:Basic" ( No content after "Basic" )
>
> Server Error
> Caused by:
> java.lang.ArrayIndexOutOfBoundsException: 1
>       at org.apache.cxf.transport.http.AbstractHTTPDestination.getAuthorizationPolicyFromMessage(AbstractHTTPDestination.java:165)
>       at org.apache.cxf.transport.http.AbstractHTTPDestination.setupMessage(AbstractHTTPDestination.java:385)
>       at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:236)
>       at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:234)
>       at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:208)
>       at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:160)
>       at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:171)
>       at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:293)
>       at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doGet(AbstractHTTPServlet.java:217)
>       at javax.servlet.http.HttpServlet.service(HttpServlet.java:735)



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
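The two header shapes the issue reports ("Basic" followed by several spaces, and "Basic" with nothing after it) both come from treating the header value as exactly two space-separated parts. The following is an added example, not CXF's own code and not the fix the project applied: it puts the split-and-index pattern the report describes beside a tolerant parser that follows the RFC 7235 grammar (auth-scheme, one or more SP, token68), and maps every malformed shape to an outcome the transport can act on (401 when security is enabled, otherwise continue) instead of an exception and stack trace. The class, method and enum names are hypothetical; the sample header values are constructed from the report.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Optional;

/** Hypothetical helper, not part of CXF. */
public final class BasicAuthHeaderParser {

    /** What the transport should do with the header instead of throwing. */
    public enum Outcome { AUTHENTICATE, CHALLENGE_401, PROCEED_UNAUTHENTICATED }

    /** Decoded "user-id:password" pair (RFC 7617). */
    public static final class Credentials {
        public final String userName;
        public final String password;

        Credentials(String userName, String password) {
            this.userName = userName;
            this.password = password;
        }
    }

    /**
     * The fragile pattern the issue describes: split on a single space and trust
     * that index 1 holds the base64 token. "Basic" alone has no index 1, so this
     * throws ArrayIndexOutOfBoundsException; "Basic  x" (two spaces) returns the
     * empty string at index 1, the input on which the reported NPE occurs downstream.
     */
    static String naiveTokenPart(String headerValue) {
        String[] parts = headerValue.split(" ");
        return parts[1];
    }

    /**
     * Tolerant parse. Any number of spaces may separate scheme and token, the
     * scheme compares case-insensitively, and the token may be absent or not
     * base64. Each malformed shape becomes Optional.empty(), never an exception.
     */
    public static Optional<Credentials> parse(String headerValue) {
        if (headerValue == null) {
            return Optional.empty();
        }
        String value = headerValue.trim();
        int firstSpace = value.indexOf(' ');
        if (firstSpace < 0) {
            return Optional.empty();                        // "Basic" with no token
        }
        if (!"Basic".equalsIgnoreCase(value.substring(0, firstSpace))) {
            return Optional.empty();                        // another scheme; not ours
        }
        String token = value.substring(firstSpace).trim();  // swallows N spaces
        if (token.isEmpty()) {
            return Optional.empty();
        }
        byte[] decoded;
        try {
            decoded = Base64.getDecoder().decode(token);
        } catch (IllegalArgumentException e) {
            return Optional.empty();                        // not base64: treat as absent
        }
        String userPass = new String(decoded, StandardCharsets.UTF_8);
        int colon = userPass.indexOf(':');
        if (colon < 0) {
            return Optional.empty();                        // RFC 7617 requires user-id ":" password
        }
        return Optional.of(new Credentials(userPass.substring(0, colon),
                                           userPass.substring(colon + 1)));
    }

    /** The behaviour the comment argues for: 401 if security is enabled, else proceed. */
    public static Outcome decide(String headerValue, boolean securityEnabled) {
        if (parse(headerValue).isPresent()) {
            return Outcome.AUTHENTICATE;                    // hand to the authenticator
        }
        return securityEnabled ? Outcome.CHALLENGE_401 : Outcome.PROCEED_UNAUTHENTICATED;
    }

    public static void main(String[] args) {
        // Constructed samples: a well-formed header plus the two shapes from the issue.
        String[] samples = { "Basic YWRtaW46YWRtaW4=", "Basic  YWRtaW46YWRtaW4=", "Basic" };
        for (String header : samples) {
            Optional<Credentials> creds = parse(header);
            System.out.printf("%-26s -> %s, %s%n", "\"" + header + "\"",
                    creds.map(c -> "user=" + c.userName).orElse("no credentials"),
                    decide(header, true));
        }
    }
}
```

Running main prints a user name for both the single-space and the double-space header and "no credentials, CHALLENGE_401" for the bare "Basic"; calling naiveTokenPart on the same three values reproduces the two failure modes from the report. The useful property of parse is that it never throws on attacker-controlled header content, so a malformed Authorization value cannot turn into a 500 with a server-side stack trace in the response.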
