This is an automated email from the ASF dual-hosted git repository. robertlazarski pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/axis-axis2-java-core.git
commit 754a25817040daa3e8374f861bf274438d7e26e1 Author: Robert Lazarski <[email protected]> AuthorDate: Sun Apr 19 21:42:29 2026 -1000 AXIS2-6055 Restrict preemptive Basic Auth to HTTPS connections Preemptive authentication sends credentials on the first request without waiting for a 401 challenge. Over plain HTTP, base64-encoded credentials are trivially interceptable. Add HTTPS check: preemptive auth only sends the Authorization header when the connection scheme is HTTPS. On HTTP, logs a warning and skips preemptive auth — credentials will still be sent via the normal challenge/response flow if the server requests them. Found by local Gemini Pro security review.
--- .../axis2/transport/http/impl/httpclient5/RequestImpl.java | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/modules/transport/http/src/main/java/org/apache/axis2/transport/http/impl/httpclient5/RequestImpl.java b/modules/transport/http/src/main/java/org/apache/axis2/transport/http/impl/httpclient5/RequestImpl.java
index f81d8abb80..1e69b03d1d 100644
--- a/modules/transport/http/src/main/java/org/apache/axis2/transport/http/impl/httpclient5/RequestImpl.java
+++ b/modules/transport/http/src/main/java/org/apache/axis2/transport/http/impl/httpclient5/RequestImpl.java
@@ -339,10 +339,17 @@ final class RequestImpl implements Request {
 // AXIS2-6055: Preemptive authentication — send credentials on the first
 // request without waiting for a 401 challenge. This was supported in
 // Axis2 1.7 (HC 4) but the TODO was never implemented for HC 5.
+ // Only applies to Basic auth over HTTPS to prevent credential exposure.
 if (authenticator.getPreemptiveAuthentication() && username != null && password != null) {
- String credentials = username + ":" + password;
- String encoded = java.util.Base64.getEncoder().encodeToString(credentials.getBytes(java.nio.charset.StandardCharsets.UTF_8));
- httpRequestMethod.setHeader("Authorization", "Basic " + encoded);
+ String scheme = httpRequestMethod.getScheme();
+ if (!"https".equalsIgnoreCase(scheme)) {
+ log.warn("Preemptive authentication skipped: connection is not HTTPS. "
+ + "Credentials will not be sent preemptively over an insecure connection.");
+ } else {
+ String credentials = username + ":" + password;
+ String encoded = java.util.Base64.getEncoder().encodeToString(credentials.getBytes(java.nio.charset.StandardCharsets.UTF_8));
+ httpRequestMethod.setHeader("Authorization", "Basic " + encoded);
+ }
 }
 /* Customizing the priority Order */
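Review bot: The HTTPS gate keys off `httpRequestMethod.getScheme()`, which in HttpClient 5 is null when the request object was built from a path-only URI, so such a request would be classed as non-HTTPS and silently lose preemptive auth while the warning blames an insecure connection; whether RequestImpl always builds the request with an absolute URI is not visible in this hunk. Failing closed on a null scheme is the right default, but the warning should name what was actually observed so a misconfiguration is diagnosable, e.g. `log.warn("Preemptive authentication skipped: request scheme is " + scheme + ", not https. " + "Credentials will be sent only in response to a server challenge.");`. The warning also fires on every request to a plain-HTTP endpoint that has preemptive auth enabled, so a debug-level or once-per-target message may be kinder to logs. No test accompanies the new branch; a unit test asserting that no Authorization header is set for an http URL and that a Basic header is set for an https URL would pin the behaviour. The enclosing method starts before the hunk and continues past it.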
