I'm not sure I'm looking at the right place if anything should be done or
if this should be an issue at all. I did a quick glance through the HTTP
authentication specification (RFC 2617 and 7235) and OAuth2 authorization
specification (6749) but nothing came up regarding what should happen if
an empty Authorization header is sent.

Yes, I guess the only way now is to use a filter. I'll see how it can be
done. Thanks, cheers.

Regards,
Allan C.

On Fri, Jul 29, 2016 at 9:38 PM, Sergey Beryozkin <[email protected]>
wrote:

> I suppose if Authorization is empty then one option is to assume the blank
> credentials are provided. Is there some text around supporting it? We
> might be able to fix it for 3.1.8
>
> I guess for now you can register a servlet filter to deal with the empty
> header.
>
> Cheers, Sergey
>
>
> On 29/07/16 10:55, Allan C. wrote:
>
>> Dear all,
>>
>> I am testing on a REST api, running on CXF 3.1.6 over pax-web 4.2.6. The
>> API accepts a header "Authorization".
>>
>> The problem is that if the value is provided for the header, everything is
>> fine and the behaviour is expected (HTTP status 401 or 200, depending if
>> the value is correct or not). However, if the header is an empty String,
>> the following exception is thrown:
>>
>> java.lang.IndexOutOfBoundsException: Index: 0, Size: 0
>> at java.util.ArrayList.rangeCheck(ArrayList.java:653)[:1.8.0_102]
>> at java.util.ArrayList.get(ArrayList.java:429)[:1.8.0_102]
>> at org.apache.cxf.transport.http.Headers.getAuthorization(Headers.java:528)[121:org.apache.cxf.cxf-rt-transports-http:3.1.5]
>> at org.apache.cxf.transport.http.AbstractHTTPDestination.setupMessage(AbstractHTTPDestination.java:390)[121:org.apache.cxf.cxf-rt-transports-http:3.1.5]
>> at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:238)[121:org.apache.cxf.cxf-rt-transports-http:3.1.5]
>> at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:234)[121:org.apache.cxf.cxf-rt-transports-http:3.1.5]
>> at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:208)[121:org.apache.cxf.cxf-rt-transports-http:3.1.5]
>> at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:160)[121:org.apache.cxf.cxf-rt-transports-http:3.1.5]
>> at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:180)[121:org.apache.cxf.cxf-rt-transports-http:3.1.5]
>> at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:298)[121:org.apache.cxf.cxf-rt-transports-http:3.1.5]
>> at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doGet(AbstractHTTPServlet.java:222)[121:org.apache.cxf.cxf-rt-transports-http:3.1.5]
>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:687)[73:javax.servlet-api:3.1.0]
>> at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:273)[121:org.apache.cxf.cxf-rt-transports-http:3.1.5]
>> at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:812)[175:org.eclipse.jetty.servlet:9.2.15.v20160210]
>> at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:587)[175:org.eclipse.jetty.servlet:9.2.15.v20160210]
>> at org.ops4j.pax.web.service.jetty.internal.HttpServiceServletHandler.doHandle(HttpServiceServletHandler.java:71)[199:org.ops4j.pax.web.pax-web-jetty:4.2.6]
>> at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)[174:org.eclipse.jetty.server:9.2.15.v20160210]
>> at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:577)[173:org.eclipse.jetty.security:9.2.15.v20160210]
>> at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:223)[174:org.eclipse.jetty.server:9.2.15.v20160210]
>> at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)[174:org.eclipse.jetty.server:9.2.15.v20160210]
>> at org.ops4j.pax.web.service.jetty.internal.HttpServiceContext.doHandle(HttpServiceContext.java:276)[199:org.ops4j.pax.web.pax-web-jetty:4.2.6]
>> at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)[175:org.eclipse.jetty.servlet:9.2.15.v20160210]
>> at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)[174:org.eclipse.jetty.server:9.2.15.v20160210]
>> at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)[174:org.eclipse.jetty.server:9.2.15.v20160210]
>> at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)[174:org.eclipse.jetty.server:9.2.15.v20160210]
>> at org.ops4j.pax.web.service.jetty.internal.JettyServerHandlerCollection.handle(JettyServerHandlerCollection.java:80)[199:org.ops4j.pax.web.pax-web-jetty:4.2.6]
>> at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)[174:org.eclipse.jetty.server:9.2.15.v20160210]
>> at org.eclipse.jetty.server.Server.handle(Server.java:499)[174:org.eclipse.jetty.server:9.2.15.v20160210]
>> at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:311)[174:org.eclipse.jetty.server:9.2.15.v20160210]
>> at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)[174:org.eclipse.jetty.server:9.2.15.v20160210]
>> at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:544)[166:org.eclipse.jetty.io:9.2.15.v20160210]
>> at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)[177:org.eclipse.jetty.util:9.2.15.v20160210]
>> at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)[177:org.eclipse.jetty.util:9.2.15.v20160210]
>> at java.lang.Thread.run(Thread.java:745)[:1.8.0_102]
>>
>> The returned response body is HTML, showing the stack trace. May I know
>> if there's a way to alter this behaviour to return an empty response body
>> and/or throw an application exception?
>>
>> Thanks.
>>
>> Regards,
>> Allan C.
>>
>>
>
> --
> Sergey Beryozkin
>
> Talend Community Coders
> http://coders.talend.com/
>
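
The servlet filter workaround suggested in this thread, sketched as an added example (not code from either poster or from CXF): it answers a blank `Authorization` header with a 401 and an empty body before the request reaches `Headers.getAuthorization`, so no stack trace is rendered to the client. The class name `EmptyAuthorizationFilter` and the `Bearer` challenge value are assumptions; it targets the `javax.servlet` 3.1 API seen in the trace, and registration (web.xml or the pax-web whiteboard) depends on the deployment.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical filter: rejects a present-but-blank Authorization header. */
public class EmptyAuthorizationFilter implements Filter {

    // Assumption: the API uses bearer tokens; use the scheme your endpoint expects.
    private static final String CHALLENGE = "Bearer";

    @Override
    public void init(FilterConfig filterConfig) {
        // No configuration needed.
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // null means the header is absent; that case already works and is
        // passed through. Only a header that is present but blank is rejected.
        String authorization = request.getHeader("Authorization");
        if (authorization != null && authorization.trim().isEmpty()) {
            // setStatus rather than sendError: sendError hands control to the
            // container's error page, which would produce an HTML body again.
            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            response.setHeader("WWW-Authenticate", CHALLENGE);
            response.setContentLength(0);
            return; // do not invoke the CXF servlet
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
        // Nothing to release.
    }
}
```

Map the filter ahead of the CXF servlet on the same URL pattern so it sees every request first.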
