CXF-6492

AbstractHTTPDestination class incorrectly assumes only one space after "Basic" in the Authorization header value.


Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.7.16, 3.1.1
    • Fix Version/s: 3.1.6, 3.0.9, 3.2.0
    • Component/s: JAX-RS
    • Labels: None
    • Estimated Complexity: Unknown
    • Flags: Patch

    Description

      The getAuthorizationPolicyFromMessage() method in the AbstractHTTPDestination class incorrectly assumes only one space after "Basic" in the Authorization header value, but a client can send multiple spaces after the "Basic" string or omit the content after "Basic" entirely; in both cases CXF returns Java exceptions along with a stack trace to the client side.

      Case 1: curl http://localhost:8080/hello/echo/hello -H "Authorization:Basic YWRtaW46YWRtaW4=" (2 whitespace characters after "Basic")

      java.lang.NullPointerException
      at java.lang.String.<init>(String.java:556)
      at org.apache.cxf.transport.http.AbstractHTTPDestination.getAuthorizationPolicyFromMessage(AbstractHTTPDestination.java:167)
      at org.apache.cxf.transport.http.AbstractHTTPDestination.setupMessage(AbstractHTTPDestination.java:385)
      at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:236)
      at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:234)
      at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:208)
      at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:160)
      at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:171)
      at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:293)
      at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doGet(AbstractHTTPServlet.java:217)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:735)

      Case 2: curl http://localhost:8080/hello/echo/hello -H "Authorization:Basic" (no content after "Basic")

      Server Error

      Caused by:
      java.lang.ArrayIndexOutOfBoundsException: 1
      at org.apache.cxf.transport.http.AbstractHTTPDestination.getAuthorizationPolicyFromMessage(AbstractHTTPDestination.java:165)
      at org.apache.cxf.transport.http.AbstractHTTPDestination.setupMessage(AbstractHTTPDestination.java:385)
      at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:236)
      at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:234)
      at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:208)
      at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:160)
      at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:171)
      at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:293)
      at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doGet(AbstractHTTPServlet.java:217)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:735)
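The parsing behaviour the report asks for, shown as an added example that is not CXF's own code (the BasicAuthHeaderParser and Credentials names are assumed): the scheme and the credentials token are separated on any run of whitespace, and a missing or malformed token yields an empty result instead of an exception, so no stack trace reaches the client.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Optional;

public final class BasicAuthHeaderParser {
    /** User name and password carried by a Basic Authorization header. */
    public static final class Credentials {
        public final String userName;
        public final String password;
        Credentials(String userName, String password) {
            this.userName = userName;
            this.password = password;
        }
    }
    /**
     * Returns the credentials in an Authorization header value, or Optional.empty() when the header
     * is absent, uses another scheme, has no credentials token (case 2 above) or carries malformed
     * base64. The caller maps "empty" to "no policy" or a 401; it never becomes a server exception.
     */
    public static Optional<Credentials> parse(String headerValue) {
        if (headerValue == null) {
            return Optional.empty();
        }
        // RFC 7235 allows one or more whitespace characters between scheme and token (case 1 above),
        // so split on a run of whitespace rather than on a single space.
        String[] parts = headerValue.trim().split("\\s+", 2);
        if (parts.length != 2 || !"Basic".equalsIgnoreCase(parts[0])) {
            return Optional.empty();
        }
        byte[] decoded;
        try {
            decoded = Base64.getDecoder().decode(parts[1]);
        } catch (IllegalArgumentException e) {
            return Optional.empty();  // malformed base64 is a client error, not a 500
        }
        String userPass = new String(decoded, StandardCharsets.UTF_8);
        int colon = userPass.indexOf(':');
        if (colon < 0) {
            return Optional.empty();  // RFC 7617 requires "user-id:password"
        }
        // The password may itself contain ':', so split only at the first one.
        return Optional.of(new Credentials(userPass.substring(0, colon), userPass.substring(colon + 1)));
    }
    public static void main(String[] args) {
        // Constructed samples mirroring the report: two spaces, nothing after "Basic", and the normal form.
        for (String s : new String[] { "Basic  YWRtaW46YWRtaW4=", "Basic", "Basic YWRtaW46YWRtaW4=" }) {
            System.out.println("\"" + s + "\" -> " + parse(s).map(c -> "user=" + c.userName).orElse("no credentials"));
        }
    }
}
```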

          People

            Assignee: Sergey Beryozkin (sergey_beryozkin)
            Reporter: Sagara Gunathunga (sagara)