Uploaded image for project: 'CXF'
  1. CXF
  2. CXF-6492

AbstractHTTPDestination class incorrectly assume only one empty space after "Basic" in Authorization header value.

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Fixed
    • 2.7.16, 3.1.1
    • 3.1.6, 3.0.9, 3.2.0
    • JAX-RS
    • None
    • Unknown
    • Patch

    Description

      getAuthorizationPolicyFromMessage() method in AbstractHTTPDestination class incorrectly assume only one empty space after "Basic" in Authorization header value but one can send multiple empty spaces after "Basic" string or can skip the content after "Basic" string in both cases CXF returns Java exceptions along with stack trace to the client side.

      case -1 : curl http://localhost:8080/hello/echo/hello -H "Authorization:Basic YWRtaW46YWRtaW4=" ( 2 whitespace characters after "Basic" )

      java.lang.NullPointerException
      at java.lang.String.<init>(String.java:556)
      at org.apache.cxf.transport.http.AbstractHTTPDestination.getAuthorizationPolicyFromMessage(AbstractHTTPDestination.java:167)
      at org.apache.cxf.transport.http.AbstractHTTPDestination.setupMessage(AbstractHTTPDestination.java:385)
      at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:236)
      at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:234)
      at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:208)
      at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:160)
      at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:171)
      at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:293)
      at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doGet(AbstractHTTPServlet.java:217)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:735)

      case - 2 : curl http://localhost:8080/hello/echo/hello -H "Authorization:Basic" ( No content after "Basic")

      Server Error</pre></p><h3>Caused by:</h3><pre>java.lang.ArrayIndexOutOfBoundsException: 1
      at org.apache.cxf.transport.http.AbstractHTTPDestination.getAuthorizationPolicyFromMessage(AbstractHTTPDestination.java:165)
      at org.apache.cxf.transport.http.AbstractHTTPDestination.setupMessage(AbstractHTTPDestination.java:385)
      at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:236)
      at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:234)
      at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:208)
      at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:160)
      at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:171)
      at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:293)
      at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doGet(AbstractHTTPServlet.java:217)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:735)

      Attachments

        Activity

          People

            sergey_beryozkin Sergey Beryozkin
            sagara Sagara Gunathunga
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: