
AbstractHTTPDestination class incorrectly assumes only one empty space after "Basic" in Authorization header value.

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.7.16, 3.1.1
    • Fix Version/s: 3.1.6, 3.0.9, 3.2.0
    • Component/s: JAX-RS
    • Labels:
      None
    • Estimated Complexity:
      Unknown
    • Flags:
      Patch

      Description

      The getAuthorizationPolicyFromMessage() method in the AbstractHTTPDestination class incorrectly assumes only one empty space after "Basic" in the Authorization header value, but one can send multiple empty spaces after the "Basic" string or can skip the content after the "Basic" string; in both cases CXF returns Java exceptions along with a stack trace to the client side.

      Case 1: curl http://localhost:8080/hello/echo/hello -H "Authorization:Basic  YWRtaW46YWRtaW4=" (2 whitespace characters after "Basic")

      java.lang.NullPointerException
      at java.lang.String.<init>(String.java:556)
      at org.apache.cxf.transport.http.AbstractHTTPDestination.getAuthorizationPolicyFromMessage(AbstractHTTPDestination.java:167)
      at org.apache.cxf.transport.http.AbstractHTTPDestination.setupMessage(AbstractHTTPDestination.java:385)
      at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:236)
      at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:234)
      at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:208)
      at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:160)
      at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:171)
      at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:293)
      at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doGet(AbstractHTTPServlet.java:217)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:735)

      Case 2: curl http://localhost:8080/hello/echo/hello -H "Authorization:Basic" (no content after "Basic")

      Server Error
      Caused by: java.lang.ArrayIndexOutOfBoundsException: 1
      at org.apache.cxf.transport.http.AbstractHTTPDestination.getAuthorizationPolicyFromMessage(AbstractHTTPDestination.java:165)
      at org.apache.cxf.transport.http.AbstractHTTPDestination.setupMessage(AbstractHTTPDestination.java:385)
      at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:236)
      at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:234)
      at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:208)
      at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:160)
      at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:171)
      at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:293)
      at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doGet(AbstractHTTPServlet.java:217)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:735)
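Added example, not CXF's code: a hypothetical standalone Java parser that accepts the header forms from both cases above (several spaces after "Basic", or nothing after it) without throwing, returning an empty result that the caller can turn into a 401 instead of leaking a stack trace to the client. The class and record names are assumed; it relies on java.util.Base64 and a Java 16+ record.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Optional;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Hypothetical hardened parser for an "Authorization: Basic <credentials>" header (not CXF's code). */
public final class BasicAuthHeaderParser {

    /** Decoded user-id and password pair (RFC 7617). Requires Java 16+ for records. */
    public record Credentials(String userName, String password) {}

    // Scheme name is case-insensitive (RFC 7235); any run of whitespace may separate it
    // from the token68 credentials, and the credentials must actually be present.
    private static final Pattern BASIC =
            Pattern.compile("^\\s*Basic\\s+([A-Za-z0-9._~+/-]+=*)\\s*$", Pattern.CASE_INSENSITIVE);

    /**
     * Returns the credentials when the header is well-formed, otherwise Optional.empty();
     * the cases in this report ("Basic" with extra spaces, "Basic" alone) never throw.
     */
    public static Optional<Credentials> parse(String authorizationHeader) {
        if (authorizationHeader == null) {
            return Optional.empty();
        }
        Matcher m = BASIC.matcher(authorizationHeader);
        if (!m.matches()) {
            return Optional.empty();
        }
        byte[] decoded;
        try {
            decoded = Base64.getDecoder().decode(m.group(1));
        } catch (IllegalArgumentException e) {
            return Optional.empty(); // not valid base64: reject rather than propagate
        }
        String userPass = new String(decoded, StandardCharsets.UTF_8);
        int colon = userPass.indexOf(':');
        if (colon < 0) {
            return Optional.empty(); // RFC 7617 requires "user-id:password"
        }
        return Optional.of(new Credentials(userPass.substring(0, colon), userPass.substring(colon + 1)));
    }

    public static void main(String[] args) {
        // Constructed inputs: the two failing cases from the report, then the well-formed header.
        System.out.println(parse("Basic  YWRtaW46YWRtaW4="));
        System.out.println(parse("Basic"));
        System.out.println(parse("Basic YWRtaW46YWRtaW4="));
    }
}
```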

            People

            • Assignee: Sergey Beryozkin (sergey_beryozkin)
            • Reporter: Sagara Gunathunga (sagara)
            • Votes: 0
            • Watchers: 5
