Posted to issues@cxf.apache.org by "Sergey Beryozkin (JIRA)" <ji...@apache.org> on 2016/02/24 14:05:18 UTC

[jira] [Resolved] (CXF-6492) AbstractHTTPDestination class incorrectly assumes only one empty space after "Basic" in Authorization header value.

     [ https://issues.apache.org/jira/browse/CXF-6492?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sergey Beryozkin resolved CXF-6492.
-----------------------------------
       Resolution: Fixed
         Assignee: Sergey Beryozkin
    Fix Version/s: 3.0.9
                   3.1.6
                   3.2.0

> AbstractHTTPDestination class incorrectly assumes only one empty space after "Basic" in Authorization header value.
> -------------------------------------------------------------------------------------------------------------------
>
>                 Key: CXF-6492
>                 URL: https://issues.apache.org/jira/browse/CXF-6492
>             Project: CXF
>          Issue Type: Bug
>          Components: JAX-RS
>    Affects Versions: 2.7.16, 3.1.1
>            Reporter: Sagara Gunathunga 
>            Assignee: Sergey Beryozkin
>             Fix For: 3.2.0, 3.1.6, 3.0.9
>
>
> The getAuthorizationPolicyFromMessage() method in the AbstractHTTPDestination class incorrectly assumes only one empty space after "Basic" in the Authorization header value, but one can send multiple empty spaces after the "Basic" string or can skip the content after the "Basic" string. In both cases CXF returns Java exceptions along with a stack trace to the client side.
> Case 1: curl http://localhost:8080/hello/echo/hello -H "Authorization:Basic  YWRtaW46YWRtaW4=" (2 whitespace characters after "Basic")
> java.lang.NullPointerException
> 	at java.lang.String.<init>(String.java:556)
> 	at org.apache.cxf.transport.http.AbstractHTTPDestination.getAuthorizationPolicyFromMessage(AbstractHTTPDestination.java:167)
> 	at org.apache.cxf.transport.http.AbstractHTTPDestination.setupMessage(AbstractHTTPDestination.java:385)
> 	at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:236)
> 	at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:234)
> 	at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:208)
> 	at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:160)
> 	at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:171)
> 	at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:293)
> 	at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doGet(AbstractHTTPServlet.java:217)
> 	at javax.servlet.http.HttpServlet.service(HttpServlet.java:735)
> Case 2: curl http://localhost:8080/hello/echo/hello -H "Authorization:Basic" (no content after "Basic")
> Server Error
> Caused by: java.lang.ArrayIndexOutOfBoundsException: 1
> 	at org.apache.cxf.transport.http.AbstractHTTPDestination.getAuthorizationPolicyFromMessage(AbstractHTTPDestination.java:165)
> 	at org.apache.cxf.transport.http.AbstractHTTPDestination.setupMessage(AbstractHTTPDestination.java:385)
> 	at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:236)
> 	at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:234)
> 	at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:208)
> 	at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:160)
> 	at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:171)
> 	at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:293)
> 	at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doGet(AbstractHTTPServlet.java:217)
> 	at javax.servlet.http.HttpServlet.service(HttpServlet.java:735)



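The two failing inputs in the report can be handled by a parser that validates each step and returns no credentials instead of throwing, so the caller can treat the request as unauthenticated and no stack trace reaches the client. The following is an added example, not part of the original message and not the CXF fix; the class `BasicAuthHeader` and its `parse` method are hypothetical names, and the sample header values are constructed from the cases in the report.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

// Added example: BasicAuthHeader and parse() are hypothetical names, not CXF code.
public final class BasicAuthHeader {
    public final String user;
    public final String password;

    private BasicAuthHeader(String user, String password) {
        this.user = user;
        this.password = password;
    }

    /** Returns parsed credentials, or null when the value is not well-formed Basic auth. */
    public static BasicAuthHeader parse(String headerValue) {
        if (headerValue == null) {
            return null;
        }
        // Split on any run of whitespace; the limit of 2 keeps the credentials in one piece.
        String[] parts = headerValue.trim().split("\\s+", 2);
        if (parts.length != 2 || !"Basic".equalsIgnoreCase(parts[0])) {
            return null; // also covers "Basic" with nothing after it (case 2)
        }
        byte[] decoded;
        try {
            decoded = Base64.getDecoder().decode(parts[1]);
        } catch (IllegalArgumentException e) {
            return null; // not valid base64
        }
        String creds = new String(decoded, StandardCharsets.UTF_8);
        int colon = creds.indexOf(':');
        if (colon < 0) {
            return null; // user-id and password must be separated by ':'
        }
        return new BasicAuthHeader(creds.substring(0, colon), creds.substring(colon + 1));
    }

    public static void main(String[] args) {
        // Constructed inputs: normal form, case 1 (two spaces), case 2 (no content), bad base64.
        String[] samples = {"Basic YWRtaW46YWRtaW4=", "Basic  YWRtaW46YWRtaW4=", "Basic", "Basic !!!"};
        for (String s : samples) {
            BasicAuthHeader h = parse(s);
            System.out.println("[" + s + "] -> " + (h == null ? "rejected" : "user=" + h.user));
        }
    }
}
```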