You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@cxf.apache.org by "Glen Mazza (JIRA)" <ji...@apache.org> on 2008/04/01 01:48:24 UTC

[jira] Closed: (CXF-1495) AbstractHTTPDestination not propperly handling zero-length passwords in Basic Authorization header

     [ https://issues.apache.org/jira/browse/CXF-1495?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Glen Mazza closed CXF-1495.
---------------------------

    Resolution: Fixed
      Assignee: Glen Mazza

Patch applied (you'll see it in a day or two after Dan K moves it to 2.0.5)  Thanks!


> AbstractHTTPDestination not propperly handling zero-length passwords in Basic Authorization header
> --------------------------------------------------------------------------------------------------
>
>                 Key: CXF-1495
>                 URL: https://issues.apache.org/jira/browse/CXF-1495
>             Project: CXF
>          Issue Type: Bug
>          Components: Transports
>         Environment: Snapshot 30 Jan, 2008
>            Reporter: Chris Wolf
>            Assignee: Glen Mazza
>            Priority: Minor
>
> When deploying the CXF servlet to a Siteminder-protected web app, Siteminder will modify the Basic Authorization
> header and blank out the password for increased security, since subsequent requests are already authenticated via the encrypted
> Siteminder cookie.    Zero-length passwords in the Basic Authorization headers are permitted per RFC-2617:
> http://www.rfc.net/rfc2617.html#p5
> The symptom is the following stack trace trace:
> ava.lang.ArrayIndexOutOfBoundsException: 1
> org.apache.cxf.transport.http.AbstractHTTPDestination.setHeaders(AbstractHTTPDestination.java:137)
> org.apache.cxf.transport.http.AbstractHTTPDestination.setupMessage(AbstractHTTPDestination.java:286)
> org.apache.cxf.transport.servlet.ServletDestination.invoke(ServletDestination.java:82)
> org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:213)
> org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:150)
> org.apache.cxf.transport.servlet.AbstractCXFServlet.invoke(AbstractCXFServlet.java:170)
> org.apache.cxf.transport.servlet.AbstractCXFServlet.doPost(AbstractCXFServlet.java:148)
> javax.servlet.http.HttpServlet.service(HttpServlet.java:709)
> javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
> The fix is to change one line in:
> org.apache.cxf.transport.http.AbstractHTTPDestination, line 137 (snapshot
> 2008-01-30)
> Change the line from:
> String password = authInfo[1];
> ...to:
> String password = (authInfo.length>1?authInfo[1]:"");

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.