You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@tomee.apache.org by ra...@apache.org on 2019/01/09 17:26:10 UTC
[tomee] 22/48: TOMEE-2365 - Fixed NPE on empty Authorization header.
This is an automated email from the ASF dual-hosted git repository.
radcortez pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/tomee.git
commit 8fa7252ee13de41f2ee1f3df97ade266d5ce786d
Author: Roberto Cortez <ra...@yahoo.com>
AuthorDate: Wed Dec 26 17:45:22 2018 +0000
TOMEE-2365 - Fixed NPE on empty Authorization header.
---
.../security/cdi/BasicAuthenticationMechanism.java | 10 ++-
.../security/servlet/BasicAuthServletTest.java | 76 ++++++++++++++++++++++
2 files changed, 83 insertions(+), 3 deletions(-)
diff --git a/tomee/tomee-security/src/main/java/org/apache/tomee/security/cdi/BasicAuthenticationMechanism.java b/tomee/tomee-security/src/main/java/org/apache/tomee/security/cdi/BasicAuthenticationMechanism.java
index f4c4722..3bb5bea 100644
--- a/tomee/tomee-security/src/main/java/org/apache/tomee/security/cdi/BasicAuthenticationMechanism.java
+++ b/tomee/tomee-security/src/main/java/org/apache/tomee/security/cdi/BasicAuthenticationMechanism.java
@@ -28,6 +28,7 @@ import javax.security.enterprise.credential.BasicAuthenticationCredential;
import javax.security.enterprise.identitystore.CredentialValidationResult;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
+import java.util.Optional;
import static javax.security.enterprise.identitystore.CredentialValidationResult.Status.VALID;
import static javax.ws.rs.core.HttpHeaders.AUTHORIZATION;
@@ -79,8 +80,11 @@ public class BasicAuthenticationMechanism implements HttpAuthenticationMechanism
}
private BasicAuthenticationCredential parseAuthenticationHeader(final String authenticationHeader) {
- return !authenticationHeader.isEmpty() && authenticationHeader.startsWith("Basic ") ?
- new BasicAuthenticationCredential(authenticationHeader.substring(6)) :
- new BasicAuthenticationCredential(null);
+ return Optional.ofNullable(authenticationHeader)
+ .filter(header -> !header.isEmpty())
+ .filter(header -> header.startsWith("Basic "))
+ .map(header -> header.substring(6))
+ .map(BasicAuthenticationCredential::new)
+ .orElseGet(() -> new BasicAuthenticationCredential(""));
}
}
diff --git a/tomee/tomee-security/src/test/java/org/apache/tomee/security/servlet/BasicAuthServletTest.java b/tomee/tomee-security/src/test/java/org/apache/tomee/security/servlet/BasicAuthServletTest.java
new file mode 100644
index 0000000..b25f169
--- /dev/null
+++ b/tomee/tomee-security/src/test/java/org/apache/tomee/security/servlet/BasicAuthServletTest.java
@@ -0,0 +1,76 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.tomee.security.servlet;
+
+import org.apache.openejb.loader.JarLocation;
+import org.apache.openejb.util.NetworkUtil;
+import org.apache.tomee.embedded.Configuration;
+import org.apache.tomee.embedded.Container;
+import org.apache.tomee.security.client.BasicAuthFilter;
+import org.junit.Test;
+
+import javax.security.enterprise.authentication.mechanism.http.BasicAuthenticationMechanismDefinition;
+import javax.servlet.ServletException;
+import javax.servlet.annotation.HttpConstraint;
+import javax.servlet.annotation.ServletSecurity;
+import javax.servlet.annotation.WebServlet;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.ws.rs.client.ClientBuilder;
+import java.io.IOException;
+
+import static org.junit.Assert.assertEquals;
+
+public class BasicAuthServletTest {
+ @Test
+ public void testWebApp() throws Exception {
+ try (Container container = new Container(
+ new Configuration()
+ .conf("conf")
+ .http(NetworkUtil.getNextAvailablePort())
+ .property("openejb.container.additional.exclude", "org.apache.tomee.security.")
+ .property("openejb.additional.include", "tomee-"))
+ .deployPathsAsWebapp(
+ JarLocation.jarLocation(SimpleServletTest.class),
+ JarLocation.jarLocation(TomEESecurityServletContainerInitializer.class))) {
+
+ final String servlet = "http://localhost:" + container.getConfiguration().getHttpPort() + "/basic";
+
+ assertEquals(401, ClientBuilder.newBuilder().build()
+ .target(servlet)
+ .request()
+ .get().getStatus());
+
+ assertEquals(200, ClientBuilder.newBuilder().register(new BasicAuthFilter()).build()
+ .target(servlet)
+ .request()
+ .get().getStatus());
+ }
+ }
+
+ @WebServlet(urlPatterns = "/basic")
+ @ServletSecurity(@HttpConstraint(rolesAllowed = "tomcat"))
+ @BasicAuthenticationMechanismDefinition
+ public static class TestServlet extends HttpServlet {
+ @Override
+ protected void doGet(final HttpServletRequest req, final HttpServletResponse resp)
+ throws ServletException, IOException {
+ resp.getWriter().write("ok!");
+ }
+ }
+}