Posted to issues@cxf.apache.org by "Chris Wolf (JIRA)" <ji...@apache.org> on 2008/03/31 21:58:25 UTC

[jira] Updated: (CXF-1495) AbstractHTTPDestination not properly handling zero-length passwords in Basic Authorization header

     [ https://issues.apache.org/jira/browse/CXF-1495?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Chris Wolf updated CXF-1495:
----------------------------

    Description: 

When deploying the CXF servlet to a Siteminder-protected web app, Siteminder will modify the Basic Authorization
header and blank out the password since subsequent requests are already authenticated via the encrypted
Siteminder cookie. Zero-length passwords in the Basic Authorization headers are permitted per RFC-2617:
http://www.rfc.net/rfc2617.html#p5

The symptom is the following stack trace:

java.lang.ArrayIndexOutOfBoundsException: 1
org.apache.cxf.transport.http.AbstractHTTPDestination.setHeaders(AbstractHTTPDestination.java:137)
org.apache.cxf.transport.http.AbstractHTTPDestination.setupMessage(AbstractHTTPDestination.java:286)
org.apache.cxf.transport.servlet.ServletDestination.invoke(ServletDestination.java:82)
org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:213)
org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:150)
org.apache.cxf.transport.servlet.AbstractCXFServlet.invoke(AbstractCXFServlet.java:170)
org.apache.cxf.transport.servlet.AbstractCXFServlet.doPost(AbstractCXFServlet.java:148)
javax.servlet.http.HttpServlet.service(HttpServlet.java:709)
javax.servlet.http.HttpServlet.service(HttpServlet.java:802)

The fix is to change one line in:
org.apache.cxf.transport.http.AbstractHTTPDestination, line 137 (snapshot
2008-01-30)

Change the line from:
String password = authInfo[1];

...to:

String password = (authInfo.length>1?authInfo[1]:"");
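The failure mode above, as an added example that is not CXF's code: it assumes the credentials were split on ':' with String.split, which drops trailing empty strings, so "user:" yields a one-element array and authInfo[1] throws. The hardened parser splits at the first ':' only and returns "" for an empty password, as RFC 2617 permits; java.util.Base64 and ISO-8859-1 decoding are assumptions of this example.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

// Added example (not CXF code): parsing a Basic Authorization header so that
// a zero-length password, as RFC 2617 allows, does not crash the server side.
public class BasicAuthParser {

    /** Mirrors the failing pattern from the report: split on ':' and index [1]. */
    static String[] parseFragile(String headerValue) {
        String decoded = decode(headerValue);
        String[] authInfo = decoded.split(":");
        // "alice:" splits to ["alice"]: Java drops trailing empty strings,
        // so authInfo[1] throws ArrayIndexOutOfBoundsException: 1.
        return new String[] { authInfo[0], authInfo[1] };
    }

    /** Hardened form: split at the first ':' only, so a password keeps any
     *  further colons and an empty password becomes "" instead of an exception. */
    static String[] parseSafe(String headerValue) {
        String decoded = decode(headerValue);
        int sep = decoded.indexOf(':');
        if (sep < 0) {
            throw new IllegalArgumentException("Basic credentials lack ':' separator");
        }
        String user = decoded.substring(0, sep);
        String password = decoded.substring(sep + 1); // "" when nothing follows ':'
        return new String[] { user, password };
    }

    private static String decode(String headerValue) {
        String prefix = "Basic ";
        if (headerValue == null || !headerValue.regionMatches(true, 0, prefix, 0, prefix.length())) {
            throw new IllegalArgumentException("Not a Basic Authorization header");
        }
        byte[] raw = Base64.getDecoder().decode(headerValue.substring(prefix.length()).trim());
        return new String(raw, StandardCharsets.ISO_8859_1);
    }

    public static void main(String[] args) {
        // Constructed sample: "alice:" with the password blanked, as a Siteminder-style proxy forwards it.
        String header = "Basic " + Base64.getEncoder().encodeToString("alice:".getBytes(StandardCharsets.ISO_8859_1));
        String[] creds = parseSafe(header);
        System.out.println("user=" + creds[0] + " passwordLength=" + creds[1].length());
        try {
            parseFragile(header);
        } catch (ArrayIndexOutOfBoundsException e) {
            System.out.println("fragile parser failed: " + e);
        }
    }
}
```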
  was:

When deploying the CXF servlet to a Siteminder-protected web app, Siteminder will modify the Basic Authorization
header and blank out the password since subsequent requests are already authenticated via the encrypted
Siteminder cookie. Zero-length passwords in the Basic Authorization headers are permitted per RFC-2617:
http://www.rfc.net/rfc2617.html#p5

The symptom is the following stack trace:

java.lang.ArrayIndexOutOfBoundsException: 1
org.apache.cxf.transport.http.AbstractHTTPDestination.setHeaders(AbstractHTTPDestination.java:137)
org.apache.cxf.transport.http.AbstractHTTPDestination.setupMessage(AbstractHTTPDestination.java:286)
org.apache.cxf.transport.servlet.ServletDestination.invoke(ServletDestination.java:82)
org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:213)
org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:150)
org.apache.cxf.transport.servlet.AbstractCXFServlet.invoke(AbstractCXFServlet.java:170)
org.apache.cxf.transport.servlet.AbstractCXFServlet.doPost(AbstractCXFServlet.java:148)
javax.servlet.http.HttpServlet.service(HttpServlet.java:709)
javax.servlet.http.HttpServlet.service(HttpServlet.java:802)

The fix is to change one line in:
org.apache.cxf.transport.http.AbstractHTTPDestination, line 137 (snapshot
2008-01-30)

Change the line from:
String password = authInfo[1];

...to:

String password = (authInfo.length>1?authInfo[1]:"");
> AbstractHTTPDestination not properly handling zero-length passwords in Basic Authorization header
> -------------------------------------------------------------------------------------------------
>
>                 Key: CXF-1495
>                 URL: https://issues.apache.org/jira/browse/CXF-1495
>             Project: CXF
>          Issue Type: Bug
>          Components: Transports
>         Environment: Snapshot 30 Jan, 2008
>            Reporter: Chris Wolf
>            Priority: Minor
>

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.