You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@cxf.apache.org by "Chris Wolf (JIRA)" <ji...@apache.org> on 2008/03/31 21:58:25 UTC
[jira] Updated: (CXF-1495) AbstractHTTPDestination not propperly
handling zero-length passwords in Basic Authorization header
[ https://issues.apache.org/jira/browse/CXF-1495?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Chris Wolf updated CXF-1495:
----------------------------
Description:
When deploying the CXF servlet to a Siteminder-protected web app, Siteminder will modify the Basic Authorization
header and blank out the password since subsequent requests are already authenticated via the encrypted
Siteminder cookie. Zero-lenght passwords in the Basic Authorization headers are permitted per RFC-2617:
http://www.rfc.net/rfc2617.html#p5
The symptom is the following stace trace:
ava.lang.ArrayIndexOutOfBoundsException: 1
org.apache.cxf.transport.http.AbstractHTTPDestination.setHeaders(AbstractHTTPDestination.java:137)
org.apache.cxf.transport.http.AbstractHTTPDestination.setupMessage(AbstractHTTPDestination.java:286)
org.apache.cxf.transport.servlet.ServletDestination.invoke(ServletDestination.java:82)
org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:213)
org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:150)
org.apache.cxf.transport.servlet.AbstractCXFServlet.invoke(AbstractCXFServlet.java:170)
org.apache.cxf.transport.servlet.AbstractCXFServlet.doPost(AbstractCXFServlet.java:148)
javax.servlet.http.HttpServlet.service(HttpServlet.java:709)
javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
The fix is to change one line in:
org.apache.cxf.transport.http.AbstractHTTPDestination, line 137 (snapshot
2008-01-30)
Change the line from:
String password = authInfo[1];
...to:
String password = (authInfo.length>1?authInfo[1]:"");
was:
When deployin the CXF servlet to a Siteminder-protected web app, Siteminder will modify the Basic Authorization
header and blank out the password since subsequent requests are already authenticated via the encrypted
Siteminder cookie. Zero-lenght passwords in the Basic Authorization headers are permitted per RFC-2617:
http://www.rfc.net/rfc2617.html#p5
The symptom is the following stace trace:
ava.lang.ArrayIndexOutOfBoundsException: 1
org.apache.cxf.transport.http.AbstractHTTPDestination.setHeaders(AbstractHTTPDestination.java:137)
org.apache.cxf.transport.http.AbstractHTTPDestination.setupMessage(AbstractHTTPDestination.java:286)
org.apache.cxf.transport.servlet.ServletDestination.invoke(ServletDestination.java:82)
org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:213)
org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:150)
org.apache.cxf.transport.servlet.AbstractCXFServlet.invoke(AbstractCXFServlet.java:170)
org.apache.cxf.transport.servlet.AbstractCXFServlet.doPost(AbstractCXFServlet.java:148)
javax.servlet.http.HttpServlet.service(HttpServlet.java:709)
javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
The fix is to change one line in:
org.apache.cxf.transport.http.AbstractHTTPDestination, line 137 (snapshot
2008-01-30)
Change the line from:
String password = authInfo[1];
...to:
String password = (authInfo.length>1?authInfo[1]:"");
> AbstractHTTPDestination not propperly handling zero-length passwords in Basic Authorization header
> --------------------------------------------------------------------------------------------------
>
> Key: CXF-1495
> URL: https://issues.apache.org/jira/browse/CXF-1495
> Project: CXF
> Issue Type: Bug
> Components: Transports
> Environment: Snapshot 30 Jan, 2008
> Reporter: Chris Wolf
> Priority: Minor
>
> When deploying the CXF servlet to a Siteminder-protected web app, Siteminder will modify the Basic Authorization
> header and blank out the password since subsequent requests are already authenticated via the encrypted
> Siteminder cookie. Zero-lenght passwords in the Basic Authorization headers are permitted per RFC-2617:
> http://www.rfc.net/rfc2617.html#p5
> The symptom is the following stace trace:
> ava.lang.ArrayIndexOutOfBoundsException: 1
> org.apache.cxf.transport.http.AbstractHTTPDestination.setHeaders(AbstractHTTPDestination.java:137)
> org.apache.cxf.transport.http.AbstractHTTPDestination.setupMessage(AbstractHTTPDestination.java:286)
> org.apache.cxf.transport.servlet.ServletDestination.invoke(ServletDestination.java:82)
> org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:213)
> org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:150)
> org.apache.cxf.transport.servlet.AbstractCXFServlet.invoke(AbstractCXFServlet.java:170)
> org.apache.cxf.transport.servlet.AbstractCXFServlet.doPost(AbstractCXFServlet.java:148)
> javax.servlet.http.HttpServlet.service(HttpServlet.java:709)
> javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
> The fix is to change one line in:
> org.apache.cxf.transport.http.AbstractHTTPDestination, line 137 (snapshot
> 2008-01-30)
> Change the line from:
> String password = authInfo[1];
> ...to:
> String password = (authInfo.length>1?authInfo[1]:"");
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.