You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@cxf.apache.org by "Wolf, Chris (IT)" <Ch...@morganstanley.com> on 2008/03/31 22:04:16 UTC

RE: Error inAbstractHTTPDestination.setHeaders,AbstractHTTPDestination.setHeaders

Sorry for the delay on this, but I'm pretty certain that CXF has a bug.

I discovered that Siteminder does indeed blank out the password in the 
Basic "Authorization" header, once the user is authenticated via
Sitemeinder,  
for security purposes, however there is *still* a colon character,
therefore 
this fulfills the RFC-2617 spec, which allows for a zero-length
password.  I quote the BNF from the spec:
http://www.rfc.net/rfc2617.html#p5
 
   To receive authorization, the client sends the userid and password,
   separated by a single colon (":") character, within a base64 [7]
   encoded string in the credentials.

      basic-credentials = base64-user-pass
      base64-user-pass  = <base64 [4] encoding of user-pass,
                       except not limited to 76 char/line>
      user-pass   = userid ":" password
      userid      = *<TEXT excluding ":">
      password    = *TEXT


As you can see, zero-length passwords are permitted.  The fix is a
one-liner,
in org.apache.cxf.transport.http.AbstractHTTPDestination, line 137
(snapshot
2008-01-30)

Change the line from:
String password = authInfo[1];

...to:

String password = (authInfo.length>1?authInfo[1]:"");


I took the liberty of creating a Jira entry for this bug:

https://issues.apache.org/jira/browse/CXF-1495

Thanks,

  -Chris Wolf



-----Original Message-----
From: Glen Mazza [mailto:glen.mazza@verizon.net] 
Sent: Friday, March 21, 2008 8:43 PM
To: cxf-user@incubator.apache.org
Subject: RE: Error
inAbstractHTTPDestination.setHeaders,AbstractHTTPDestination.setHeaders

I've been looking at our Basic Authentication recently--the error
messages have been cryptic in many cases, not providing acceptable
feedback.  

In your case below, we should have a precise error message about an
invalid format in the Authorization header field--not just an NPE of
course.  If you could submit a JIRA for this it would be appreciated,
else I'll try to remember.

I don't think we should make an exception for Siteminder though, because
that might open up a security hole.  Also, Section two of RFC 2617[1]
states:  "To receive authorization, the client sends the userid and
password, separated by a single colon (":") character, within a base64
[7] encoded string in the credentials."  Apparently both username and
password are always needed.  I don't know Siteminder but I would think
they would have an option to always supply a password in order to be RFC
2617 compliant.  If not, please let them know about it.

Thanks,
Glen


[1] http://www.faqs.org/rfcs/rfc2617.html

Am Freitag, den 21.03.2008, 11:30 -0400 schrieb Wolf, Chris (IT):
> Glen,
> 
> Thanks again for your help.  I downloaded the source and looked at it 
> before going through the laborious task of setting up for remote 
> debugging.
> 
> I can see the the issue is the code in AbstractHTTPDestination always 
> assumes the value of the "Authorization" header will always be a 
> base64 encoded "username:password" value -- in my case, we use 
> Siteminder authentication, so sometimes the value of the 
> "Authorization" header is just the base64 encoded username -- without 
> a colon and password, i.e. no ":passw", which exactly explains this 
> array index out of bounds exception.
> 
> The workaround is, I'm going to tell my users to log out of Siteminder

> and re-authenticate, such that the "Authorization" header always has 
> both pieces in the value.
> 
> I would like to present a patch for the case where the "Authorization"

> header value does not contain a colon character, even for "Basic"
> type of authentication, but I'm not sure special accomodation would be

> made for Siteminder, unelss the RFC for Basic authentication says the 
> "Authorization" header may contain just an encoded username in certain

> circumstances.
> 
>  
>     -Chris
> 
> -----Original Message-----
> From: Glen Mazza [mailto:glen.mazza@verizon.net]
> Sent: Friday, March 21, 2008 7:12 AM
> To: cxf-user@incubator.apache.org
> Subject: Re: Error in
> AbstractHTTPDestination.setHeaders,AbstractHTTPDestination.setHeaders
> 
> Am Freitag, den 21.03.2008, 01:27 -0400 schrieb Wolf, Chris (IT):
> > If I run my service inside a Tomcat-5.5 runtime configured in 
> > Eclipse-3.2, all works fine.
> > I run the very same code, deployed on Tomcat-5.5 on Linux, I get 
> > this error.
> > If anyone can suggest something short of debuggin the CXF source, 
> > that
> 
> > would be great.  I am using 2.0.4.
> > 
> 
> If nobody else can answer your question, time to debug the CXF source:
> 
> http://www.jroller.com/gmazza/date/20071212
> 
> Step #5 would probably be most important for you.
> 
> Glen
> --------------------------------------------------------
> 
> NOTICE: If received in error, please destroy and notify sender. Sender
does not intend to waive confidentiality or privilege. Use of this email
is prohibited when received in error.
--------------------------------------------------------

NOTICE: If received in error, please destroy and notify sender. Sender does not intend to waive confidentiality or privilege. Use of this email is prohibited when received in error.