users@jersey.java.net

[Jersey] Re: Bug in SecurityFilter sample

From: Martynas Jusevičius <martynas_at_graphity.org>
Date: Wed, 14 Aug 2013 18:17:14 +0300

After a second look at the String javadoc, the fix might be as easy as
adding a second argument to split():

String[] values = Base64.base64Decode(authentication).split(":", 2);

Martynas

On Wed, Aug 14, 2013 at 5:57 PM, Martynas Jusevičius
<martynas_at_graphity.org> wrote:
> Hey,
>
> I know it's just a sample, but many people might be using code derived
> from it and be potentially exposed to this issue.
>
> https://java.net/projects/jersey/sources/svn/content/trunk/jersey/samples/https-clientserver-grizzly/src/main/java/com/sun/jersey/samples/https_grizzly/auth/SecurityFilter.java
>
> This code doesn't account for the fact that the HTTP Basic password might
> itself contain colons, so there may be more colons in the
> Base64-decoded string than the one separating username and password.
> Currently split(":") is used, which is the root of the problem; it is
> the same issue as here:
> http://stackoverflow.com/questions/3990560/password-with-a-colon-fails-basic-auth
>
> My fix:
>
> authentication = authentication.substring("Basic ".length());
> authentication = Base64.base64Decode(authentication);
> int colonIndex = authentication.indexOf(":");
> if (colonIndex < 0)
> {
>     if (log.isDebugEnabled()) log.debug("Invalid syntax for username and password");
>     throw new MappableContainerException(
>         new AuthenticationException("Invalid syntax for username and password", REALM));
> }
>
> String username = authentication.substring(0, colonIndex);
> String password = authentication.substring(colonIndex + 1);
>
> Martynas
> graphityhq.com
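Added example, not code from the Jersey sample or from the posts above: a stand-alone Java class that decodes a constructed Basic Authorization header both ways, the sample's split(":") beside the first-colon fix, using java.util.Base64 in place of Jersey's Base64 helper (the class and method names are my own).

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

// Added example (not the Jersey sample): parse an HTTP Basic Authorization
// header value into {username, password}, contrasting the sample's split(":")
// with the first-colon fix from the thread. java.util.Base64 stands in for
// Jersey's Base64.base64Decode.
public final class BasicAuthParsing {

    private static String decodeCredentials(String authorization) {
        if (!authorization.startsWith("Basic ")) {
            throw new IllegalArgumentException("Not an HTTP Basic Authorization header");
        }
        byte[] raw = Base64.getDecoder().decode(authorization.substring("Basic ".length()));
        return new String(raw, StandardCharsets.UTF_8);
    }

    // Original behaviour: split on every colon. A password such as "s3cr:et"
    // is silently truncated to "s3cr", and an empty password ("alice:") is
    // rejected because String.split(regex) drops trailing empty strings.
    static String[] parseWithSplit(String authorization) {
        String[] values = decodeCredentials(authorization).split(":");
        if (values.length < 2) {
            throw new IllegalArgumentException("Invalid syntax for username and password");
        }
        return new String[] { values[0], values[1] };
    }

    // Fixed behaviour: only the first colon separates username from password;
    // everything after it, colons included, is the password (RFC 7617 forbids
    // a colon in the user-id but allows it in the password).
    static String[] parseFirstColon(String authorization) {
        String decoded = decodeCredentials(authorization);
        int colonIndex = decoded.indexOf(':');
        if (colonIndex < 0) {
            throw new IllegalArgumentException("Invalid syntax for username and password");
        }
        return new String[] { decoded.substring(0, colonIndex), decoded.substring(colonIndex + 1) };
    }

    public static void main(String[] args) {
        // Constructed credentials: user "alice", password "s3cr:et".
        String header = "Basic " + Base64.getEncoder()
                .encodeToString("alice:s3cr:et".getBytes(StandardCharsets.UTF_8));
        String[] naive = parseWithSplit(header);   // password "s3cr" (truncated)
        String[] fixed = parseFirstColon(header);  // password "s3cr:et"
        System.out.println("split(\":\")  -> " + naive[0] + " / " + naive[1]);
        System.out.println("indexOf(':') -> " + fixed[0] + " / " + fixed[1]);
    }
}
```

The truncated password from parseWithSplit would simply fail the credential check, so a user with a colon in their password is locked out rather than exposed; the first-colon parse is also what split(":", 2) produces.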