users@jersey.java.net

[Jersey] Bug in SecurityFilter sample

From: Martynas Jusevičius <martynas_at_graphity.org>
Date: Wed, 14 Aug 2013 17:57:49 +0300

Hey,

I know it's just a sample, but many people might be using code derived
from it and be potentially exposed to this issue.

https://java.net/projects/jersey/sources/svn/content/trunk/jersey/samples/https-clientserver-grizzly/src/main/java/com/sun/jersey/samples/https_grizzly/auth/SecurityFilter.java

This code doesn't account for the fact that the HTTP Basic password might
itself contain colons, so there may be more colons in the
Base64-decoded string than the one separating username and password.
Currently split(":") is used, which is the root of the problem; it is
the same issue as here:
http://stackoverflow.com/questions/3990560/password-with-a-colon-fails-basic-auth

My fix:

// strip the "Basic " scheme prefix and decode the credentials
authentication = authentication.substring("Basic ".length());
authentication = Base64.base64Decode(authentication);
// the user-id may not contain a colon (RFC 2617), so the first colon is the
// separator; everything after it, including further colons, is the password
int colonIndex = authentication.indexOf(":");
if (colonIndex < 0)
{
   if (log.isDebugEnabled()) log.debug("Invalid syntax for username and password");
   throw new MappableContainerException(
       new AuthenticationException("Invalid syntax for username and password", REALM));
}

String username = authentication.substring(0, colonIndex);
String password = authentication.substring(colonIndex + 1);

Martynas
graphityhq.com
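As an added, self-contained illustration of the point made in the message above (this is not the Jersey sample's code nor the poster's), the class below parses a Basic Authorization header value with indexOf(':') and, for comparison, with the split(":") approach the sample uses. It assumes a JDK 8+ java.util.Base64 decoder in place of the sample's Base64 helper, UTF-8 credentials, and constructed test credentials ("alice" with the password "se:cr:et", "bob" with the password ":").

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

// Added example, not the Jersey sample: parses the value of an HTTP Basic
// Authorization header. java.util.Base64 (JDK 8+) stands in for the
// sample's Base64 helper; the test credentials in main() are constructed.
public final class BasicCredentials {
    public final String username;
    public final String password;

    private BasicCredentials(String username, String password) {
        this.username = username;
        this.password = password;
    }

    // Correct parsing: the user-id may not contain ':' (RFC 2617/7617), so
    // the first ':' is the separator and everything after it is the password.
    public static BasicCredentials parse(String authorization) {
        if (authorization == null
                || !authorization.regionMatches(true, 0, "Basic ", 0, 6)) {
            throw new IllegalArgumentException("Not an HTTP Basic authorization header");
        }
        String decoded;
        try {
            byte[] raw = Base64.getDecoder().decode(authorization.substring(6).trim());
            decoded = new String(raw, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            throw new IllegalArgumentException("Credentials are not valid Base64", e);
        }
        int colon = decoded.indexOf(':');
        if (colon < 0) {
            throw new IllegalArgumentException("Invalid syntax for username and password");
        }
        return new BasicCredentials(decoded.substring(0, colon),
                                    decoded.substring(colon + 1));
    }

    // The split(":") variant, kept only for comparison: it truncates the
    // password at its first colon, and because String.split drops trailing
    // empty strings it rejects a password consisting solely of ':'.
    public static BasicCredentials parseWithSplit(String authorization) {
        byte[] raw = Base64.getDecoder().decode(authorization.substring(6).trim());
        String[] values = new String(raw, StandardCharsets.UTF_8).split(":");
        if (values.length < 2) {
            throw new IllegalArgumentException("Invalid syntax for username and password");
        }
        return new BasicCredentials(values[0], values[1]);
    }

    // Builds a header value from a constructed test credential.
    static String header(String user, String pass) {
        String token = Base64.getEncoder().encodeToString(
                (user + ":" + pass).getBytes(StandardCharsets.UTF_8));
        return "Basic " + token;
    }

    public static void main(String[] args) {
        String h = header("alice", "se:cr:et"); // password containing colons
        BasicCredentials ok = parse(h);
        BasicCredentials bad = parseWithSplit(h);
        System.out.println("indexOf: user=" + ok.username + " pass=" + ok.password);
        System.out.println("split  : user=" + bad.username + " pass=" + bad.password);

        // edge case: a password that is just ':' survives indexOf parsing
        BasicCredentials edge = parse(header("bob", ":"));
        System.out.println("edge   : user=" + edge.username + " pass=\"" + edge.password + "\"");
        try {
            parseWithSplit(header("bob", ":"));
        } catch (IllegalArgumentException e) {
            System.out.println("split rejects a ':' password: " + e.getMessage());
        }
    }
}
```

Running main() shows the two parsers agreeing on the username but disagreeing on the password: the indexOf version returns the full "se:cr:et", while the split version hands back only "se", so a user with a colon in their password is silently checked against a wrong value. The second case is why the length check in the split variant is not a safe substitute: "bob::".split(":") yields a single element, so that login is refused outright.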