[Jersey] Bug in SecurityFilter sample

From: Martynas Jusevičius <>
Date: Wed, 14 Aug 2013 17:57:49 +0300


I know it's just a sample, but many people might be using code derived
from it and be potentially exposed to this issue.

This code doesn't account for the fact that the HTTP Basic password might
itself contain colons, so there may be more colons in the
Base64-decoded string than the one separating username and password.
Currently split(":") is used, which is the root of the problem, and which
is the same as here:

My fix:

authentication = authentication.substring("Basic ".length());
authentication = Base64.base64Decode(authentication);
// Split at the first colon only: the user-id cannot contain a colon, but the password can.
int colonIndex = authentication.indexOf(":");
if (colonIndex < 0) {
   if (log.isDebugEnabled()) log.debug("Invalid syntax for username and password");
   throw new MappableContainerException(
       new AuthenticationException("Invalid syntax for username and password", REALM));
}

String username = authentication.substring(0, colonIndex);
String password = authentication.substring(colonIndex + 1);
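The first-colon parsing described above, as an added stand-alone example that is not part of the original post or of the Jersey sample: it uses java.util.Base64 instead of Jersey's Base64 helper and assumes UTF-8 credentials (both assumptions), and prints what split(":") would have produced next to the correct result.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;

public class BasicCredentialsDemo {

    /** Parsed user-id/password pair from an HTTP Basic Authorization header. */
    public static final class Credentials {
        public final String username;
        public final String password;
        Credentials(String username, String password) {
            this.username = username;
            this.password = password;
        }
    }

    /**
     * Parses "Basic <base64>" by splitting the decoded string at the FIRST colon only.
     * RFC 7617 forbids colons in the user-id, so everything after the first colon is
     * the password, colons included. Returns null on any syntax problem.
     */
    public static Credentials parse(String authorizationHeader) {
        if (authorizationHeader == null || !authorizationHeader.startsWith("Basic ")) {
            return null;
        }
        String decoded;
        try {
            byte[] raw = Base64.getDecoder().decode(authorizationHeader.substring("Basic ".length()).trim());
            decoded = new String(raw, StandardCharsets.UTF_8); // assumption: UTF-8 credentials
        } catch (IllegalArgumentException e) {
            return null; // malformed base64
        }
        int colonIndex = decoded.indexOf(':');
        if (colonIndex < 0) {
            return null; // no separator at all
        }
        return new Credentials(decoded.substring(0, colonIndex), decoded.substring(colonIndex + 1));
    }

    public static void main(String[] args) {
        // Constructed samples: "alice" has a password containing colons, "bob" has an empty password.
        for (String userPass : new String[] {"alice:p:ss:w0rd", "bob:"}) {
            String header = "Basic " + Base64.getEncoder().encodeToString(userPass.getBytes(StandardCharsets.UTF_8));
            Credentials c = parse(header);
            // split(":") truncates the first password and, because Java drops trailing empty
            // strings, leaves "bob:" with a single element so parts[1] would throw.
            String[] parts = userPass.split(":");
            System.out.printf("split(\":\") -> %s | indexOf -> user=%s password=%s%n",
                    Arrays.toString(parts), c.username, c.password);
        }
    }
}
```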