Uploaded image for project: 'WildFly Elytron'
  1. WildFly Elytron
  2. ELY-2308

Digest authentication fails for encoded queries

XMLWordPrintable

    • Hide

      In WildFly with user admin:admin

      1. Deploy https://github.com/wildfly/quickstart/tree/main/kitchensink
      2. curl -u admin:admin --digest "http://localhost:9990/management/deployment/kitchensink.war?operation=read-content&path=index.html&useStreamAsResponse" - 200 OK
      3. curl -u admin:admin --digest "http://localhost:9990/management/deployment/kitchensink.war?operation=read-content&path=WEB-INF%2Fbeans.xml&useStreamAsResponse" - 400 Bad Request
      Show
      In WildFly with user admin:admin Deploy https://github.com/wildfly/quickstart/tree/main/kitchensink curl -u admin:admin --digest "http://localhost:9990/management/deployment/kitchensink.war?operation=read-content&path=index.html&useStreamAsResponse" - 200 OK curl -u admin:admin --digest "http://localhost:9990/management/deployment/kitchensink.war?operation=read-content&path=WEB-INF%2Fbeans.xml&useStreamAsResponse" - 400 Bad Request

      An HTTP GET request with encoded query parameters secured by digest authentication fails. 

      The code in https://github.com/wildfly-security/wildfly-elytron/blob/1.x/http/digest/src/main/java/org/wildfly/security/http/digest/DigestAuthenticationMechanism.java#L285 compares the digest URI with the request URI and uses requestURI.getQuery() to append any query parameters. These query parameters are decoded and thus the string comparison fails. 

      Instead, I think the code should use requestURI.getRawQuery() which returns the encoded query parameters. 

            Unassigned Unassigned
            hpehl@redhat.com Harald Pehl
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

              Created:
              Updated:
              Resolved: