Loading...

XML

Word

Printable

Steps to Reproduce:
Hide

In WildFly with user admin:admin

Deploy https://github.com/wildfly/quickstart/tree/main/kitchensink

curl -u admin:admin --digest "http://localhost:9990/management/deployment/kitchensink.war?operation=read-content&path=index.html&useStreamAsResponse" - 200 OK

curl -u admin:admin --digest "http://localhost:9990/management/deployment/kitchensink.war?operation=read-content&path=WEB-INF%2Fbeans.xml&useStreamAsResponse" - 400 Bad Request
Show
In WildFly with user admin:admin Deploy https://github.com/wildfly/quickstart/tree/main/kitchensink curl -u admin:admin --digest "http://localhost:9990/management/deployment/kitchensink.war?operation=read-content&path=index.html&useStreamAsResponse" - 200 OK curl -u admin:admin --digest "http://localhost:9990/management/deployment/kitchensink.war?operation=read-content&path=WEB-INF%2Fbeans.xml&useStreamAsResponse" - 400 Bad Request
Git Pull Request:
https://github.com/wildfly-security/wildfly-elytron/pull/1675

An HTTP GET request with encoded query parameters secured by digest authentication fails.

The code in https://github.com/wildfly-security/wildfly-elytron/blob/1.x/http/digest/src/main/java/org/wildfly/security/http/digest/DigestAuthenticationMechanism.java#L285 compares the digest URI with the request URI and uses requestURI.getQuery() to append any query parameters. These query parameters are decoded and thus the string comparison fails.

Instead, I think the code should use requestURI.getRawQuery() which returns the encoded query parameters.

causes

HAL-1770 Content of Deployment is not displayed

is cloned by

JBEAP-23570 [GSS](7.4.z) ELY-2308 ELY-2315 - Digest authentication fails for encoded queries

is related to

ELY-2315 Digest authentication fails for encoded paths