
Digest authentication fails for encoded queries


Details


      In WildFly, with user admin:admin:

      1. Deploy https://github.com/wildfly/quickstart/tree/main/kitchensink
      2. curl -u admin:admin --digest "http://localhost:9990/management/deployment/kitchensink.war?operation=read-content&path=index.html&useStreamAsResponse" - 200 OK
      3. curl -u admin:admin --digest "http://localhost:9990/management/deployment/kitchensink.war?operation=read-content&path=WEB-INF%2Fbeans.xml&useStreamAsResponse" - 400 Bad Request

    Description

      An HTTP GET request with encoded query parameters secured by digest authentication fails.

      The code in https://github.com/wildfly-security/wildfly-elytron/blob/1.x/http/digest/src/main/java/org/wildfly/security/http/digest/DigestAuthenticationMechanism.java#L285 compares the digest URI with the request URI and uses requestURI.getQuery() to append any query parameters. These query parameters are decoded and thus the string comparison fails.

      Instead, I think the code should use requestURI.getRawQuery() which returns the encoded query parameters.
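      The mismatch described above can be reproduced in isolation with java.net.URI. The following is an added illustration, not code from WildFly Elytron: the helpers requestTarget and digestUriMatches, and the assumption that the server rebuilds "path?query" from the parsed request URI and compares it with the uri="..." directive the client sent, are simplifications for this example. The two request targets are taken from the curl commands in the reproduction steps.

```java
import java.net.URI;

/**
 * Added example (not WildFly Elytron code): the Digest "uri" directive carries the
 * request-target exactly as the client sent it, percent-encoding included. Rebuilding
 * the server-side value with URI.getQuery() yields a decoded string that no longer
 * matches when the query contained an encoded character; getRawQuery() preserves it.
 */
public class DigestUriCompare {

    // Rebuild "path?query" from the parsed request URI, using either the decoded
    // query (getQuery) or the raw, still-encoded query (getRawQuery).
    static String requestTarget(URI requestURI, boolean useRawQuery) {
        StringBuilder sb = new StringBuilder(requestURI.getRawPath());
        String query = useRawQuery ? requestURI.getRawQuery() : requestURI.getQuery();
        if (query != null) {
            sb.append('?').append(query);
        }
        return sb.toString();
    }

    // Assumed shape of the server-side check: the uri="..." directive from the
    // Authorization header must equal the request-target the server reconstructs.
    static boolean digestUriMatches(String digestUri, URI requestURI, boolean useRawQuery) {
        return digestUri.equals(requestTarget(requestURI, useRawQuery));
    }

    public static void main(String[] args) {
        // Request-targets from the two curl calls in the reproduction steps (constructed input).
        String plain = "/management/deployment/kitchensink.war"
                + "?operation=read-content&path=index.html&useStreamAsResponse";
        String encoded = "/management/deployment/kitchensink.war"
                + "?operation=read-content&path=WEB-INF%2Fbeans.xml&useStreamAsResponse";

        for (String target : new String[] { plain, encoded }) {
            URI requestURI = URI.create("http://localhost:9990" + target);
            // The client hashes the request-target as sent, so that exact string arrives in uri="...".
            String digestUri = target;

            System.out.println("digest uri    : " + digestUri);
            System.out.println("getQuery()    : " + requestTarget(requestURI, false)
                    + " -> match=" + digestUriMatches(digestUri, requestURI, false));
            System.out.println("getRawQuery() : " + requestTarget(requestURI, true)
                    + " -> match=" + digestUriMatches(digestUri, requestURI, true));
            System.out.println();
        }
    }
}
```

      Running this prints match=true for both variants on the plain request, but for the encoded request only the getRawQuery() reconstruction matches: getQuery() turns "WEB-INF%2Fbeans.xml" into "WEB-INF/beans.xml", so the equality check against the client's uri directive fails, which is what surfaces as the 400 Bad Request in step 3.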

      People

        Assignee: Unassigned
        Reporter: Harald Pehl (hpehl@redhat.com)
        Votes: 0
        Watchers: 3