JBoss Enterprise Application Platform / JBEAP-4696

OAuth 2.0 AuthenticationServerValve fails for user passwords containing colon character


    • Type: Bug
    • Resolution: Done
    • Priority: Major
    • Fix Version/s: 7.0.1.CR1, 7.0.1.GA
    • Component/s: REST
    • Affects Version/s: EAP 7.0.1

      Using the OAuthAuthenticationServerValve as described in http://docs.jboss.org/resteasy/docs/3.0.9.Final/userguide/html/oauth2.html#d4e1516 causes an authentication error when a user's password contains a : character.

      This is due to the following code in basicAuth():

            String[] creds = BasicAuthHelper.parseHeader(authHeader);
      [...]
            String username = creds[0];
            String password = creds[1];
            GenericPrincipal gp = (GenericPrincipal) context.getRealm().authenticate(username, password);
      

      BasicAuthHelper.parseHeader() just splits the header string by ':' (after base64-decoding). If the user's password contains a ':' character, the returned String array contains more than 2 entries, with the password split across multiple strings. The code fragment above only uses creds[1] as the user's password, thus discarding part of the password sent in the HTTP header.

      I've observed this in 3.0.9.Final - looking at the code, this appears to be an issue in subsequent releases, too.
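      The following is an added illustration, not code from RESTEasy or from the reporter: a stand-in for the split-on-every-colon parsing described above next to a variant that splits on the first ':' only, which is what RFC 7617 permits because a user-id may not contain ':' while a password may. The class and method names are hypothetical; only the behaviour (Basic header, base64-decode, split) follows the issue text.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class BasicAuthColonDemo {

    // Stand-in for the behaviour the issue describes: split the decoded
    // "user:password" string on EVERY ':'. A password such as "pa:ss:word"
    // yields four parts, and a caller that reads creds[1] gets only "pa".
    // Hypothetical re-implementation, not RESTEasy's BasicAuthHelper.
    static String[] parseHeaderSplittingOnEveryColon(String authHeader) {
        String encoded = authHeader.substring("Basic ".length()).trim();
        String decoded = new String(Base64.getDecoder().decode(encoded), StandardCharsets.UTF_8);
        return decoded.split(":");
    }

    // Corrected variant: split on the FIRST ':' only, so everything after it
    // (colons included) is returned verbatim as the password.
    // Returns null for a missing scheme, undecodable base64, or no separator,
    // so the caller can reject the request instead of authenticating garbage.
    static String[] parseHeaderOnFirstColon(String authHeader) {
        if (authHeader == null || !authHeader.regionMatches(true, 0, "Basic ", 0, 6)) {
            return null;
        }
        String encoded = authHeader.substring(6).trim();
        byte[] raw;
        try {
            raw = Base64.getDecoder().decode(encoded);
        } catch (IllegalArgumentException e) {
            return null;
        }
        String decoded = new String(raw, StandardCharsets.UTF_8);
        int sep = decoded.indexOf(':');
        if (sep < 0) {
            return null;
        }
        return new String[] { decoded.substring(0, sep), decoded.substring(sep + 1) };
    }

    // Builds the Authorization header a client would send (constructed sample input).
    static String basicHeader(String user, String password) {
        String pair = user + ":" + password;
        return "Basic " + Base64.getEncoder().encodeToString(pair.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        // Constructed sample credentials; the password deliberately contains colons.
        String header = basicHeader("alice", "pa:ss:word");

        String[] buggy = parseHeaderSplittingOnEveryColon(header);
        System.out.println("split on every ':' -> " + buggy.length
                + " parts, creds[1] = \"" + buggy[1] + "\"");

        String[] fixed = parseHeaderOnFirstColon(header);
        System.out.println("split on first ':' -> user = \"" + fixed[0]
                + "\", password = \"" + fixed[1] + "\"");
    }
}
```

      Running the class shows the difference directly: the first parser reports four parts and a truncated password of "pa", so the realm lookup in basicAuth() would be handed the wrong secret and fail; the second returns "alice" and the full "pa:ss:word". Whichever implementation a valve uses, a quick regression check is to authenticate with a password containing ':' and confirm it is accepted.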

            Assignee: Ronald Sigal (rsigal@redhat.com)
            Reporter: Martin Maierhofer (mma_jira, Inactive)