Details
-
Bug
-
Resolution: Done
-
Major
-
3.0.9.Final
-
None
Description
Using the OAuthAuthenticationServerValve as described in http://docs.jboss.org/resteasy/docs/3.0.9.Final/userguide/html/oauth2.html#d4e1516 causes an authentication error when a user's password contains a : character.
This is due to the following code in basicAuth():
String[] creds = BasicAuthHelper.parseHeader(authHeader); [...] String username = creds[0]; String password = creds[1]; GenericPrincipal gp = (GenericPrincipal) context.getRealm().authenticate(username, password);
BasicAuthHelper.parseHeader() just splits the header string by ':' (after base64-decoding). If the user's password contains a ':' character, the returned String array contains more then 2 entries, with the password split across multiple strings. The code fragement above only uses creds[1] as the user's password, thus discarding part of the password sent as HTTP header.
I've observed this in 3.0.9.Final - looking at the code, this appears to be an issue in subsequent releases, too.
Attachments
Issue Links
- is cloned by
-
-
- Closed
-
