WildFly Core / WFCORE-1040

Digest authentication mechanism unable to parse headers where username terminated with trailing '\'


    • Type: Bug
    • Resolution: Done
    • Priority: Critical
    • 2.0.0.CR9
    • 2.0.0.CR5
    • Components: Management, Security

      1. Create users.properties file with content:

      backslash\\=password
      backslash\\inthemiddle=password
      

      2. Add the following security realm to standalone.xml (replace PATH_TO_USERS_PROPERTIES with the path to the users.properties file):

      <security-realm name="delimiters-test">
          <authentication>
              <properties path="PATH_TO_USERS_PROPERTIES" plain-text="true"/>
          </authentication>
      </security-realm>
      

      3. Set the "delimiters-test" security realm on the http-interface:

      <http-interface security-realm="delimiters-test" http-upgrade-enabled="true">
      

      4. Start the server and access the page http://localhost:9990/management?operation=attribute&name=server-state

      Username: backslash\inthemiddle
      Password: password
      -> works fine, a page with the text "running" is displayed

      Username: backslash\
      Password: password
      -> does not work, a 401 HTTP status code is returned


      When the username ends with a backslash, properties authentication in the security realm does not work. It works correctly when the backslash is in the middle of the username.

      The following exception is thrown:

      java.lang.IllegalArgumentException: UT000025: Unexpected token 'delimiters-test", nonce' within header.
      	at io.undertow.util.HeaderTokenParser.parseHeader(HeaderTokenParser.java:68)
      	at io.undertow.security.impl.DigestAuthorizationToken.parseHeader(DigestAuthorizationToken.java:79)
      	at io.undertow.security.impl.DigestAuthenticationMechanism.authenticate(DigestAuthenticationMechanism.java:156)
      	at org.jboss.as.domain.http.server.security.AuthenticationMechanismWrapper.authenticate(AuthenticationMechanismWrapper.java:52)
      	at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:233)
      	at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:250)
      	at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:219)
      	at io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:121)
      	at io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:96)
      	at io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:89)
      	at io.undertow.security.handlers.AuthenticationCallHandler.handleRequest(AuthenticationCallHandler.java:50)
      	at io.undertow.server.Connectors.executeRootHandler(Connectors.java:198)
      	at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:784)
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
      	at java.lang.Thread.run(Thread.java:745)
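
The quoted exception is consistent with how the quoted-string in the Digest Authorization header was read: if the trailing backslash of `backslash\` arrives unescaped and the parser treats `\"` as an escaped quote, the closing quote of the username is swallowed, the value runs on into `realm=`, and the leftover text `delimiters-test", nonce` surfaces as the "unexpected token". The script below is an added example written for this issue, not Undertow's or WildFly's code; the header strings are constructed, the function names `parse_digest_params`, `parse_error` and `quote_param` are hypothetical, and the lenient escaping rule (only `\"` is an escape) is an assumption chosen because it reproduces the exact message from the stack trace. The strict rule is the RFC 7230 quoted-pair rule, under which a client must send a literal backslash as `\\`.

```python
"""
Parser for the parameter list of an HTTP Digest Authorization header,
written to show the quoting problem behind WFCORE-1040.
Added example, not Undertow's or WildFly's code; all header values are
constructed for the demonstration.
"""
import re

# RFC 7230 tchar set: what may appear in an unquoted token or a parameter name.
TOKEN_CHARS = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")

# Constructed headers, trimmed to the parameters that matter here.
MIDDLE_RAW = r'Digest username="backslash\inthemiddle", realm="delimiters-test", nonce="n1"'
TRAILING_UNESCAPED = r'Digest username="backslash\", realm="delimiters-test", nonce="n1"'
TRAILING_ESCAPED = r'Digest username="backslash\\", realm="delimiters-test", nonce="n1"'


def parse_digest_params(header: str, strict_quoted_pair: bool = True) -> dict:
    """Parse 'Digest k=v, k="v", ...' into a dict of parameter -> value.

    strict_quoted_pair=True  : RFC 7230 quoted-pair rule, a backslash escapes
                               whatever follows it, so a literal backslash must
                               be sent as two backslashes inside a quoted-string.
    strict_quoted_pair=False : only backslash-quote is treated as an escaped
                               quote; any other backslash is kept literally.
                               Assumed lenient rule, chosen because it yields
                               exactly the error text quoted in the issue.
    """
    scheme, _, rest = header.partition(" ")
    if scheme != "Digest":
        raise ValueError("not a Digest Authorization header")
    params = {}
    i, n = 0, len(rest)
    while i < n:
        while i < n and rest[i] in " \t,":      # skip separators
            i += 1
        if i >= n:
            break
        m = TOKEN_CHARS.match(rest, i)
        j = m.end() if m else i
        while j < n and rest[j] == " ":
            j += 1
        if not m or j >= n or rest[j] != "=":
            # Not a 'name=' here: report whatever sits before the next '='.
            eq = rest.find("=", i)
            bad = rest[i:eq] if eq != -1 else rest[i:]
            raise ValueError(f"Unexpected token '{bad}' within header.")
        key = m.group(0)
        i = j + 1
        while i < n and rest[i] == " ":
            i += 1
        if i < n and rest[i] == '"':            # quoted-string value
            i += 1
            buf = []
            while True:
                if i >= n:
                    raise ValueError("unterminated quoted-string")
                c = rest[i]
                if c == "\\" and i + 1 < n and (strict_quoted_pair or rest[i + 1] == '"'):
                    buf.append(rest[i + 1])     # quoted-pair: next char taken literally
                    i += 2
                    continue
                if c == '"':
                    i += 1
                    break
                buf.append(c)
                i += 1
            params[key] = "".join(buf)
        else:                                   # bare token value
            m = TOKEN_CHARS.match(rest, i)
            params[key] = m.group(0) if m else ""
            i = m.end() if m else i
    return params


def parse_error(header: str, strict_quoted_pair: bool = True):
    """Return the parser's error message for a header, or None if it parses.
    A server should turn such a failure into a 400/401 response rather than
    let the exception escape, as the stack trace in the issue shows it did."""
    try:
        parse_digest_params(header, strict_quoted_pair)
        return None
    except ValueError as e:
        return str(e)


def quote_param(value: str) -> str:
    """Client-side counterpart (hypothetical helper): emit a quoted-string with
    backslash and double-quote escaped, so a strict parser round-trips any
    username, including one that ends in a backslash."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


if __name__ == "__main__":
    cases = [("middle", MIDDLE_RAW), ("trailing, unescaped", TRAILING_UNESCAPED),
             ("trailing, escaped", TRAILING_ESCAPED)]
    for name, hdr in cases:
        for strict in (False, True):
            err = parse_error(hdr, strict)
            shown = err or repr(parse_digest_params(hdr, strict)["username"])
            print(f"{name:20} {'strict ' if strict else 'lenient'} -> {shown}")
    print("escaped by client:", quote_param("backslash\\"))
```

Running it shows the same raw header `backslash\inthemiddle` decoding to two different usernames under the two rules, the unescaped trailing backslash failing under both with the issue's exact message, and the client-escaped form `backslash\\` parsing back to `backslash\`. The practical takeaways are that client and server must agree on quoted-pair escaping, and that a header the server cannot parse should be rejected with an HTTP error instead of an uncaught exception.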
      

              Darran Lofthouse (darran.lofthouse@redhat.com)
              Ondrej Lukas (olukas)