WildFly / WFLY-5561

Digest authentication mechanism unable to parse headers where username terminated with trailing '\'


    • Bug
    • Resolution: Done
    • Blocker
    • 10.0.0.CR5
    • 10.0.0.CR3
    • Security
    • None

      1. Create a users.properties file with the following content:

      backslash\\=password
      backslash\\inthemiddle=password
      

      2. Add the following security realm to standalone.xml (set the path to the users.properties file instead of PATH_TO_USERS_PROPERTIES):

      <security-realm name="delimiters-test">
          <authentication>
              <properties path="PATH_TO_USERS_PROPERTIES" plain-text="true"/>
          </authentication>
      </security-realm>
      

      3. Set the "delimiters-test" security realm for the http-interface:

      <http-interface security-realm="delimiters-test" http-upgrade-enabled="true">
      

      4. Start the server and access the page http://localhost:9990/management?operation=attribute&name=server-state

      Username: backslash\inthemiddle
      Password: password
      -> works fine, a page with the text "running" is displayed

      Username: backslash\
      Password: password
      -> does not work, HTTP status code 401 is returned


      When the username ends with a backslash, properties authentication in the security realm does not work. It works correctly when the backslash is in the middle of the username.

      The following exception is thrown:

      java.lang.IllegalArgumentException: UT000025: Unexpected token 'delimiters-test", nonce' within header.
      	at io.undertow.util.HeaderTokenParser.parseHeader(HeaderTokenParser.java:68)
      	at io.undertow.security.impl.DigestAuthorizationToken.parseHeader(DigestAuthorizationToken.java:79)
      	at io.undertow.security.impl.DigestAuthenticationMechanism.authenticate(DigestAuthenticationMechanism.java:156)
      	at org.jboss.as.domain.http.server.security.AuthenticationMechanismWrapper.authenticate(AuthenticationMechanismWrapper.java:52)
      	at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:233)
      	at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:250)
      	at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:219)
      	at io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:121)
      	at io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:96)
      	at io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:89)
      	at io.undertow.security.handlers.AuthenticationCallHandler.handleRequest(AuthenticationCallHandler.java:50)
      	at io.undertow.server.Connectors.executeRootHandler(Connectors.java:198)
      	at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:784)
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
      	at java.lang.Thread.run(Thread.java:745)
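      To make the "Unexpected token" in the trace above concrete, here is an added Python example of a parser for the parameter list of a Digest Authorization header. It is not Undertow or WildFly code, and the two parsing modes it offers are assumptions rather than the server's real rule: "rfc" decodes every backslash as an RFC 7230 quoted-pair, while "lenient" treats a backslash as an escape only when it directly precedes a double quote. Under the further assumption that the browser sent the username with the backslash unescaped, the lenient mode reproduces both observations on this issue (the mid-string backslash survives, the trailing one swallows the closing quote and the remainder starting at delimiters-test is reported as an unexpected token), and it also shows why no such heuristic can coexist with a client that escapes correctly. The function names, the realm string reused from the reproduction steps, and the nonce/response values are the example's own placeholders.

```python
"""Parse and build the parameter list of an HTTP Digest Authorization header.

Added example for WFLY-5561; not Undertow or WildFly code. Two parsing
modes are modelled, both assumptions rather than the real server's rule:
  "rfc"     - quoted-pair per RFC 7230: "\\x" decodes to "x" for any x
  "lenient" - a backslash is literal unless it directly precedes '"'
"""
import re
from typing import Dict

# RFC 7230 tchar set, used for parameter names and unquoted values
TOKEN_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


def parse_digest_params(header: str, mode: str = "rfc") -> Dict[str, str]:
    """Return the name -> value pairs of 'Digest a="b", c=d, ...'.

    Raises ValueError naming the unparsed remainder on malformed input.
    """
    if not header.startswith("Digest "):
        raise ValueError("not a Digest Authorization header")
    s = header[len("Digest "):]
    i, n = 0, len(s)
    params: Dict[str, str] = {}
    while i < n:
        while i < n and s[i] in " \t,":          # separators between params
            i += 1
        if i >= n:
            break
        m = TOKEN_RE.match(s, i)
        if not m or m.end() >= n or s[m.end()] != "=":
            raise ValueError(f"Unexpected token '{s[i:]}' within header")
        name = m.group().lower()
        i = m.end() + 1
        if i < n and s[i] == '"':                # quoted-string value
            i += 1
            buf = []
            while True:
                if i >= n:
                    raise ValueError("unterminated quoted-string")
                ch = s[i]
                if ch == "\\" and i + 1 < n and (mode == "rfc" or s[i + 1] == '"'):
                    buf.append(s[i + 1])         # quoted-pair: \x -> x
                    i += 2
                    continue
                i += 1
                if ch == '"':
                    break
                buf.append(ch)
            value = "".join(buf)
        else:                                    # token value, e.g. nc=00000001
            m = TOKEN_RE.match(s, i)
            if not m:
                raise ValueError(f"Unexpected token '{s[i:]}' within header")
            value = m.group()
            i = m.end()
        # only whitespace, a comma or the end of the header may follow a value
        while i < n and s[i] in " \t":
            i += 1
        if i < n and s[i] != ",":
            raise ValueError(f"Unexpected token '{s[i:]}' within header")
        params[name] = value
    return params


def _quote(value: str) -> str:
    """Encode a quoted-string, escaping backslash and quote as quoted-pairs."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_digest_header(username: str, realm: str, nonce: str, uri: str,
                        response: str) -> str:
    """Client side: the RFC-conformant way to send a name containing backslashes."""
    fields = [("username", username), ("realm", realm), ("nonce", nonce),
              ("uri", uri), ("response", response)]
    return "Digest " + ", ".join(f"{k}={_quote(v)}" for k, v in fields)


# Constructed headers modelling a client that does NOT escape backslashes.
# nonce and response are placeholder strings, not real Digest values.
RAW_MIDDLE = ('Digest username="backslash\\inthemiddle", realm="delimiters-test", '
              'nonce="n1", uri="/management", response="r"')
RAW_TRAILING = ('Digest username="backslash\\", realm="delimiters-test", '
                'nonce="n1", uri="/management", response="r"')
# The same trailing-backslash user, sent by a client that escapes correctly.
ESCAPED_TRAILING = build_digest_header("backslash\\", "delimiters-test", "n1",
                                       "/management", "r")


def username_or_error(header: str, mode: str) -> str:
    """Parsed username, or the parser's error text prefixed with 'ERROR: '."""
    try:
        return parse_digest_params(header, mode)["username"]
    except ValueError as e:
        return f"ERROR: {e}"


if __name__ == "__main__":
    for label, h in [("raw middle", RAW_MIDDLE), ("raw trailing", RAW_TRAILING),
                     ("escaped trailing", ESCAPED_TRAILING)]:
        for mode in ("lenient", "rfc"):
            print(f"{label:17}{mode:8} -> {username_or_error(h, mode)}")
```

      Running the script shows the shape of the problem: in lenient mode the raw mid-string backslash parses as sent, the raw trailing backslash escapes the closing quote and the parser trips on `delimiters-test", nonce ...`, exactly the token in the stack trace, while the correctly escaped header fails in lenient mode but parses to `backslash\` in RFC mode. In RFC mode the raw mid-string case parses to `backslashinthemiddle` with the backslash consumed, so it would no longer match the properties entry. A server cannot tell an escaping client from a non-escaping one by the quote-before-separator heuristic alone, which is why the robust position is strict quoted-pair decoding on the server plus a rejection (rather than an unhandled exception) of a quoted-string that runs past its parameter.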
      

              darran.lofthouse@redhat.com Darran Lofthouse