
Commit 8234a82

committed
Reject BASIC auth with empty user name
1 parent 5593085 commit 8234a82

4 files changed

Lines changed: 8 additions & 3 deletions


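--- a/java/org/apache/catalina/authenticator/BasicAuthenticator.java
+++ b/java/org/apache/catalina/authenticator/BasicAuthenticator.java
@@ -243,6 +243,8 @@ private void parseCredentials(byte[] decoded) throws IllegalArgumentException {
 // Null password is not allowed according to RFC 7617
 if (colon < 0) {
 throw new IllegalArgumentException(sm.getString("basicAuthenticator.noColon"));
+} else if (colon == 0) {
+throw new IllegalArgumentException(sm.getString("basicAuthenticator.emptyUsername"));
 } else {
 username = new String(decoded, 0, colon, charset);
 password = new String(decoded, colon + 1, decoded.length - colon - 1, charset);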
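Review bot: The comment heading this chain, `// Null password is not allowed according to RFC 7617`, describes only the `colon < 0` branch, so the new `colon == 0` rejection reads as if it were also a password rule; I would widen it to `// RFC 7617 requires the colon (no null password); RFC 7613 forbids an empty user name` so each rejection is attributed to its own requirement. The new `basicAuthenticator.emptyUsername` message added in LocalStrings.properties and the changelog entry both cite RFC 7613, which as far as I recall has been obsoleted by RFC 8265 with the non-empty user-name rule carried over, so the current document may be the better citation. The rejection is raised before any username or password string is materialised, which keeps the error path free of credential material. parseCredentials starts and ends outside the hunk.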

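--- a/java/org/apache/catalina/authenticator/LocalStrings.properties
+++ b/java/org/apache/catalina/authenticator/LocalStrings.properties
@@ -39,6 +39,7 @@ authenticator.unauthorized=Cannot authenticate with the provided credentials
 authenticator.userDataPermissionFail=User data does not comply with the constraints of the resource
 authenticator.userPermissionFail=User [{0}] does not have authorization to access the resource
 
+basicAuthenticator.emptyUsername=RFC 7613 does not permit empty user names
 basicAuthenticator.invalidAuthorization=Invalid Authorization header
 basicAuthenticator.invalidCharset=The only permitted values are null, the empty string or UTF-8
 basicAuthenticator.noColon=Basic Authorization credentials do not contain a colon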

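--- a/test/org/apache/catalina/authenticator/TestBasicAuthParser.java
+++ b/test/org/apache/catalina/authenticator/TestBasicAuthParser.java
@@ -165,14 +165,12 @@ public void testWrongPassword() throws Exception {
 Assert.assertNotSame(PASSWORD, credentials.getPassword());
 }
 
-@Test
+@Test(expected = IllegalArgumentException.class)
 public void testMissingUsername() throws Exception {
 final String EMPTY_USER_NAME = "";
 final BasicAuthHeader AUTH_HEADER = new BasicAuthHeader(NICE_METHOD, EMPTY_USER_NAME, PASSWORD);
 BasicAuthenticator.BasicCredentials credentials =
 new BasicAuthenticator.BasicCredentials(AUTH_HEADER.getHeader(), StandardCharsets.UTF_8);
-Assert.assertEquals(EMPTY_USER_NAME, credentials.getUsername());
-Assert.assertEquals(PASSWORD, credentials.getPassword());
 }
 
 @Test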
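Review bot: `@Test(expected = IllegalArgumentException.class)` accepts an IllegalArgumentException thrown anywhere in testMissingUsername, including from the BasicAuthHeader constructor on the line before the parse, so the test no longer pins that the rejection comes from BasicCredentials parsing rather than from fixture setup. If the project's JUnit version provides it, replacing the now-unused `credentials` assignment with `Assert.assertThrows(IllegalArgumentException.class, () -> new BasicAuthenticator.BasicCredentials(AUTH_HEADER.getHeader(), StandardCharsets.UTF_8));` and dropping the `expected` attribute makes the asserted failure point explicit and removes the dead local. The preceding testWrongPassword body and the trailing `@Test` belong to methods that start or end outside the hunk.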

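--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -221,6 +221,10 @@
 Reject BASIC authorization with no password, to comply with RFC 7617
 strictly. (remm)
 </fix>
+<fix>
+Reject BASIC authorization with empty user names as required by RFC
+7613. (markt)
+</fix>
 <!-- Entries for backport and removal before 12.0.0-M1 below this line -->
 <fix>
 Avoid a race condition with concurrent lookups for a singleton JNDI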
