Skip to content

OAK-12259: oak-http: fix HTTP Basic credential parsing in OakServlet#2957

Closed
ciechanowiec wants to merge 1 commit into
apache:trunkfrom
ciechanowiec:OAK-12259/OAK-http-basic-auth-parsing
Closed

OAK-12259: oak-http: fix HTTP Basic credential parsing in OakServlet#2957
ciechanowiec wants to merge 1 commit into
apache:trunkfrom
ciechanowiec:OAK-12259/OAK-http-basic-auth-parsing

Conversation

@ciechanowiec

Copy link
Copy Markdown

Fixes OAK-12259.

Split the decoded Authorization header on the first colon only (RFC 7617)
so passwords containing colons are preserved instead of being silently
truncated, and reject missing/malformed headers with a LoginException
(mapped to HTTP 401) instead of throwing an ArrayIndexOutOfBoundsException
(HTTP 500). Adds OakServletTest covering the parsing behaviour.
Comment on lines +76 to +88
private static void assertUnauthorized(String authorization)
throws Exception {
ContentRepository repository = mock(ContentRepository.class);
HttpServletRequest request = mock(HttpServletRequest.class);
when(request.getHeader("Authorization")).thenReturn(authorization);
HttpServletResponse response = mock(HttpServletResponse.class);

new OakServlet(repository).service(request, response);

verify(response).setHeader("WWW-Authenticate", "Basic realm=\"Oak\"");
verify(response).sendError(HttpServletResponse.SC_UNAUTHORIZED);
verify(repository, never()).login(any(), any());
}

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nits : Move the helper method to the end of Test file.

if (colon < 0) {
throw new LoginException("Malformed Basic credentials: missing ':' separator");
}
String userId = decoded.substring(0, colon);

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Shouldn't we explicitly check for whether the username has a : or not, and throw an exception if it has ?

cc @anchela @Amoratinos @reschke

@rishabhdaim

Copy link
Copy Markdown
Contributor

If we are indeed following https://www.rfc-editor.org/info/rfc7617/, we should document that.

@Amoratinos @anchela wdyt ?

@reschke

reschke commented Jun 15, 2026

Copy link
Copy Markdown
Contributor

While at it, we should also handle the whitespace after "Basic" correctly (https://www.greenbytes.de/tech/specs/rfc7235.html#challenge.and.response), case sensitivity, decoding non-ASCII, invalid username/passwords.

For obvious reasons, I'll take this.

@reschke reschke self-assigned this Jun 15, 2026
@reschke reschke self-requested a review June 15, 2026 11:53

@reschke reschke left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

While at it, we should also handle the whitespace after "Basic" correctly (https://www.greenbytes.de/tech/specs/rfc7235.html#challenge.and.response), case sensitivity, decoding non-ASCII, invalid username/passwords.

For obvious reasons, I'll take this.

@reschke

reschke commented Jun 25, 2026

Copy link
Copy Markdown
Contributor

@ciechanowiec - idea:

  1. Refactor basic auth support into until class so it's easier to test
  2. Write tests (as mentioned above), of which many will be failing right now
  3. Fix bugs.

Do you want to give that a try, or should I take over (of course acking you)?

@ciechanowiec

Copy link
Copy Markdown
Author

@reschke , feel free to take over. I doubt I'll have the time/capacity to work on this issue in the foreseeable future.

@reschke reschke closed this Jul 1, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants