Cwikius-Spring/spring-security
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-security.git synced 2025-06-26 13:53:14 +00:00
Code Issues Packages Projects Releases Wiki Activity

ServerHttpBasicAuthenticationConverter Validates Scheme Name

Browse Source 
Fixes: gh-5414
This commit is contained in:
Rob Winch 2018-07-31 09:05:04 -05:00
parent e3d4d66917
commit 0c26d1b98a
2 changed files with 17 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
web/src/main/java/org/springframework/security/web/server/ServerHttpBasicAuthenticationConverter.java
View File

@ -41,7 +41,7 @@ public class ServerHttpBasicAuthenticationConverter implements Function<ServerWe
ServerHttpRequest request = exchange.getRequest(); ServerHttpRequest request = exchange.getRequest();
String authorization = request.getHeaders().getFirst(HttpHeaders.AUTHORIZATION); String authorization = request.getHeaders().getFirst(HttpHeaders.AUTHORIZATION);
if(authorization == null) { if(authorization == null || !authorization.toLowerCase().startsWith("basic ")) {
return Mono.empty(); return Mono.empty();
} }

16
web/src/test/java/org/springframework/security/web/server/ServerHttpBasicAuthenticationConverterTests.java
View File

@ -79,6 +79,22 @@ public class ServerHttpBasicAuthenticationConverterTests {
assertThat(authentication.getCredentials()).isEqualTo("password"); assertThat(authentication.getCredentials()).isEqualTo("password");
} }
@Test
public void applyWhenLowercaseSchemeThenAuthentication() {
Mono<Authentication> result = apply(this.request.header(HttpHeaders.AUTHORIZATION, "basic dXNlcjpwYXNzd29yZA=="));
UsernamePasswordAuthenticationToken authentication = result.cast(UsernamePasswordAuthenticationToken.class).block();
assertThat(authentication.getPrincipal()).isEqualTo("user");
assertThat(authentication.getCredentials()).isEqualTo("password");
}
@Test
public void applyWhenWrongSchemeThenAuthentication() {
Mono<Authentication> result = apply(this.request.header(HttpHeaders.AUTHORIZATION, "token dXNlcjpwYXNzd29yZA=="));
assertThat(result.block()).isNull();
}
private Mono<Authentication> apply(MockServerHttpRequest.BaseBuilder<?> request) { private Mono<Authentication> apply(MockServerHttpRequest.BaseBuilder<?> request) {
return this.converter.apply(MockServerWebExchange.from(this.request.build())); return this.converter.apply(MockServerWebExchange.from(this.request.build()));
} }