DigestAuthenticationFilter decodes nonce only once

Closes gh-8455
Alexey Markevich 2020-10-10 22:16:10 +03:00 committed by Joe Grandja
parent b51c18b37b
commit 3219fd554d
1 changed files with 3 additions and 2 deletions


@ -333,8 +333,9 @@ public class DigestAuthenticationFilter extends GenericFilterBean implements Mes
"Response realm name '{0}' does not match system realm name of '{1}'"));
}
// Check nonce was Base64 encoded (as sent by DigestAuthenticationEntryPoint)
final byte[] nonceBytes;
try {
Base64.getDecoder().decode(this.nonce.getBytes());
nonceBytes = Base64.getDecoder().decode(this.nonce.getBytes());
}
catch (IllegalArgumentException ex) {
throw new BadCredentialsException(
@ -343,7 +344,7 @@ public class DigestAuthenticationFilter extends GenericFilterBean implements Mes
}
// Decode nonce from Base64 format of nonce is: base64(expirationTime + ":" +
// md5Hex(expirationTime + ":" + key))
String nonceAsPlainText = new String(Base64.getDecoder().decode(this.nonce.getBytes()));
String nonceAsPlainText = new String(nonceBytes);
String[] nonceTokens = StringUtils.delimitedListToStringArray(nonceAsPlainText, ":");
if (nonceTokens.length != 2) {
throw new BadCredentialsException(DigestAuthenticationFilter.this.messages.getMessage(
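Review bot: `new String(nonceBytes)` in the second hunk and `this.nonce.getBytes()` in the first still use the platform default charset, so how the client-supplied nonce is turned into text depends on the JVM's `file.encoding` setting on Java versions before 18. The expected plaintext (`expirationTime + ":" + md5Hex(...)`) is pure ASCII, so an explicit charset makes the parse deterministic across deployments: `nonceBytes = Base64.getDecoder().decode(this.nonce.getBytes(StandardCharsets.UTF_8));` and `String nonceAsPlainText = new String(nonceBytes, StandardCharsets.UTF_8);`. This needs `java.nio.charset.StandardCharsets` in the imports, which are outside the hunks, as are the start and end of the enclosing method. The comment above the second changed line still reads "Decode nonce from Base64" although the decode now happens in the earlier `try` block; it could say `// Format of the decoded nonce is: base64(expirationTime + ":" + md5Hex(expirationTime + ":" + key))` instead.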