From 6df4dfe47bfece25436c8e1c552dddc36a2a42ef Mon Sep 17 00:00:00 2001
From: Tim Koopman
Date: Mon, 27 Aug 2018 10:07:09 +0800
Subject: [PATCH] Reactive HttpBasic Support For Coloned Passwords

This makes so that reactive httpBasic supports passwords containing one or more colons.
---
 .../server/ServerHttpBasicAuthenticationConverter.java | 2 +-
 .../ServerHttpBasicAuthenticationConverterTests.java | 9 +++++++++
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/web/src/main/java/org/springframework/security/web/server/ServerHttpBasicAuthenticationConverter.java b/web/src/main/java/org/springframework/security/web/server/ServerHttpBasicAuthenticationConverter.java
index ded4e7ce78..1881bfe41f 100644
--- a/web/src/main/java/org/springframework/security/web/server/ServerHttpBasicAuthenticationConverter.java
+++ b/web/src/main/java/org/springframework/security/web/server/ServerHttpBasicAuthenticationConverter.java
@@ -54,7 +54,7 @@ public class ServerHttpBasicAuthenticationConverter implements
 "" : authorization.substring(BASIC.length(), authorization.length());
 byte[] decodedCredentials = base64Decode(credentials);
 String decodedAuthz = new String(decodedCredentials);
-String[] userParts = decodedAuthz.split(":");
+String[] userParts = decodedAuthz.split(":", 2);
 
 if (userParts.length != 2) {
 return Mono.empty();
diff --git a/web/src/test/java/org/springframework/security/web/server/authentication/ServerHttpBasicAuthenticationConverterTests.java b/web/src/test/java/org/springframework/security/web/server/authentication/ServerHttpBasicAuthenticationConverterTests.java
index 654eae50f9..10b24a3a06 100644
--- a/web/src/test/java/org/springframework/security/web/server/authentication/ServerHttpBasicAuthenticationConverterTests.java
+++ b/web/src/test/java/org/springframework/security/web/server/authentication/ServerHttpBasicAuthenticationConverterTests.java
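Review bot: The new `decodedAuthz.split(":", 2)` is correct but silent about why the first colon is the right delimiter; a one-line comment would stop the next reader from "fixing" it back, e.g. `// RFC 7617: the user-id may not contain ':', so the first ':' always separates it from the password`. The adjacent context line `String decodedAuthz = new String(decodedCredentials);` still decodes the Base64 bytes with the platform default charset, so the same header can yield different username and password strings on different JVMs; `new String(decodedCredentials, StandardCharsets.UTF_8)` would make the parse deterministic, though that is outside the change itself. The enclosing method starts and ends outside the hunk (the hunk header names only the class).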
@@ -79,6 +79,15 @@ public class ServerHttpBasicAuthenticationConverterTests {
 assertThat(authentication.getCredentials()).isEqualTo("password");
 }
 
+@Test
+public void applyWhenUserPasswordHasColon() {
+Mono result = apply(this.request.header(HttpHeaders.AUTHORIZATION, "Basic dXNlcm5hbWU6cGFzczp3b3Jk"));
+
+UsernamePasswordAuthenticationToken authentication = result.cast(UsernamePasswordAuthenticationToken.class).block();
+assertThat(authentication.getPrincipal()).isEqualTo("user");
+assertThat(authentication.getCredentials()).isEqualTo("pass:word");
+}
+
 @Test
 public void applyWhenLowercaseSchemeThenAuthentication() {
 Mono result = apply(this.request.header(HttpHeaders.AUTHORIZATION, "basic dXNlcjpwYXNzd29yZA=="));
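Review bot: The fixture and the assertion in the added test disagree: `Basic dXNlcm5hbWU6cGFzczp3b3Jk` Base64-decodes to `username:pass:word`, so `assertThat(authentication.getPrincipal()).isEqualTo("user");` should fail while the credentials assertion passes. Either assert `isEqualTo("username")`, or change the header to one that encodes `user:pass:word` (constructed example: `"Basic dXNlcjpwYXNzOndvcmQ="`) so the test reads the same as its siblings. The method name would also match the file's convention as `applyWhenUserPasswordHasColonThenAuthentication`, mirroring `applyWhenLowercaseSchemeThenAuthentication` below it.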