Reactive HttpBasic Support For Coloned Passwords

This makes it so that reactive httpBasic supports passwords containing
one or more colons.
Tim Koopman 2018-08-27 10:07:09 +08:00 committed by Josh Cummings
parent 9e0f171d47
commit 6df4dfe47b
No known key found for this signature in database
GPG Key ID: 49EF60DD7FF83443
2 changed files with 10 additions and 1 deletions


@ -54,7 +54,7 @@ public class ServerHttpBasicAuthenticationConverter implements
"" : authorization.substring(BASIC.length(), authorization.length());
byte[] decodedCredentials = base64Decode(credentials);
String decodedAuthz = new String(decodedCredentials);
String[] userParts = decodedAuthz.split(":");
String[] userParts = decodedAuthz.split(":", 2);
if (userParts.length != 2) {
return Mono.empty();
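Review bot: With `split(":", 2)` a header that decodes to `user:` now produces two parts, the second an empty string, so the `userParts.length != 2` guard no longer returns `Mono.empty()` for it; the old `split(":")` dropped the trailing empty string and did return empty. An empty password is legal in Basic credentials, so this may be intended, but it is a behaviour change that the commit's test does not pin. I would add a test for the `user:` case and a comment above the split such as `// limit 2: only the first ':' separates user-id from password; the password may contain ':' or be empty`. The enclosing method starts and ends outside the hunk, so how the two parts are used afterwards is not visible here.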


@ -79,6 +79,15 @@ public class ServerHttpBasicAuthenticationConverterTests {
assertThat(authentication.getCredentials()).isEqualTo("password");
}
@Test
public void applyWhenUserPasswordHasColon() {
Mono<Authentication> result = apply(this.request.header(HttpHeaders.AUTHORIZATION, "Basic dXNlcm5hbWU6cGFzczp3b3Jk"));
UsernamePasswordAuthenticationToken authentication = result.cast(UsernamePasswordAuthenticationToken.class).block();
assertThat(authentication.getPrincipal()).isEqualTo("user");
assertThat(authentication.getCredentials()).isEqualTo("pass:word");
}
@Test
public void applyWhenLowercaseSchemeThenAuthentication() {
Mono<Authentication> result = apply(this.request.header(HttpHeaders.AUTHORIZATION, "basic dXNlcjpwYXNzd29yZA=="));
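Review bot: The header literal in `applyWhenUserPasswordHasColon` does not match its principal assertion as shown here: `dXNlcm5hbWU6cGFzczp3b3Jk` is Base64 for `username:pass:word`, so after the converter change the principal would be `username`, not `user`. Either change the assertion to `assertThat(authentication.getPrincipal()).isEqualTo("username");` or put the encoding of `user:pass:word` in the header so the test matches its neighbours. The password assertion `pass:word` is consistent with the literal. A short comment next to the header giving the decoded credentials would keep this kind of mismatch visible in review.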