Fix exception for empty basic auth header token

fixes spring-projectsgh-7976
Zeeshan Adnan 2020-03-13 02:32:19 +06:00 committed by Eleftheria Stein
parent 75f22285c6
commit a49a325db2
3 changed files with 28 additions and 0 deletions


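--- a/BasicAuthenticationConverter.java
+++ b/BasicAuthenticationConverter.java
@@ -87,6 +87,10 @@ public class BasicAuthenticationConverter implements AuthenticationConverter {
 return null;
 }
+if (header.equalsIgnoreCase(AUTHENTICATION_SCHEME_BASIC)) {
+throw new BadCredentialsException("Empty basic authentication token");
+}
 byte[] base64Token = header.substring(6).getBytes(StandardCharsets.UTF_8);
 byte[] decoded;
 try {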
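Review bot: The new guard on the first added line only rejects a scheme-only header because the header has already been trimmed — a raw `"Basic "` would not equal the scheme name — yet that trim is outside this hunk, so the dependence is invisible where the check sits; a comment such as `// header is trimmed above, so a scheme with no token is exactly the scheme name` would keep the two coupled. convert() also gains a new failure mode here, and its Javadoc (outside the hunk) presumably does not list it; add `@throws BadCredentialsException if the header carries only the scheme, or the token cannot be decoded` (the decode in the try block below appears to be the other source). The enclosing convert method starts before and ends after this hunk.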


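--- a/BasicAuthenticationConverterTests.java
+++ b/BasicAuthenticationConverterTests.java
@@ -111,4 +111,12 @@ public class BasicAuthenticationConverterTests {
 assertThat(authentication.getName()).isEqualTo("rod");
 assertThat(authentication.getCredentials()).isEqualTo("");
 }
+@Test(expected = BadCredentialsException.class)
+public void requestWhenEmptyBasicAuthorizationHeaderTokenThenError() {
+MockHttpServletRequest request = new MockHttpServletRequest();
+request.addHeader("Authorization", "Basic ");
+converter.convert(request);
+}
 }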
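Review bot: `@Test(expected = BadCredentialsException.class)` accepts the exception from any statement in the method, so a throw from the `addHeader` setup would also pass; scoping the expectation to the call under test is tighter, e.g. `assertThatThrownBy(() -> converter.convert(request)).isInstanceOf(BadCredentialsException.class);`, which can additionally pin the `"Empty basic authentication token"` message. The header used is `"Basic "` with a trailing space; a bare `"Basic"` header (the shorter input that `substring(6)` would otherwise reject) exercises the same branch and is worth a second case, here and in the BasicAuthenticationFilterTests hunk below.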


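--- a/BasicAuthenticationFilterTests.java
+++ b/BasicAuthenticationFilterTests.java
@@ -424,4 +424,20 @@ public class BasicAuthenticationFilterTests {
 assertThat(SecurityContextHolder.getContext().getAuthentication()).isNull();
 }
+@Test
+public void requestWhenEmptyBasicAuthorizationHeaderTokenThenUnauthorized() throws Exception {
+MockHttpServletRequest request = new MockHttpServletRequest();
+request.addHeader("Authorization", "Basic ");
+request.setServletPath("/some_file.html");
+request.setSession(new MockHttpSession());
+final MockHttpServletResponse response = new MockHttpServletResponse();
+FilterChain chain = mock(FilterChain.class);
+filter.doFilter(request, response, chain);
+verify(chain, never()).doFilter(any(ServletRequest.class),
+any(ServletResponse.class));
+assertThat(SecurityContextHolder.getContext().getAuthentication()).isNull();
+assertThat(response.getStatus()).isEqualTo(401);
+}
 }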
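Review bot: The test pins the 401 status but not which challenge produced it; if the filter's entry point in this fixture is the basic one (the setup is outside the hunk, so confirm), asserting the challenge header, e.g. `assertThat(response.getHeader("WWW-Authenticate")).startsWith("Basic realm=");`, would distinguish the expected basic challenge from any other 401 the filter could emit. Minor style: `response` is the only local declared `final` while `request` and `chain` are not; drop it or apply it uniformly.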