Make basic authentication scheme case-insensitive

Fixes: gh-7163
Eleftheria Stein 2019-07-29 16:30:03 -04:00
parent 8e6e975e86
commit b55322b2cb
3 changed files with 32 additions and 1 deletions


@ -30,6 +30,7 @@ import org.springframework.security.authentication.UsernamePasswordAuthenticatio
import org.springframework.security.web.authentication.AuthenticationConverter;
import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
import org.springframework.util.Assert;
import org.springframework.util.StringUtils;
/**
* Converts from a HttpServletRequest to
@ -83,7 +84,7 @@ public class BasicAuthenticationConverter implements AuthenticationConverter {
}
header = header.trim();
if (!header.startsWith(AUTHENTICATION_SCHEME_BASIC) && !header.startsWith(AUTHENTICATION_SCHEME_BASIC.toLowerCase())) {
if (!StringUtils.startsWithIgnoreCase(header, AUTHENTICATION_SCHEME_BASIC)) {
return null;
}
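Review bot: The relaxed check on the new `if` line matches any header whose first five letters spell `basic`, regardless of what follows, so a header such as `Basicfoo ...` or a bare `Basic` with no credentials now passes the scheme test and reaches whatever the method does next (the remainder of the method is outside this hunk). RFC 7235 §2.1 makes the auth-scheme token case-insensitive but requires whitespace between it and the credentials, so matching the delimiter as well, assuming AUTHENTICATION_SCHEME_BASIC is the bare scheme word, e.g. `if (!StringUtils.startsWithIgnoreCase(header, AUTHENTICATION_SCHEME_BASIC + " ")) {`, would reject those malformed headers before any decoding happens. A one-line comment on the check, `// RFC 7235 §2.1: the auth-scheme token is case-insensitive`, would also record why the old two-way comparison was replaced rather than extended.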


@ -61,6 +61,18 @@ public class BasicAuthenticationConverterTests {
assertThat(authentication.getName()).isEqualTo("rod");
}
@Test
public void requestWhenAuthorizationSchemeInMixedCaseThenAuthenticates() {
String token = "rod:koala";
MockHttpServletRequest request = new MockHttpServletRequest();
request.addHeader("Authorization", "BaSiC " + new String(Base64.encodeBase64(token.getBytes())));
UsernamePasswordAuthenticationToken authentication = converter.convert(request);
verify(authenticationDetailsSource).buildDetails(any());
assertThat(authentication).isNotNull();
assertThat(authentication.getName()).isEqualTo("rod");
}
@Test
public void testWhenUnsupportedAuthorizationHeaderThenIgnored() throws Exception {
MockHttpServletRequest request = new MockHttpServletRequest();
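Review bot: The new test requestWhenAuthorizationSchemeInMixedCaseThenAuthenticates asserts only the principal name, so it would still pass if the case-insensitive match shifted where the credentials are read from as long as the user name survived; adding `assertThat(authentication.getCredentials()).isEqualTo("koala");` pins that the whole token following the mixed-case scheme was decoded intact. The token is also built with `token.getBytes()` and `new String(...)` on the platform default charset; that is stable for this ASCII value, but `token.getBytes(StandardCharsets.UTF_8)` would keep the fixture independent of the JVM's default encoding if a non-ASCII credential is ever added.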


@ -176,6 +176,24 @@ public class BasicAuthenticationFilterTests {
.isEqualTo("rod");
}
@Test
public void doFilterWhenSchemeMixedCaseThenCaseInsensitiveMatchWorks() throws Exception {
String token = "rod:koala";
MockHttpServletRequest request = new MockHttpServletRequest();
request.addHeader("Authorization",
"BaSiC " + new String(Base64.encodeBase64(token.getBytes())));
request.setServletPath("/some_file.html");
assertThat(SecurityContextHolder.getContext().getAuthentication()).isNull();
FilterChain chain = mock(FilterChain.class);
filter.doFilter(request, new MockHttpServletResponse(), chain);
verify(chain).doFilter(any(ServletRequest.class), any(ServletResponse.class));
assertThat(SecurityContextHolder.getContext().getAuthentication()).isNotNull();
assertThat(SecurityContextHolder.getContext().getAuthentication().getName())
.isEqualTo("rod");
}
@Test
public void testOtherAuthorizationSchemeIsIgnored() throws Exception {