SEC-506: Fix as suggested by reporter. Split the disgest header string ignoring separating commas which occur between quotes.

core/src/main/java/org/acegisecurity/ui/digestauth/DigestProcessingFilter.java

@@ -105,7 +105,8 @@ public class DigestProcessingFilter implements Filter, InitializingBean, Message
         Assert.notNull(authenticationEntryPoint, "A DigestProcessingFilterEntryPoint is required");
     }
 
-    public void destroy() {}
+    public void destroy() {
+    }
 
     public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
             throws IOException, ServletException {
@@ -128,7 +129,7 @@ public class DigestProcessingFilter implements Filter, InitializingBean, Message
         if ((header != null) && header.startsWith("Digest ")) {
             String section212response = header.substring(7);
 
-            String[] headerEntries = StringUtils.commaDelimitedListToStringArray(section212response);
+            String[] headerEntries = StringSplitUtils.splitIgnoringQuotes(section212response, ',');
             Map headerMap = StringSplitUtils.splitEachArrayElementAndCreateMap(headerEntries, "=", "\"");
 
             String username = (String) headerMap.get("username");
@@ -361,9 +362,7 @@ public class DigestProcessingFilter implements Filter, InitializingBean, Message
      * @param nonce                  the nonce supplied by the server
      * @param nc                     the "nonce-count" as defined in RFC 2617.
      * @param cnonce                 opaque string supplied by the client when qop is set.
-     *
      * @return the MD5 of the digest authentication response, encoded in hex
-     *
      * @throws IllegalArgumentException if the supplied qop value is unsupported.
      */
     public static String generateDigest(boolean passwordAlreadyEncoded, String username, String realm, String password,
@@ -408,7 +407,8 @@ public class DigestProcessingFilter implements Filter, InitializingBean, Message
         return userDetailsService;
     }
 
-    public void init(FilterConfig ignored) throws ServletException {}
+    public void init(FilterConfig ignored) throws ServletException {
+    }
 
     public void setAuthenticationDetailsSource(AuthenticationDetailsSource authenticationDetailsSource) {
         Assert.notNull(authenticationDetailsSource, "AuthenticationDetailsSource required");

core/src/main/java/org/acegisecurity/util/StringSplitUtils.java

@@ -20,6 +20,8 @@ import org.springframework.util.StringUtils;
 
 import java.util.HashMap;
 import java.util.Map;
+import java.util.ArrayList;
+import java.util.List;
 
 
 /**
@@ -29,6 +31,9 @@ import java.util.Map;
  * @version $Id$
  */
 public final class StringSplitUtils {
+    //~ Static fields/initializers =====================================================================================
+    private static final String[] EMPTY_STRING_ARRAY = new String[0];
+
     //~ Constructors ===================================================================================================
 
     private StringSplitUtils() {
@@ -42,10 +47,8 @@ public final class StringSplitUtils {
      *
      * @param toSplit   the string to split
      * @param delimiter to split the string up with
-     *
      * @return a two element array with index 0 being before the delimiter, and index 1 being after the delimiter
      *         (neither element includes the delimiter)
-     *
      * @throws IllegalArgumentException if an argument was invalid
      */
     public static String[] split(String toSplit, String delimiter) {
@@ -78,7 +81,6 @@ public final class StringSplitUtils {
      * @param delimiter        to split each element using (typically the equals symbol)
      * @param removeCharacters one or more characters to remove from each element prior to attempting the split
      *                         operation (typically the quotation mark symbol) or <code>null</code> if no removal should occur
-     *
      * @return a <code>Map</code> representing the array contents, or <code>null</code> if the array to process was
      *         null or empty
      */
@@ -135,4 +137,58 @@ public final class StringSplitUtils {
         return str.substring(pos + separator.length());
     }
 
+    /**
+     * Splits a given string on the given separator character, skips the contents of quoted substrings
+     * when looking for separators.
+     * Introduced for use in DigestProcessingFilter (see SEC-506).
+     * <p/>
+     * This was copied and modified from commons-lang StringUtils
+     */
+    public static String[] splitIgnoringQuotes(String str, char separatorChar) {
+        if (str == null) {
+            return null;
+        }
+
+        int len = str.length();
+
+        if (len == 0) {
+            return EMPTY_STRING_ARRAY;
+        }
+
+        List list = new ArrayList();
+        int i = 0;
+        int start = 0;
+        boolean match = false;
+
+        while (i < len) {
+            if (str.charAt(i) == '"') {
+                i++;
+                while (i < len) {
+                    if (str.charAt(i) == '"') {
+                        i++;
+                        break;
+                    }
+                    i++;
+                }
+                match = true;
+                continue;
+            }
+            if (str.charAt(i) == separatorChar) {
+                if (match) {
+                    list.add(str.substring(start, i));
+                    match = false;
+                }
+                start = ++i;
+                continue;
+            }
+            match = true;
+            i++;
+        }
+        if (match) {
+            list.add(str.substring(start, i));
+        }
+
+        return (String[]) list.toArray(new String[list.size()]);
+    }
+
 }

core/src/test/java/org/acegisecurity/ui/digestauth/DigestProcessingFilterTests.java

@@ -62,14 +62,16 @@ public class DigestProcessingFilterTests extends MockObjectTestCase {
 
     private static final String NC = "00000002";
     private static final String CNONCE = "c822c727a648aba7";
-    private static final String REALM = "The Correct Realm Name";
+    private static final String REALM = "The Actual, Correct Realm Name";
     private static final String KEY = "acegi";
     private static final String QOP = "auth";
-    private static final String USERNAME = "marissa";
+    private static final String USERNAME = "marissa,ok";
     private static final String PASSWORD = "koala";
     private static final String REQUEST_URI = "/some_file.html";
 
-    /** A standard valid nonce with a validity period of 60 seconds */
+    /**
+     * A standard valid nonce with a validity period of 60 seconds
+     */
     private static final String NONCE = generateNonce(60);
 
     //~ Instance fields ================================================================================================
@@ -80,7 +82,8 @@ public class DigestProcessingFilterTests extends MockObjectTestCase {
 
     //~ Constructors ===================================================================================================
 
-    public DigestProcessingFilterTests() {}
+    public DigestProcessingFilterTests() {
+    }
 
     public DigestProcessingFilterTests(String arg0) {
         super(arg0);
@@ -118,10 +121,6 @@ public class DigestProcessingFilterTests extends MockObjectTestCase {
         return new String(Base64.encodeBase64(nonceValue.getBytes()));
     }
 
-    public static void main(String[] args) {
-        junit.textui.TestRunner.run(DigestProcessingFilterTests.class);
-    }
-
     protected void setUp() throws Exception {
         super.setUp();
         SecurityContextHolder.clearContext();
@@ -129,7 +128,7 @@ public class DigestProcessingFilterTests extends MockObjectTestCase {
         // Create User Details Service
         InMemoryDaoImpl dao = new InMemoryDaoImpl();
         UserMapEditor editor = new UserMapEditor();
-        editor.setAsText("marissa=koala,ROLE_ONE,ROLE_TWO,enabled\r\n");
+        editor.setAsText("marissa,ok=koala,ROLE_ONE,ROLE_TWO,enabled\r\n");
         dao.setUserMap((UserMap) editor.getValue());
 
         DigestProcessingFilterEntryPoint ep = new DigestProcessingFilterEntryPoint();

core/src/test/java/org/acegisecurity/util/StringSplitUtilsTests.java

@@ -32,6 +32,7 @@ public class StringSplitUtilsTests extends TestCase {
     //~ Constructors ===================================================================================================
 
     // ===========================================================
+
     public StringSplitUtilsTests() {
         super();
     }
@@ -43,6 +44,7 @@ public class StringSplitUtilsTests extends TestCase {
     //~ Methods ========================================================================================================
 
     // ================================================================
+
     public static void main(String[] args) {
         junit.textui.TestRunner.run(StringSplitUtilsTests.class);
     }
@@ -137,4 +139,14 @@ public class StringSplitUtilsTests extends TestCase {
         // only guarantees to split at FIRST delimiter, not EACH delimiter
         assertEquals(2, StringSplitUtils.split("18|marissa|foo|bar", "|").length);
     }
+
+
+    public void testAuthorizationHeaderWithCommasIsSplitCorrectly() {
+        String header = "Digest username=\"hamilton,bob\", realm=\"bobs,ok,realm\", nonce=\"the,nonce\", " +
+                "uri=\"the,Uri\", response=\"the,response,Digest\", qop=theqop, nc=thenc, cnonce=\"the,cnonce\"";
+
+        String[] parts = StringSplitUtils.splitIgnoringQuotes(header, ',');
+
+        assertEquals(8, parts.length);
+    }
 }