SEC-1285: minor vulnerability in BasicProcessingFilter. Changed logging of Basic authentication information.

Luke Taylor 2009-11-17 15:29:07 +00:00
parent afdd80235c
commit d84542cf88
1 changed files with 9 additions and 8 deletions


@ -109,15 +109,12 @@ public class BasicAuthenticationFilter extends GenericFilterBean {
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
throws IOException, ServletException {
HttpServletRequest request = (HttpServletRequest) req;
HttpServletResponse response = (HttpServletResponse) res;
final boolean debug = logger.isDebugEnabled();
final HttpServletRequest request = (HttpServletRequest) req;
final HttpServletResponse response = (HttpServletResponse) res;
String header = request.getHeader("Authorization");
if (logger.isDebugEnabled()) {
logger.debug("Authorization header: " + header);
}
if ((header != null) && header.startsWith("Basic ")) {
byte[] base64Token = header.substring(6).getBytes("UTF-8");
String token = new String(Base64.decodeBase64(base64Token), getCredentialsCharset(request));
@ -131,6 +128,10 @@ public class BasicAuthenticationFilter extends GenericFilterBean {
password = token.substring(delim + 1);
}
if (debug) {
logger.debug("Basic Authentication Authorization header found for user '" + username + "'");
}
if (authenticationIsRequired(username)) {
UsernamePasswordAuthenticationToken authRequest =
new UsernamePasswordAuthenticationToken(username, password);
@ -142,7 +143,7 @@ public class BasicAuthenticationFilter extends GenericFilterBean {
authResult = authenticationManager.authenticate(authRequest);
} catch (AuthenticationException failed) {
// Authentication failed
if (logger.isDebugEnabled()) {
if (debug) {
logger.debug("Authentication request for user: " + username + " failed: " + failed.toString());
}
@ -162,7 +163,7 @@ public class BasicAuthenticationFilter extends GenericFilterBean {
}
// Authentication success
if (logger.isDebugEnabled()) {
if (debug) {
logger.debug("Authentication success: " + authResult.toString());
}
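Review bot: The success path in the last hunk still logs `authResult.toString()`, so whether credentials stay out of the debug log now depends on the token class's toString() rather than on this filter; the same holds for `failed.toString()` in the third hunk, whose message content is decided elsewhere. Logging only the principal keeps the fix local to this class: `logger.debug("Authentication success for user '" + authResult.getName() + "'");`. The username echoed at debug level in the second hunk comes straight from the decoded header, so it can carry anything the client sent, including line breaks; a comment such as `// username is client-supplied and written verbatim to the debug log` would make that visible to the next maintainer. doFilter continues past the last hunk, and the rendered page appears to drop blank lines, so the hunk boundaries shown here are approximate.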