BasicAuthenticationFilter case insenstive

Fixes: gh-5586
Rob Winch 2018-07-31 09:00:34 -05:00
parent 2cd2bab818
commit e3d4d66917
2 changed files with 21 additions and 1 deletions


@ -154,7 +154,7 @@ public class BasicAuthenticationFilter extends OncePerRequestFilter {
String header = request.getHeader("Authorization");
if (header == null || !header.startsWith("Basic ")) {
if (header == null || !header.toLowerCase().startsWith("basic ")) {
chain.doFilter(request, response);
return;
}
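Review bot: `header.toLowerCase()` in the scheme check uses the JVM's default locale, so under a Turkish or Azeri default locale an upper-case `BASIC ` header lowercases with a dotless ı and fails `startsWith("basic ")`; the filter then calls `chain.doFilter` without attempting authentication, which makes credential handling depend on the deployment locale. A locale-independent comparison avoids this and also avoids copying the whole header value: `if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) {`, or `header.toLowerCase(Locale.ROOT)` if the lowercase form is preferred. The enclosing method starts and ends outside this hunk, so it is worth confirming that the later credential extraction does not itself rely on the exact `Basic ` spelling.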


@ -156,6 +156,26 @@ public class BasicAuthenticationFilterTests {
.isEqualTo("rod");
}
// gh-5586
@Test
public void doFilterWhenSchemeLowercaseThenCaseInsensitveMatchWorks() throws Exception {
String token = "rod:koala";
MockHttpServletRequest request = new MockHttpServletRequest();
request.addHeader("Authorization",
"basic " + new String(Base64.encodeBase64(token.getBytes())));
request.setServletPath("/some_file.html");
// Test
assertThat(SecurityContextHolder.getContext().getAuthentication()).isNull();
FilterChain chain = mock(FilterChain.class);
filter.doFilter(request, new MockHttpServletResponse(), chain);
verify(chain).doFilter(any(ServletRequest.class), any(ServletResponse.class));
assertThat(SecurityContextHolder.getContext().getAuthentication()).isNotNull();
assertThat(SecurityContextHolder.getContext().getAuthentication().getName())
.isEqualTo("rod");
}
@Test
public void testOtherAuthorizationSchemeIsIgnored() throws Exception {
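Review bot: The new test exercises only the all-lowercase spelling `basic`, so it does not pin the case-insensitive behaviour for `BASIC` or a mixed-case scheme such as `BaSiC`; a companion case with an upper-case scheme would also surface any locale-sensitive lowercasing in the filter. `token.getBytes()` and `new String(...)` where the header is built use the platform charset, and `token.getBytes(StandardCharsets.UTF_8)` with the matching `new String(..., StandardCharsets.UTF_8)` would keep the test independent of the build machine's default. testOtherAuthorizationSchemeIsIgnored begins in the trailing context lines and its body is outside the hunk.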