From b7b567d86d0f297b3e38a166ac738f1fd84df474 Mon Sep 17 00:00:00 2001
From: Greg Wilkins
Date: Tue, 20 Sep 2011 17:16:58 +1000
Subject: [PATCH] 353627 Basic Auth checks that Basic method has been send
---
.../jetty/embedded/SecuredHelloHandler.java | 3 +-
.../authentication/BasicAuthenticator.java | 32 ++++++++++++-------
.../authentication/DigestAuthenticator.java | 2 +-
.../jetty/security/ConstraintTest.java | 30 ++++++++---------
4 files changed, 37 insertions(+), 30 deletions(-)
diff --git a/example-jetty-embedded/src/main/java/org/eclipse/jetty/embedded/SecuredHelloHandler.java b/example-jetty-embedded/src/main/java/org/eclipse/jetty/embedded/SecuredHelloHandler.java
index 5d2547e3f1b..33c00e7a69b 100644
--- a/example-jetty-embedded/src/main/java/org/eclipse/jetty/embedded/SecuredHelloHandler.java
+++ b/example-jetty-embedded/src/main/java/org/eclipse/jetty/embedded/SecuredHelloHandler.java
@@ -23,7 +23,6 @@ import org.eclipse.jetty.security.ConstraintSecurityHandler; import org.eclipse.jetty.security.HashLoginService; import org.eclipse.jetty.security.LoginService; import org.eclipse.jetty.security.authentication.BasicAuthenticator; -import org.eclipse.jetty.security.authentication.DigestAuthenticator; import org.eclipse.jetty.server.Server; public class SecuredHelloHandler
@@ -52,7 +51,7 @@ public class SecuredHelloHandler knownRoles.add("admin"); security.setConstraintMappings(Collections.singletonList(mapping), knownRoles); - security.setAuthenticator(new DigestAuthenticator()); + security.setAuthenticator(new BasicAuthenticator()); security.setLoginService(loginService); security.setStrict(false);
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/BasicAuthenticator.java b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/BasicAuthenticator.java
index e680644609f..372f9b63ea0 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/BasicAuthenticator.java
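Review bot: The example now installs `new BasicAuthenticator()` in place of Digest, and nothing in the hunk tells a reader that Basic transmits the username and password merely base64-encoded, so the sample is only safe when the server is reached over TLS. A one-line comment on the `security.setAuthenticator(new BasicAuthenticator());` line, e.g. `// Basic auth sends credentials base64-encoded, not encrypted: pair it with a TLS-enabled connector in real deployments`, would keep people who copy this example from running it over plain HTTP without realising the consequence. The enclosing `main` method starts and ends outside the hunk.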
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/BasicAuthenticator.java
@@ -65,20 +65,28 @@ public class BasicAuthenticator extends LoginAuthenticator return _deferred; if (credentials != null) - { - credentials = credentials.substring(credentials.indexOf(' ')+1); - credentials = B64Code.decode(credentials,StringUtil.__ISO_8859_1); - int i = credentials.indexOf(':'); - if (i>0) + { + int space=credentials.indexOf(' '); + if (space>0) { - String username = credentials.substring(0,i); - String password = credentials.substring(i+1); - - UserIdentity user = _loginService.login(username,password); - if (user!=null) + String method=credentials.substring(0,space); + if ("basic".equalsIgnoreCase(method)) { - renewSessionOnAuthentication(request,response); - return new UserAuthentication(getAuthMethod(),user); + credentials = credentials.substring(space+1); + credentials = B64Code.decode(credentials,StringUtil.__ISO_8859_1); + int i = credentials.indexOf(':'); + if (i>0) + { + String username = credentials.substring(0,i); + String password = credentials.substring(i+1); + + UserIdentity user = _loginService.login(username,password); + if (user!=null) + { + renewSessionOnAuthentication(request,response); + return new UserAuthentication(getAuthMethod(),user); + } + } } } }
diff --git a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/DigestAuthenticator.java b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/DigestAuthenticator.java
index ee9f5625aeb..ac4ebe2ea30 100644
--- a/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/DigestAuthenticator.java
+++ b/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/DigestAuthenticator.java
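Review bot: Once the scheme check passes, `credentials = B64Code.decode(credentials,StringUtil.__ISO_8859_1);` still runs unguarded on everything after the first space, so a value that is not valid base64 (or carries extra tokens) goes straight to the decoder; if `B64Code.decode` throws on malformed input — its contract is not visible from here — such a header ends in an unhandled exception instead of the 401 challenge that a non-basic scheme now gets, which is worth confirming with a test before merging. The scheme test itself is right (`"basic".equalsIgnoreCase(method)`, since auth-scheme tokens are case-insensitive), and `if (i>0)` correctly rejects an empty username while letting the password contain ':'. As a matter of style the parsing now sits four blocks deep inside the enclosing method, which starts and ends outside the hunk; pulling the Basic-credential parsing into a private helper that returns the username/password pair or null would leave a single, auditable fall-through to the challenge. A comment on the scheme line, `// only the Basic scheme is accepted here; any other scheme falls through to the challenge`, would record the intent of the new check.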
@@ -275,7 +275,7 @@ public class DigestAuthenticator extends LoginAuthenticator private static class Digest extends Credential { private static final long serialVersionUID = -2484639019549527724L; - String method = ""; + final String method; String username = ""; String realm = ""; String nonce = "";
diff --git a/jetty-security/src/test/java/org/eclipse/jetty/security/ConstraintTest.java b/jetty-security/src/test/java/org/eclipse/jetty/security/ConstraintTest.java
index 9a40357de9e..19eb3099011 100644
--- a/jetty-security/src/test/java/org/eclipse/jetty/security/ConstraintTest.java
+++ b/jetty-security/src/test/java/org/eclipse/jetty/security/ConstraintTest.java
@@ -201,13 +201,13 @@ public class ConstraintTest assertTrue(response.indexOf("WWW-Authenticate: basic realm=\"TestRealm\"") > 0); response = _connector.getResponses("GET /ctx/auth/info HTTP/1.0\r\n" + - "Authorization: " + B64Code.encode("user:wrong") + "\r\n" + + "Authorization: Basic " + B64Code.encode("user:wrong") + "\r\n" + "\r\n"); assertTrue(response.startsWith("HTTP/1.1 401 Unauthorized")); assertTrue(response.indexOf("WWW-Authenticate: basic realm=\"TestRealm\"") > 0); response = _connector.getResponses("GET /ctx/auth/info HTTP/1.0\r\n" + - "Authorization: " + B64Code.encode("user:password") + "\r\n" + + "Authorization: Basic " + B64Code.encode("user:password") + "\r\n" + "\r\n"); assertTrue(response.startsWith("HTTP/1.1 200 OK"));
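Review bot: `final String method;` loses its initializer, so the only way this compiles is a constructor of the nested `Digest` class assigning it, and that constructor is outside the hunk; a reader of the field list now sees `username`, `realm` and `nonce` keep their mutable `""` defaults while `method` alone is fixed at construction, with nothing explaining the asymmetry. A short comment on the field naming where `method` is assigned and why it, unlike its siblings, must not change after construction would make the intent of this one-line change visible where the fields are declared. The `Digest` class body continues past the end of the hunk.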
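Review bot: The test hunks at @@ -201, -218, -490, -512, -776, -789 and -809 all rewrite the scheme-less header into `Authorization: Basic …`, but within the hunks shown none keeps the old shape as a negative case, so the behaviour this commit introduces — a credential sent without the `Basic` token, or under another scheme, must be refused with the challenge rather than logged in — is not asserted anywhere. One request per protected path with the previous header shape, e.g. `"Authorization: " + B64Code.encode("user:password") + "\r\n"`, asserting `HTTP/1.1 401 Unauthorized` and the `WWW-Authenticate: basic realm=\"TestRealm\"` header, would pin the fix, and a variant whose value starts with a different scheme token would cover the scheme-mismatch branch as well. The enclosing test methods start and end outside each hunk.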
@@ -218,20 +218,20 @@ public class ConstraintTest assertTrue(response.indexOf("WWW-Authenticate: basic realm=\"TestRealm\"") > 0); response = _connector.getResponses("GET /ctx/admin/info HTTP/1.0\r\n" + - "Authorization: " + B64Code.encode("admin:wrong") + "\r\n" + + "Authorization: Basic " + B64Code.encode("admin:wrong") + "\r\n" + "\r\n"); assertTrue(response.startsWith("HTTP/1.1 401 Unauthorized")); assertTrue(response.indexOf("WWW-Authenticate: basic realm=\"TestRealm\"") > 0); response = _connector.getResponses("GET /ctx/admin/info HTTP/1.0\r\n" + - "Authorization: " + B64Code.encode("user:password") + "\r\n" + + "Authorization: Basic " + B64Code.encode("user:password") + "\r\n" + "\r\n"); assertTrue(response.startsWith("HTTP/1.1 403 ")); assertTrue(response.indexOf("!role") > 0); response = _connector.getResponses("GET /ctx/admin/info HTTP/1.0\r\n" + - "Authorization: " + B64Code.encode("admin:password") + "\r\n" + + "Authorization: Basic " + B64Code.encode("admin:password") + "\r\n" + "\r\n"); assertTrue(response.startsWith("HTTP/1.1 200 OK")); 
@@ -490,18 +490,18 @@ public class ConstraintTest assertTrue(response.indexOf("WWW-Authenticate: basic realm=\"TestRealm\"") > 0); response = _connector.getResponses("GET /ctx/auth/info HTTP/1.0\r\n" + - "Authorization: " + B64Code.encode("user:wrong") + "\r\n" + + "Authorization: Basic " + B64Code.encode("user:wrong") + "\r\n" + "\r\n"); assertTrue(response.startsWith("HTTP/1.1 401 Unauthorized")); assertTrue(response.indexOf("WWW-Authenticate: basic realm=\"TestRealm\"") > 0); response = _connector.getResponses("GET /ctx/auth/info HTTP/1.0\r\n" + - "Authorization: " + B64Code.encode("user:password") + "\r\n" + + "Authorization: Basic " + B64Code.encode("user:password") + "\r\n" + "\r\n"); assertTrue(response.startsWith("HTTP/1.1 403")); response = _connector.getResponses("GET /ctx/auth/info HTTP/1.0\r\n" + - "Authorization: " + B64Code.encode("user2:password") + "\r\n" + + "Authorization: Basic " + B64Code.encode("user2:password") + "\r\n" + "\r\n"); assertTrue(response.startsWith("HTTP/1.1 200 OK")); 
@@ -512,20 +512,20 @@ public class ConstraintTest assertTrue(response.indexOf("WWW-Authenticate: basic realm=\"TestRealm\"") > 0); response = _connector.getResponses("GET /ctx/admin/info HTTP/1.0\r\n" + - "Authorization: " + B64Code.encode("admin:wrong") + "\r\n" + + "Authorization: Basic " + B64Code.encode("admin:wrong") + "\r\n" + "\r\n"); assertTrue(response.startsWith("HTTP/1.1 401 Unauthorized")); assertTrue(response.indexOf("WWW-Authenticate: basic realm=\"TestRealm\"") > 0); response = _connector.getResponses("GET /ctx/admin/info HTTP/1.0\r\n" + - "Authorization: " + B64Code.encode("user:password") + "\r\n" + + "Authorization: Basic " + B64Code.encode("user:password") + "\r\n" + "\r\n"); assertTrue(response.startsWith("HTTP/1.1 403 ")); assertTrue(response.indexOf("!role") > 0); response = _connector.getResponses("GET /ctx/admin/info HTTP/1.0\r\n" + - "Authorization: " + B64Code.encode("admin:password") + "\r\n" + + "Authorization: Basic " + B64Code.encode("admin:password") + "\r\n" + "\r\n"); assertTrue(response.startsWith("HTTP/1.1 200 OK"));
@@ -776,7 +776,7 @@ public class ConstraintTest assertTrue(response.startsWith("HTTP/1.1 200 OK")); response = _connector.getResponses("GET /ctx/auth/info HTTP/1.0\r\n" + - "Authorization: " + B64Code.encode("user2:password") + "\r\n" + + "Authorization: Basic " + B64Code.encode("user2:password") + "\r\n" + "\r\n"); assertTrue(response.startsWith("HTTP/1.1 500 "));
@@ -789,7 +789,7 @@ public class ConstraintTest _server.start(); response = _connector.getResponses("GET /ctx/auth/info HTTP/1.0\r\n" + - "Authorization: " + B64Code.encode("user2:password") + "\r\n" + + "Authorization: Basic " + B64Code.encode("user2:password") + "\r\n" + "\r\n"); assertTrue(response.startsWith("HTTP/1.1 200 OK")); }
@@ -809,13 +809,13 @@ public class ConstraintTest assertTrue(response.indexOf("user=null") > 0); response = _connector.getResponses("GET /ctx/noauth/info HTTP/1.0\r\n"+ - "Authorization: " + B64Code.encode("admin:wrong") + "\r\n" + + "Authorization: Basic " + B64Code.encode("admin:wrong") + "\r\n" + "\r\n"); assertTrue(response.startsWith("HTTP/1.1 200 OK")); assertTrue(response.indexOf("user=null") > 0); response = _connector.getResponses("GET /ctx/noauth/info HTTP/1.0\r\n"+ - "Authorization: " + B64Code.encode("admin:password") + "\r\n" + + "Authorization: Basic " + B64Code.encode("admin:password") + "\r\n" + "\r\n"); assertTrue(response.startsWith("HTTP/1.1 200 OK")); assertTrue(response.indexOf("user=admin") > 0);