
Fix exception for empty basic auth header token
fixes spring-projectsgh-7976

Zeeshan Adnan %!s(int64=5) %!d(string=hai) anos
pai
achega
a49a325db2

+ 4 - 0
web/src/main/java/org/springframework/security/web/authentication/www/BasicAuthenticationConverter.java

@@ -87,6 +87,10 @@ public class BasicAuthenticationConverter implements AuthenticationConverter {
 			return null;
 		}
 
+		if (header.equalsIgnoreCase(AUTHENTICATION_SCHEME_BASIC)) {
+			throw new BadCredentialsException("Empty basic authentication token");
+		}
+
 		byte[] base64Token = header.substring(6).getBytes(StandardCharsets.UTF_8);
 		byte[] decoded;
 		try {
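Review bot: The new guard on the first added line only fires when the header is exactly the scheme word, so it silently depends on the header having been trimmed before this point, which the hunk does not show, and the same invariant is restated two lines later by the magic offset in `header.substring(6)`. Tying the guard to the constant instead, `if (header.length() <= AUTHENTICATION_SCHEME_BASIC.length()) {`, rejects the same inputs (assuming the preceding, unseen check already returns null for headers that do not start with the scheme) while keeping the guard and the substring offset in step if either changes. Throwing BadCredentialsException here rather than letting substring() fail is the right boundary behaviour, since the filter turns it into a 401 instead of an unhandled 500. The convert method starts and ends outside the hunk; its Javadoc should document the new failure mode with `@throws BadCredentialsException if the header carries the Basic scheme but no credential token`.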

+ 8 - 0
web/src/test/java/org/springframework/security/web/authentication/www/BasicAuthenticationConverterTests.java

@@ -111,4 +111,12 @@ public class BasicAuthenticationConverterTests {
 		assertThat(authentication.getName()).isEqualTo("rod");
 		assertThat(authentication.getCredentials()).isEqualTo("");
 	}
+
+	@Test(expected = BadCredentialsException.class)
+	public void requestWhenEmptyBasicAuthorizationHeaderTokenThenError() {
+		MockHttpServletRequest request = new MockHttpServletRequest();
+		request.addHeader("Authorization", "Basic ");
+		converter.convert(request);
+	}
+
 }
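Review bot: The new test only sends `"Basic "` with trailing whitespace, so it exercises the converter's exact-match guard only through whatever trimming happens earlier in convert; the literal case the guard compares against, `"Basic"` with no trailing space, and the lowercase scheme `"basic "` that equalsIgnoreCase is meant to cover have no test of their own. Adding those two header values as separate tests (or a parameterized one, if the project's JUnit setup allows) would pin the guard independently of the trimming. The `@Test(expected = ...)` form also checks only the exception type; since the file already uses AssertJ, `assertThatExceptionOfType(BadCredentialsException.class).isThrownBy(() -> converter.convert(request)).withMessage("Empty basic authentication token");` would additionally pin the message and make clear which of the converter's two BadCredentialsException paths was hit.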

+ 16 - 0
web/src/test/java/org/springframework/security/web/authentication/www/BasicAuthenticationFilterTests.java

@@ -424,4 +424,20 @@ public class BasicAuthenticationFilterTests {
 		assertThat(SecurityContextHolder.getContext().getAuthentication()).isNull();
 	}
 
+	@Test
+	public void requestWhenEmptyBasicAuthorizationHeaderTokenThenUnauthorized() throws Exception {
+		MockHttpServletRequest request = new MockHttpServletRequest();
+		request.addHeader("Authorization", "Basic ");
+		request.setServletPath("/some_file.html");
+		request.setSession(new MockHttpSession());
+		final MockHttpServletResponse response = new MockHttpServletResponse();
+
+		FilterChain chain = mock(FilterChain.class);
+		filter.doFilter(request, response, chain);
+		verify(chain, never()).doFilter(any(ServletRequest.class),
+				any(ServletResponse.class));
+		assertThat(SecurityContextHolder.getContext().getAuthentication()).isNull();
+		assertThat(response.getStatus()).isEqualTo(401);
+	}
+
 }
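Review bot: The new test declares `response` as `final` but leaves `request` and `chain` non-final in the same method, which reads as an accidental inconsistency rather than a signal; drop the modifier (`MockHttpServletResponse response = new MockHttpServletResponse();`) or apply it uniformly. The assertion on the 401 status covers the main point, but if the filter under test uses the standard BasicAuthenticationEntryPoint (not visible in the hunk), the challenge header is part of the contract a client relies on and is worth pinning with `assertThat(response.getHeader("WWW-Authenticate")).startsWith("Basic realm=");`. The request/response setup duplicates the pattern of the surrounding tests; a small private helper building the request for a given Authorization value would keep the three-line preamble out of each test, though the existing file's tests appear to inline it as well.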