首頁 探索 說明
註冊 登入
github
/
spring-security
镜像来自 https://github.com/spring-projects/spring-security
2
0
複刻 0
Files 問題管理 0 Wiki
瀏覽代碼

Fix exception for empty basic auth header token
fixes spring-projectsgh-7976

Zeeshan Adnan 5 年之前
父節點
75f22285c6
當前提交
a49a325db2
共有 3 個文件被更改,包括 28 次插入0 次删除
分割檢視 顯示文件統計
  1. 4 0
      web/src/main/java/org/springframework/security/web/authentication/www/BasicAuthenticationConverter.java
  2. 8 0
      web/src/test/java/org/springframework/security/web/authentication/www/BasicAuthenticationConverterTests.java
  3. 16 0
      web/src/test/java/org/springframework/security/web/authentication/www/BasicAuthenticationFilterTests.java

+ 4 - 0
web/src/main/java/org/springframework/security/web/authentication/www/BasicAuthenticationConverter.java
查看文件 

@@ -87,6 +87,10 @@ public class BasicAuthenticationConverter implements AuthenticationConverter {
 
 			return null;
 
 		}
 
 
+		if (header.equalsIgnoreCase(AUTHENTICATION_SCHEME_BASIC)) {
 
+			throw new BadCredentialsException("Empty basic authentication token");
 
+		}
 
+
 
 		byte[] base64Token = header.substring(6).getBytes(StandardCharsets.UTF_8);
 
 		byte[] decoded;
 
 		try {

+ 8 - 0
web/src/test/java/org/springframework/security/web/authentication/www/BasicAuthenticationConverterTests.java
查看文件 

@@ -111,4 +111,12 @@ public class BasicAuthenticationConverterTests {
 
 		assertThat(authentication.getName()).isEqualTo("rod");
 
 		assertThat(authentication.getCredentials()).isEqualTo("");
 
 	}
 
+
 
+	@Test(expected = BadCredentialsException.class)
 
+	public void requestWhenEmptyBasicAuthorizationHeaderTokenThenError() {
 
+		MockHttpServletRequest request = new MockHttpServletRequest();
 
+		request.addHeader("Authorization", "Basic ");
 
+		converter.convert(request);
 
+	}
 
+
 
 }

+ 16 - 0
web/src/test/java/org/springframework/security/web/authentication/www/BasicAuthenticationFilterTests.java
查看文件 

@@ -424,4 +424,20 @@ public class BasicAuthenticationFilterTests {
 
 		assertThat(SecurityContextHolder.getContext().getAuthentication()).isNull();
 
 	}
 
 
+	@Test
 
+	public void requestWhenEmptyBasicAuthorizationHeaderTokenThenUnauthorized() throws Exception {
 
+		MockHttpServletRequest request = new MockHttpServletRequest();
 
+		request.addHeader("Authorization", "Basic ");
 
+		request.setServletPath("/some_file.html");
 
+		request.setSession(new MockHttpSession());
 
+		final MockHttpServletResponse response = new MockHttpServletResponse();
 
+
 
+		FilterChain chain = mock(FilterChain.class);
 
+		filter.doFilter(request, response, chain);
 
+		verify(chain, never()).doFilter(any(ServletRequest.class),
 
+				any(ServletResponse.class));
 
+		assertThat(SecurityContextHolder.getContext().getAuthentication()).isNull();
 
+		assertThat(response.getStatus()).isEqualTo(401);
 
+	}
 
+
 
 }