
SEC-1285: minor vulnerability in BasicProcessingFilter. Changed logging of Basic authentication information.

Luke Taylor 15 ani în urmă
părinte
comite
d84542cf88

+ 9 - 8
web/src/main/java/org/springframework/security/web/authentication/www/BasicAuthenticationFilter.java

@@ -109,15 +109,12 @@ public class BasicAuthenticationFilter extends GenericFilterBean {
 
     public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
             throws IOException, ServletException {
-        HttpServletRequest request = (HttpServletRequest) req;
-        HttpServletResponse response = (HttpServletResponse) res;
+        final boolean debug = logger.isDebugEnabled();
+        final HttpServletRequest request = (HttpServletRequest) req;
+        final HttpServletResponse response = (HttpServletResponse) res;
 
         String header = request.getHeader("Authorization");
 
-        if (logger.isDebugEnabled()) {
-            logger.debug("Authorization header: " + header);
-        }
-
         if ((header != null) && header.startsWith("Basic ")) {
             byte[] base64Token = header.substring(6).getBytes("UTF-8");
             String token = new String(Base64.decodeBase64(base64Token), getCredentialsCharset(request));
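Review bot: Nothing in the new code records why the Authorization header is no longer logged, so a later maintainer adding a "log the header" debug line would silently reintroduce SEC-1285. A short comment next to the `String header = request.getHeader("Authorization");` line would pin the intent, e.g. `// Never log the raw header: Basic credentials are only base64-encoded, so the password would land in the log (SEC-1285).` The body of doFilter continues past this hunk.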
@@ -131,6 +128,10 @@ public class BasicAuthenticationFilter extends GenericFilterBean {
                 password = token.substring(delim + 1);
             }
 
+            if (debug) {
+                logger.debug("Basic Authentication Authorization header found for user '" + username + "'");
+            }
+
             if (authenticationIsRequired(username)) {
                 UsernamePasswordAuthenticationToken authRequest =
                         new UsernamePasswordAuthenticationToken(username, password);
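Review bot: The new debug line writes `username` into the log verbatim, and that value comes straight from the base64-decoded client token, so a name containing CR/LF or other control characters is emitted unmodified and can forge extra log records; the same applies to the `username` in the failure message in the next hunk (`Authentication request for user: ...`). If the name is worth logging at debug level, neutralise line breaks first, for example `logger.debug("Basic Authentication Authorization header found for user '" + username.replaceAll("[\\r\\n]", "_") + "'");`, or log only its length. Wrapping the value in quotes as the line already does helps readability but does not stop the injection. doFilter starts and ends outside this hunk.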
@@ -142,7 +143,7 @@ public class BasicAuthenticationFilter extends GenericFilterBean {
                     authResult = authenticationManager.authenticate(authRequest);
                 } catch (AuthenticationException failed) {
                     // Authentication failed
-                    if (logger.isDebugEnabled()) {
+                    if (debug) {
                         logger.debug("Authentication request for user: " + username + " failed: " + failed.toString());
                     }
 
@@ -162,7 +163,7 @@ public class BasicAuthenticationFilter extends GenericFilterBean {
                 }
 
                 // Authentication success
-                if (logger.isDebugEnabled()) {
+                if (debug) {
                     logger.debug("Authentication success: " + authResult.toString());
                 }