[JBoss JIRA] (WFCORE-1040) Digest authentication mechanism unable to parse headers where username terminated with trailing '\'

Tuesday, 27 October 2015

     [
https://issues.jboss.org/browse/WFCORE-1040?page=com.atlassian.jira.plugi...
]

Darran Lofthouse updated WFCORE-1040:
-------------------------------------
    Summary: Digest authentication mechanism unable to parse headers where username
terminated with trailing '\'  (was: Properties authentication in Security Realms
does not work with username finishing with backslash)

...
 Digest authentication mechanism unable to parse headers where
username terminated with trailing '\'

---------------------------------------------------------------------------------------------------

                 Key: WFCORE-1040
                 URL: https://issues.jboss.org/browse/WFCORE-1040
             Project: WildFly Core
          Issue Type: Bug
          Components: Domain Management, Security
    Affects Versions: 2.0.0.CR5
            Reporter: Ondrej Lukas
            Assignee: Darran Lofthouse
            Priority: Critical
             Fix For: 2.0.0.CR9

 In case when username finish with backslash then properties authentication in security
realm does not work. It works correctly when backslash is used in the middle of username.
 Following expection is thrown:
 {code}
 java.lang.IllegalArgumentException: UT000025: Unexpected token
'delimiters-test", nonce' within header.
 	at io.undertow.util.HeaderTokenParser.parseHeader(HeaderTokenParser.java:68)
 	at
io.undertow.security.impl.DigestAuthorizationToken.parseHeader(DigestAuthorizationToken.java:79)
 	at
io.undertow.security.impl.DigestAuthenticationMechanism.authenticate(DigestAuthenticationMechanism.java:156)
 	at
org.jboss.as.domain.http.server.security.AuthenticationMechanismWrapper.authenticate(AuthenticationMechanismWrapper.java:52)
 	at
io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:233)
 	at
io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:250)
 	at
io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:219)
 	at
io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:121)
 	at
io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:96)
 	at
io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:89)
 	at
io.undertow.security.handlers.AuthenticationCallHandler.handleRequest(AuthenticationCallHandler.java:50)
 	at io.undertow.server.Connectors.executeRootHandler(Connectors.java:198)
 	at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:784)
 	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
 	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
 	at java.lang.Thread.run(Thread.java:745)
 {code} 

--
This message was sent by Atlassian JIRA
(v6.4.11#64026)

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006