[jboss-jira] [JBoss JIRA] Created: (JBAS-6569) Wrong coded Basic Authentication header gives an OK header back

Magnus Runesson (JIRA) jira-events at lists.jboss.org
Wed Mar 4 05:16:22 EST 2009


Wrong coded Basic Authentication header gives an OK header back
---------------------------------------------------------------

                 Key: JBAS-6569
                 URL: https://jira.jboss.org/jira/browse/JBAS-6569
             Project: JBoss Application Server
          Issue Type: Bug
      Security Level: Public (Everyone can see)
    Affects Versions: JBossAS-4.2.3.GA
         Environment: Linux Red Hat Enterprise 5
            Reporter: Magnus Runesson
            Priority: Minor


Assume a client sends an HTTP POST request with a Basic authorization header (Authorization: Basic) whose credential string is not properly encoded, i.e. it contains non-Base64 characters.

The response from JBoss is a 200 OK status with chunked transfer encoding, i.e.:
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Transfer-Encoding: chunked


It should return an HTTP 400 error code instead.


From web.xml:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>alert</web-resource-name>
    <description>Security config for KEPS.</description>
    <url-pattern>/path/*</url-pattern>
    <url-pattern>/path</url-pattern>
    <http-method>POST</http-method>
    <http-method>DELETE</http-method>
    <http-method>PUT</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>foo</role-name>
  </auth-constraint>
  <!-- <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint> -->
</security-constraint>

<security-role>
  <description>Role for that are allowed to post thunder warnings.</description>
  <role-name>foo</role-name>
</security-role>

<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>KEPS</realm-name>
</login-config>
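The behaviour the report asks for, as an added example that is not JBoss code and not part of this ticket: a strict parser for the Authorization: Basic header that distinguishes a missing header (401 with a challenge) from a syntactically malformed one (400, the case above) before any realm lookup happens. The function name and the realm name default are assumptions; the sample headers are constructed.

```python
import base64
import binascii
import re

# RFC 4648 Base64 alphabet in 4-character groups, with optional '=' padding.
_B64_RE = re.compile(r"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$")


def check_basic_auth(authorization):
    """Model of the pre-authentication check a container should perform.

    Returns (status, credentials):
      (401, None)  header absent or not the Basic scheme -> send a challenge
      (400, None)  header present but malformed -> reject, never reach the realm
      (None, (user, password))  well-formed; caller verifies against the realm
    """
    if authorization is None:
        return 401, None
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.lower() != "basic":
        return 401, None  # some other scheme; re-challenge with Basic
    token = token.strip()
    # Non-Base64 characters (the JBAS-6569 input) must be a syntax error,
    # not silently tolerated and passed on as if no credentials were sent.
    if not token or not _B64_RE.match(token):
        return 400, None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return 400, None
    if ":" not in decoded:
        return 400, None  # RFC 7617 requires user-id ":" password
    user, _, password = decoded.partition(":")
    return None, (user, password)


if __name__ == "__main__":
    # Constructed sample headers for illustration.
    for hdr in (None, "Basic Zm9vOmJhcg==", "Basic Zm9v!OmJhcg==", "Basic Zm9v"):
        status, creds = check_basic_auth(hdr)
        print(repr(hdr), "->", status if status else "check realm for %r" % (creds[0],))
```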


