[jboss-jira] [JBoss JIRA] (WFLY-5561) Digest authentication mechanism unable to parse headers where username terminated with trailing '\'

Jason Greene (JIRA) issues at jboss.org
Fri Oct 23 14:32:03 EDT 2015 

     [ https://issues.jboss.org/browse/WFLY-5561?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jason Greene updated WFLY-5561:
-------------------------------
    Fix Version/s: 10.0.0.Final
                       (was: 10.0.0.CR4)


> Digest authentication mechanism unable to parse headers where username terminated with trailing '\'
> ---------------------------------------------------------------------------------------------------
>
>                 Key: WFLY-5561
>                 URL: https://issues.jboss.org/browse/WFLY-5561
>             Project: WildFly
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: 10.0.0.CR3
>            Reporter: Darran Lofthouse
>            Assignee: Darran Lofthouse
>            Priority: Critical
>             Fix For: 10.0.0.Final
>
>
> In case when username finish with backslash then properties authentication in security realm does not work. It works correctly when backslash is used in the middle of username.
> Following expection is thrown:
> {code}
> java.lang.IllegalArgumentException: UT000025: Unexpected token 'delimiters-test", nonce' within header.
> 	at io.undertow.util.HeaderTokenParser.parseHeader(HeaderTokenParser.java:68)
> 	at io.undertow.security.impl.DigestAuthorizationToken.parseHeader(DigestAuthorizationToken.java:79)
> 	at io.undertow.security.impl.DigestAuthenticationMechanism.authenticate(DigestAuthenticationMechanism.java:156)
> 	at org.jboss.as.domain.http.server.security.AuthenticationMechanismWrapper.authenticate(AuthenticationMechanismWrapper.java:52)
> 	at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:233)
> 	at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:250)
> 	at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:219)
> 	at io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:121)
> 	at io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:96)
> 	at io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:89)
> 	at io.undertow.security.handlers.AuthenticationCallHandler.handleRequest(AuthenticationCallHandler.java:50)
> 	at io.undertow.server.Connectors.executeRootHandler(Connectors.java:198)
> 	at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:784)
> 	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> 	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> 	at java.lang.Thread.run(Thread.java:745)
> {code}



--
This message was sent by Atlassian JIRA
(v6.4.11#64026)

More information about the jboss-jira mailing list