Red Hat Fuse: ENTESB-6086

(Fuse 6.2.1) SwitchYard HTTP Basic Auth is case-sensitive, in violation of rfc2617


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: jboss-fuse-6.2.1
    • Fix Version/s: jboss-fuse-6.2.1
    • Component/s: SwitchYard
    • Labels:
      None
    • Steps to Reproduce:

      Use the quickstart 'policy-security-basic'.
      1) Run the quickstart as designed. Note that the test that provides credentials passes.
      2) Edit WorkServiceMain.java, replacing 'Basic' with 'BASIC':
      //http.setRequestHeader("Authorization", "Basic " + Base64.encodeFromString(userPass[0] + ":" + userPass[1]));
      http.setRequestHeader("Authorization", "BASIC " + Base64.encodeFromString(userPass[0] + ":" + userPass[1]));

      Run the test again. It will now fail.

    • Security Sensitive Issue:
      This issue is security relevant

      Description

      RFC 2617 [1] specifically states that the 'Basic' token should be case-insensitive, but SwitchYard is rejecting requests that use 'BASIC' instead of 'Basic'.

      This is causing a compatibility issue for a customer that relies upon the behavior previously noted with SOA-P. (Case insensitive, per the spec.)

      --------------------
      1.2 Access Authentication Framework

      HTTP provides a simple challenge-response authentication mechanism
      that MAY be used by a server to challenge a client request and by a
      client to provide authentication information. It uses an extensible,
      case-insensitive token to identify the authentication scheme ...
      -------------------------

      [1] https://www.ietf.org/rfc/rfc2617.txt
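The following is an added example, written for this page and not code from SwitchYard or the 'policy-security-basic' quickstart. It shows, in Python rather than Java, the two behaviours the ticket contrasts: a parser that matches the Authorization scheme token exactly (the reported bug, where only the spelling 'Basic' gets through) and one that matches it case-insensitively as RFC 2617 section 1.2 (and its successor RFC 7235) require, so 'Basic', 'BASIC' and 'basic' are all accepted. It also builds the header the same way the quickstart's client line does (scheme, a space, base64 of user:password), and rejects the malformed cases a server must handle: another scheme, credentials that are not base64, or credentials with no colon. The function names, the credentials and the constant-time comparison in authenticate() are assumptions made for the example.

```python
import base64
import binascii
import hmac
from typing import Optional, Tuple

# Constructed credentials for this example only (not the quickstart's).
# The password contains a colon on purpose: RFC 7617 forbids a colon in the
# user-id but allows it in the password, so a server must split on the first
# colon only.
EXPECTED_USER = "kermit"
EXPECTED_PASSWORD = "the:frog"


def build_basic_header(user: str, password: str, scheme: str = "Basic") -> str:
    """Build the header the way the quickstart client line does:
    scheme + " " + base64(user + ":" + password).

    The scheme argument is what the ticket's step 2 changes ("Basic" -> "BASIC").
    """
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"{scheme} {token}"


def parse_basic_authorization(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Parse an Authorization header carrying the Basic scheme (the fixed behaviour).

    Returns (user, password), or None when the header is absent, names another
    scheme, or carries credentials that are not valid base64 / not "user:password".
    The scheme token is compared case-insensitively, per RFC 2617 section 1.2.
    """
    if header is None:
        return None
    # Scheme and credentials are separated by whitespace; keep the rest intact.
    parts = header.strip().split(None, 1)
    if len(parts) != 2:
        return None
    scheme, credentials = parts
    # This comparison is the whole fix: `scheme == "Basic"` is what rejects "BASIC".
    if scheme.lower() != "basic":
        return None
    try:
        raw = base64.b64decode(credentials.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    # Split on the first colon only (the password may itself contain colons).
    user, sep, password = text.partition(":")
    if not sep:
        return None
    return user, password


def strict_parse_basic_authorization(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """The behaviour the ticket reports, reconstructed for contrast (not SwitchYard's
    source): an exact, case-sensitive match on the spelling "Basic"."""
    if header is None or not header.startswith("Basic "):
        return None
    return parse_basic_authorization(header)


def authenticate(header: Optional[str]) -> bool:
    """Accept the request only if the case-insensitively parsed credentials match.

    hmac.compare_digest keeps the comparison constant-time, so a rejected request
    does not reveal how many leading characters of the password were correct.
    """
    creds = parse_basic_authorization(header)
    if creds is None:
        return False
    user, password = creds
    user_ok = hmac.compare_digest(user.encode("utf-8"), EXPECTED_USER.encode("utf-8"))
    pw_ok = hmac.compare_digest(password.encode("utf-8"), EXPECTED_PASSWORD.encode("utf-8"))
    return user_ok and pw_ok


if __name__ == "__main__":
    for spelling in ("Basic", "BASIC", "basic"):
        hdr = build_basic_header(EXPECTED_USER, EXPECTED_PASSWORD, spelling)
        print(f"{spelling:6} strict={strict_parse_basic_authorization(hdr) is not None}"
              f" lenient={authenticate(hdr)}")
```

Running the block reproduces the ticket's step 2 in miniature: the strict parser accepts only 'Basic', while the lenient one authenticates all three spellings and still refuses a wrong password or a non-Basic scheme.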


              People

               • Assignee: tcunning Thomas Cunningham
               • Reporter: rick_wagner Rick Wagner
               • Tester: Stefan Veres
