JBoss Remoting
JBREM-806

In HTTPClientInvoker remove newlines and carriage returns from Base64 encoded user names and passwords

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: 2.2.2.GA, 2.4.0.Beta1 (Pinto)
    • Fix Version/s: 2.4.0.Beta1 (Pinto)
    • Component/s: None
    • Security Level: Public (Everyone can see)
    • Labels:
      None

      Description

      This public issue duplicates patch JBREM-791.

      Long user names and passwords cause the HTTPClientInvoker to fail. This is because the string returned from org.jboss.util.Base64.encodeBytes contains newline characters. According to the HTTP specification, the Base64 encoded string for Basic authentication should not be broken into lines at 76 characters as is the case for MIME data. This is a one-line fix in the HTTPClientInvoker class, and we are running into this issue and need a patch.

      ---------
      RFC 2617: http://www.ietf.org/rfc/rfc2617.txt

      To receive authorization, the client sends the userid and password,
      separated by a single colon (":") character, within a base64 [7]
      encoded string in the credentials.

      basic-credentials = base64-user-pass
      base64-user-pass = <base64 [4] encoding of user-pass,
      except not limited to 76 char/line>
      user-pass = userid ":" password
      userid = *<TEXT excluding ":">
      password = *TEXT

      ---------
      This can be reproduced by using a username / password combination larger than 76 characters to access a web service using BASIC authentication.

      ---------
      Solution: org.jboss.util.Base64.encodeBytes() takes an optional "options" parameter, which, among other things, can indicate that Base64 encoded strings should not be broken into lines:

      change

      String encoded = Base64.encodeBytes(buffer.toString().getBytes());

      to

      String encoded = Base64.encodeBytes(buffer.toString().getBytes(), Base64.DONT_BREAK_LINES);

      Unit test: org.jboss.test.remoting.transport.http.authorization.BASICAuthorizationTestCase.
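
An added example, not JBoss Remoting code: it reproduces the line-break behaviour described above with the JDK's java.util.Base64, where the MIME encoder stands in for the default org.jboss.util.Base64.encodeBytes() and the basic encoder for Base64.DONT_BREAK_LINES, and adds a guard that rejects a header value containing CR or LF. The class name, method names and sample credentials are constructed for illustration, and UTF-8 is an assumed charset.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class BasicAuthLineBreakDemo {

    // MIME encoder: inserts CRLF after every 76 output characters. Stands in for
    // the default (line-breaking) org.jboss.util.Base64.encodeBytes(byte[]).
    static String wrapped(String user, String password) {
        return Base64.getMimeEncoder().encodeToString(userPass(user, password));
    }

    // Basic encoder: no line breaks, the counterpart of Base64.DONT_BREAK_LINES.
    static String unwrapped(String user, String password) {
        return Base64.getEncoder().encodeToString(userPass(user, password));
    }

    // user-pass = userid ":" password (RFC 2617). UTF-8 is this example's assumption.
    static byte[] userPass(String user, String password) {
        return (user + ":" + password).getBytes(StandardCharsets.UTF_8);
    }

    // Guard before the value reaches the connection: a header value must be one line.
    static String authorizationHeader(String credentials) {
        if (credentials.indexOf('\r') >= 0 || credentials.indexOf('\n') >= 0) {
            throw new IllegalArgumentException("Base64 credentials contain a line break");
        }
        return "Basic " + credentials;
    }

    public static void main(String[] args) {
        // Constructed credentials, long enough that the Base64 form exceeds 76 characters.
        String user = "service-account-with-a-long-name@example.org";
        String password = "constructed-sample-password-0123456789-abcdefghij";

        String broken = wrapped(user, password);
        String fixed = unwrapped(user, password);
        System.out.println("wrapped contains CRLF:   " + broken.contains("\r\n"));
        System.out.println("unwrapped contains CRLF: " + fixed.contains("\r\n"));
        System.out.println("Authorization: " + authorizationHeader(fixed));
        try {
            authorizationHeader(broken);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected wrapped value: " + e.getMessage());
        }
    }
}
```

The guard fails closed: a wrapped value is rejected before it is sent, rather than surfacing later as a failed or malformed request.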

        Activity

        Ron Sigal added a comment:

        Fix has already been applied to branches remoting_2_2_0_GA (and incorporated into release 2.2.2.GA) and remoting_2_x.

        Unit test passes on cruisecontrol.


          People

          • Assignee:
            Ron Sigal
            Reporter:
            Ron Sigal