Bug 1150024
| Field | Value |
|---|---|
| Summary: | HeaderParser fails to handle delimiters in DigestAuthenticator |
| Product: | [JBoss] JBoss Enterprise Application Platform 6 |
| Reporter: | Josef Cacek <jcacek> |
| Component: | Domain Management, Security |
| Assignee: | Darran Lofthouse <darran.lofthouse> |
| Status: | CLOSED CURRENTRELEASE |
| QA Contact: | Pavel Slavicek <pslavice> |
| Severity: | urgent |
| Docs Contact: | |
| Priority: | unspecified |
| Version: | 6.3.1 |
| CC: | dandread, darran.lofthouse, jason.greene, kkhan, pkremens |
| Target Milestone: | DR11 |
| Target Release: | EAP 6.4.0 |
| Hardware: | Unspecified |
| OS: | Unspecified |
| Whiteboard: | |
| Fixed In Version: | |
| Doc Type: | Bug Fix |
| Story Points: | --- |
| Clone Of: | |
| Environment: | |
| Last Closed: | |
| Type: | Bug |
| Regression: | --- |
| Mount Type: | --- |
| Documentation: | --- |
| CRM: | |
| Verified Versions: | |
| Category: | --- |
| oVirt Team: | --- |
| RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- |
| Target Upstream Version: | |
| Embargoed: | |

Doc Text:

Previous versions of JBoss EAP 6 carried a bug in the Digest authenticator which caused it to mishandle escaped delimiters within quoted values in the authentication header. Additionally, the add-user utility did not correctly escape usernames that contained the backslash character (\). As a result, valid authentication requests were incorrectly rejected.

In this release, header parsing has been reworked within the Digest authentication mechanism, and the add-user utility now correctly escapes the backslash character in usernames, allowing authentication to occur as expected.
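The two parsing cases the Doc Text describes, written out as an added Python example (this is not the JBoss EAP DigestAuthenticator or add-user source): a quoted value that contains the delimiter, and a value whose last character is an escaped backslash. The parser is general over quoted-string escaping, so it also covers an escaped quote inside a value. The function names parse_digest_params, quote_value and escape_properties_key and the sample headers are constructed for this illustration; escape_properties_key follows the java.util.Properties key-escaping convention that a mgmt-users.properties entry such as `ab\\=anil` relies on.

```python
"""Digest Authorization header parameters with escaped delimiters.

Added illustration of the behaviour the Doc Text describes; it is not the
JBoss EAP DigestAuthenticator or add-user source.  Function names and the
sample headers are constructed for this example.
"""
from typing import Dict, List

DELIMITER = ","


def parse_digest_params(params: str) -> Dict[str, str]:
    """Parse 'k1="v1", k2=v2, ...' into a dict.

    Inside a quoted value a backslash escapes the next character, so
    \\" is a literal quote and \\\\ is a literal backslash, and a comma
    inside the quotes belongs to the value rather than ending it.
    """
    result: Dict[str, str] = {}
    n = len(params)
    pos = 0
    while pos < n:
        # Skip whitespace and any stray delimiters between parameters.
        while pos < n and params[pos] in " \t" + DELIMITER:
            pos += 1
        if pos >= n:
            break
        eq = params.find("=", pos)
        if eq < 0:
            raise ValueError("parameter without '=' at offset %d" % pos)
        key = params[pos:eq].strip()
        pos = eq + 1
        if pos < n and params[pos] == '"':
            # Quoted value: walk character by character so that an escaped
            # quote, or an escaped backslash immediately before the closing
            # quote, does not end the value early.
            pos += 1
            buf: List[str] = []
            while True:
                if pos >= n:
                    raise ValueError("unterminated quoted value for %r" % key)
                ch = params[pos]
                if ch == "\\":
                    if pos + 1 >= n:
                        raise ValueError("dangling escape in value for %r" % key)
                    buf.append(params[pos + 1])  # keep the escaped character
                    pos += 2
                    continue
                if ch == '"':
                    pos += 1  # consume the closing quote
                    break
                buf.append(ch)
                pos += 1
            value = "".join(buf)
            # Look for the next delimiter only AFTER the closing quote;
            # searching from the start of the value would stop at a comma
            # inside it (the defect the page's first hunk addresses).
            next_delim = params.find(DELIMITER, pos)
            pos = n if next_delim < 0 else next_delim + 1
        else:
            # Token value: runs up to the next delimiter or end of string.
            next_delim = params.find(DELIMITER, pos)
            end = n if next_delim < 0 else next_delim
            value = params[pos:end].strip()
            pos = end + 1
        result[key] = value
    return result


def quote_value(value: str) -> str:
    """Produce the quoted-string form a client sends for a value."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def escape_properties_key(username: str) -> str:
    """Escape a username for use as a key in a Java .properties file
    (the mgmt-users.properties convention): backslash and the key
    terminators '=', ':', '#', '!' and space each get a leading backslash."""
    special = "\\=: #!"
    return "".join("\\" + c if c in special else c for c in username)


if __name__ == "__main__":
    # Constructed sample using the username from the report (ab followed
    # by a single backslash) and a nonce that contains the delimiter.
    header = "username=" + quote_value("ab\\") + \
        ', realm="ManagementRealm", nonce="n1,n2", qop=auth'
    parsed = parse_digest_params(header)
    print(parsed)                                   # username is 'ab\'
    print(escape_properties_key("ab\\") + "=anil")  # ab\\=anil
```

The quoted-value loop is the part that matters: it decides where the value ends before it ever looks for a delimiter, and it consumes escape pairs as units, so a trailing `\\` is read as one literal backslash rather than as an escape for the closing quote.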
Description
Josef Cacek
2014-10-07 09:35:36 UTC
I am setting to assigned so that I can investigate further - however I do not agree that in any way this can be considered a blocker. If there was a critical need for usernames in this form we would have heard about it already. This could help:
diff --git a/domain-http/interface/src/main/java/org/jboss/as/domain/http/server/security/DigestAuthenticator.java b/domain-http/interface/src/main/java/org/jboss/as/domain/http/server/security/DigestAuthent
index 30551fb..6c8b30b 100644
--- a/domain-http/interface/src/main/java/org/jboss/as/domain/http/server/security/DigestAuthenticator.java
+++ b/domain-http/interface/src/main/java/org/jboss/as/domain/http/server/security/DigestAuthenticator.java
@@ -387,7 +387,7 @@ public class DigestAuthenticator extends Authenticator {
response.value = message.substring(pos + 1, endQuote);
// Move pos after DELIMITER.
- int nextDelimeter = message.indexOf(DELIMITER, pos);
+ int nextDelimeter = message.indexOf(DELIMITER, endQuote);
if (nextDelimeter > 0) {
pos = nextDelimeter + 1;
}
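Review bot: the "if (nextDelimeter > 0)" check has no else branch, so for the last parameter in the header, where indexOf returns -1, pos is never advanced past endQuote; add an else that moves pos beyond the closing quote (for example pos = endQuote + 1;) or terminates the loop, so the value just consumed cannot be parsed again. Starting the search at endQuote does skip delimiters that sit inside the quoted value, but the result is only as good as endQuote itself: as the comment below points out, a value ending in an escaped backslash (ab\\) must not have its final backslash treated as escaping the closing quote. Minor: nextDelimeter is misspelled (nextDelimiter).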
The fix is not sufficient. There is another problem with backslash (\) as the last character in the value. The parser then takes it as an escape character for the ending quote. It's wrong, because the backslash itself is escaped in the value - "\\". Use steps from comment 0 to reproduce; just add a new user to mgmt-users.properties:

ab\\=anil

and authenticate with "ab\", "anil" credentials.

Stuart Douglas <stuart.w.douglas> updated the status of jira WFLY-3969 to Resolved

It's not a blocker.