Bug 1150024
| Field | Value |
|---|---|
| Summary | HeaderParser fails to handle delimiters in DigestAuthenticator |
| Product | [JBoss] JBoss Enterprise Application Platform 6 |
| Reporter | Josef Cacek <jcacek> |
| Component | Domain Management, Security |
| Assignee | Darran Lofthouse <darran.lofthouse> |
| Status | CLOSED CURRENTRELEASE |
| QA Contact | Pavel Slavicek <pslavice> |
| Severity | urgent |
| Docs Contact | |
| Priority | unspecified |
| Version | 6.3.1 |
| CC | dandread, darran.lofthouse, jason.greene, kkhan, pkremens |
| Target Milestone | DR11 |
| Target Release | EAP 6.4.0 |
| Hardware | Unspecified |
| OS | Unspecified |
| Whiteboard | |
| Fixed In Version | |
| Doc Type | Bug Fix |
| Doc Text | Previous versions of JBoss EAP 6 carried a bug in the Digest authenticator which caused it to mishandle escaped delimiters within values contained in the authentication header. Additionally, the add-user utility did not correctly escape usernames that contained the backslash character (\). As a result, valid authentication requests were incorrectly rejected. In this release, header parsing has been re-worked within the Digest authentication mechanism and the add-user utility now correctly escapes the backslash character in usernames, allowing authentication to occur as expected. |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
Description
Josef Cacek
2014-10-07 09:35:36 UTC
I am setting to assigned so that I can investigate further - however I do not agree that in any way this can be considered a blocker. If there was a critical need for usernames in this form we would have heard about it already.

This could help:

diff --git a/domain-http/interface/src/main/java/org/jboss/as/domain/http/server/security/DigestAuthenticator.java b/domain-http/interface/src/main/java/org/jboss/as/domain/http/server/security/DigestAuthent index 30551fb..6c8b30b 100644 --- a/domain-http/interface/src/main/java/org/jboss/as/domain/http/server/security/DigestAuthenticator.java +++ b/domain-http/interface/src/main/java/org/jboss/as/domain/http/server/security/DigestAuthenticator.java @@ -387,7 +387,7 @@ public class DigestAuthenticator extends Authenticator { response.value = message.substring(pos + 1, endQuote); // Move pos after DELIMITER. - int nextDelimeter = message.indexOf(DELIMITER, pos); + int nextDelimeter = message.indexOf(DELIMITER, endQuote); if (nextDelimeter > 0) { pos = nextDelimeter + 1; }

The fix is not sufficient. There is another problem with a backslash (\) as the last character in the value. The parser then takes it as an escape character for the ending quote. It's wrong, because the backslash itself is escaped in the value - "\\".

Use steps from comment 0 to reproduce, just add a new user to mgmt-users.properties:

ab\\=anil

And authenticate with "ab\", "anil" credentials.

Stuart Douglas <stuart.w.douglas> updated the status of jira WFLY-3969 to Resolved

It's not a blocker.
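Review bot: starting the delimiter search at `endQuote` instead of `pos` stops a `,` inside a quoted value from being taken as the end of the parameter, but it leaves untouched how `endQuote` itself is located, so a value whose last character is an escaped backslash (`"ab\\"`) is still read past its closing quote whenever the quote scan treats every backslash before `"` as an escape, which is the failure the following comment reproduces; the quote scan should consume `\\` as a pair so the `"` after it is recognised as the terminator, and a test for a username ending in a backslash belongs with the change. Two smaller points on the same lines: `nextDelimeter` is misspelled (`nextDelimiter`), and `if (nextDelimeter > 0)` leaves `pos` unchanged when `indexOf` returns -1 for the last parameter, which deserves either a comment or an explicit branch so the intent is clear.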
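The two failure modes discussed in this report (a delimiter such as `,` inside a quoted header value, and a value whose final character is an escaped backslash) both come from scanning for the next quote or comma instead of walking the quoted-string character by character. The following added example, which is not code from JBoss EAP or the project's DigestAuthenticator, parses the parameter list of a Digest `Authorization` header according to the RFC 2617 / RFC 7235 auth-param grammar (token or quoted-string, backslash escaping the next character), and also shows the escaping that a username needs before it can be stored as a key in a Java `.properties` file such as `mgmt-users.properties`. The function names `parse_digest_params` and `escape_properties_key` and the sample header are constructed for this illustration.

```python
"""Parse Digest auth-params and escape usernames for a .properties key.

Added example, not code from the JBoss EAP project.  It implements the
RFC 2617 / RFC 7235 grammar for the parameter list that follows the
"Digest " scheme prefix: comma-separated name=value pairs where value is
a token or a quoted-string, and inside a quoted-string a backslash makes
the next character literal (quoted-pair).  Scanning the quoted-string one
character at a time handles both cases from the bug report: a ',' inside
a value, and a value ending in an escaped backslash ("ab\\").
"""


def parse_digest_params(header: str) -> dict:
    """Return {name: unescaped value} for the text after "Digest ".

    Raises ValueError on malformed input (missing '=', unterminated
    quoted-string, dangling backslash, junk after a quoted value).
    """
    params = {}
    i, n = 0, len(header)
    while i < n:
        # Skip whitespace and separators between parameters.
        while i < n and header[i] in " \t,":
            i += 1
        if i >= n:
            break
        eq = header.find("=", i)
        if eq < 0:
            raise ValueError(f"missing '=' after position {i}")
        name = header[i:eq].strip().lower()
        i = eq + 1
        if i < n and header[i] == '"':
            # quoted-string: consume until an UNESCAPED closing quote.
            i += 1
            chars = []
            while True:
                if i >= n:
                    raise ValueError(f"unterminated quoted-string for {name!r}")
                c = header[i]
                if c == "\\":
                    # quoted-pair: the next char is literal, even '"' or '\'.
                    if i + 1 >= n:
                        raise ValueError(f"dangling backslash in {name!r}")
                    chars.append(header[i + 1])
                    i += 2
                    continue
                if c == '"':
                    i += 1  # step past the closing quote
                    break
                chars.append(c)
                i += 1
            value = "".join(chars)
        else:
            # token: runs up to the next comma (or end of header).
            end = header.find(",", i)
            if end < 0:
                end = n
            value = header[i:end].strip()
            i = end
        # Only whitespace, a ',' or the end may follow a value.
        while i < n and header[i] in " \t":
            i += 1
        if i < n and header[i] != ",":
            raise ValueError(f"unexpected {header[i]!r} after value of {name!r}")
        params[name] = value
    return params


def escape_properties_key(username: str) -> str:
    """Escape a username for use as a key in a Java .properties file.

    Backslash becomes "\\\\"; the key terminators '=', ':' and whitespace
    and the comment characters '#' and '!' are backslash-prefixed.  This
    is the escaping the report expects from add-user: "ab\\" -> "ab\\\\".
    """
    out = []
    for c in username:
        if c in "\\=:#! \t":
            out.append("\\")
        out.append(c)
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample: username is the two characters 'a','b' plus one
    # backslash, sent on the wire as "ab\\" (the backslash escaped).
    sample = ('username="ab\\\\", realm="ManagementRealm", nonce="n1", '
              'uri="/management", qop=auth, nc=00000001, cnonce="c,1", '
              'response="0123"')
    parsed = parse_digest_params(sample)
    print(parsed["username"], parsed["cnonce"])
    print(escape_properties_key(parsed["username"]) + "=anil")
```

The sample header deliberately carries a comma inside `cnonce` and a trailing escaped backslash in `username`; a parser that searches for the next `"` or `,` gets both wrong, while the character walk above yields `ab\` and `c,1`. The unescaped username `ab\` must then be written to the properties file as `ab\\=anil`, exactly the line the report uses to reproduce the problem.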