
Commit dfa7880

zeeshanadnaneleftherias
authored andcommitted
Fix exception for empty basic auth header token
fixes gh-7976
1 parent 5e0e5b6 commit dfa7880


3 files changed

+28
-0
lines changed


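--- a/web/src/main/java/org/springframework/security/web/authentication/www/BasicAuthenticationConverter.java
+++ b/web/src/main/java/org/springframework/security/web/authentication/www/BasicAuthenticationConverter.java
@@ -87,6 +87,10 @@ public UsernamePasswordAuthenticationToken convert(HttpServletRequest request) {
 return null;
 }
 
+if (header.equalsIgnoreCase(AUTHENTICATION_SCHEME_BASIC)) {
+throw new BadCredentialsException("Empty basic authentication token");
+}
+
 byte[] base64Token = header.substring(6).getBytes(StandardCharsets.UTF_8);
 byte[] decoded;
 try {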
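Review bot: The new guard compares the whole header to `AUTHENTICATION_SCHEME_BASIC`, so it only catches the no-token case if the header was already trimmed earlier in `convert` (that line is outside this hunk; the test's `"Basic "` with a trailing space presumably reaches the guard via a prior `trim()`), and without that coupling a bare `"Basic"` header falls through to `header.substring(6)` and throws StringIndexOutOfBoundsException, surfacing as a server error instead of an authentication failure. I would make the dependency explicit with a comment above the check: `// header is already trimmed, so a scheme with no token is exactly "Basic"; reject it here rather than let substring(6) below throw StringIndexOutOfBounds`. The literal `6` on the following line also duplicates `AUTHENTICATION_SCHEME_BASIC.length() + 1`; deriving it from the constant would keep the guard and the offset in step. `convert` starts and ends outside this hunk.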

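--- a/web/src/test/java/org/springframework/security/web/authentication/www/BasicAuthenticationConverterTests.java
+++ b/web/src/test/java/org/springframework/security/web/authentication/www/BasicAuthenticationConverterTests.java
@@ -111,4 +111,12 @@ public void convertWhenEmptyPassword() {
 assertThat(authentication.getName()).isEqualTo("rod");
 assertThat(authentication.getCredentials()).isEqualTo("");
 }
+
+@Test(expected = BadCredentialsException.class)
+public void requestWhenEmptyBasicAuthorizationHeaderTokenThenError() {
+MockHttpServletRequest request = new MockHttpServletRequest();
+request.addHeader("Authorization", "Basic ");
+converter.convert(request);
+}
+
 }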
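Review bot: The new test asserts only the exception type, so it would still pass if the request bypassed the new guard and was rejected further down `convert` by the decode or delimiter check, assuming those also raise BadCredentialsException; the message is what distinguishes the new path. Since the file already uses AssertJ, I would drop the `expected` attribute and assert `assertThatThrownBy(() -> converter.convert(request)).isInstanceOf(BadCredentialsException.class).hasMessage("Empty basic authentication token");`. A second case with the bare header `"Basic"` (no trailing space) and one with lower-case `"basic "` would pin both the length-5 input that previously reached `substring(6)` and the case-insensitive match the guard relies on. The enclosing test class starts outside this hunk.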

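--- a/web/src/test/java/org/springframework/security/web/authentication/www/BasicAuthenticationFilterTests.java
+++ b/web/src/test/java/org/springframework/security/web/authentication/www/BasicAuthenticationFilterTests.java
@@ -424,4 +424,20 @@ public void doFilterWhenTokenAndFilterCharsetDoNotMatchThenUnauthorized() throws
 assertThat(SecurityContextHolder.getContext().getAuthentication()).isNull();
 }
 
+@Test
+public void requestWhenEmptyBasicAuthorizationHeaderTokenThenUnauthorized() throws Exception {
+MockHttpServletRequest request = new MockHttpServletRequest();
+request.addHeader("Authorization", "Basic ");
+request.setServletPath("/some_file.html");
+request.setSession(new MockHttpSession());
+final MockHttpServletResponse response = new MockHttpServletResponse();
+
+FilterChain chain = mock(FilterChain.class);
+filter.doFilter(request, response, chain);
+verify(chain, never()).doFilter(any(ServletRequest.class),
+any(ServletResponse.class));
+assertThat(SecurityContextHolder.getContext().getAuthentication()).isNull();
+assertThat(response.getStatus()).isEqualTo(401);
+}
+
 }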
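Review bot: The test pins the 401 status, the untouched security context and the unreached chain, but not the challenge a client needs in order to retry; if `filter` is wired to the usual Basic entry point (its setup is outside this hunk), the 401 for an empty token should carry a `WWW-Authenticate: Basic realm=...` header, and `assertThat(response.getHeader("WWW-Authenticate")).startsWith("Basic realm=");` would catch a regression where this path produced a bare 401. The header value `"Basic "` with a trailing space is the only input exercised here; a bare `"Basic"` is the length-5 form that previously could reach `substring(6)` in the converter and is worth a case of its own. The enclosing test class starts outside this hunk.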
