Skip to content

BasicAuthenticationFilter ignores credentials charset #7835

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
peterkeller opened this issue Jan 16, 2020 · 1 comment · Fixed by #7846
Closed

BasicAuthenticationFilter ignores credentials charset #7835

peterkeller opened this issue Jan 16, 2020 · 1 comment · Fixed by #7846
Labels
status: backported An issue that has been backported to maintenance branches status: first-timers-only An issue that can only be worked on by brand new contributors type: bug A general bug
Milestone
5.3.0.RC1

Comments

@peterkeller
Copy link
Contributor

Summary

BasicAuthenticationConverter in BasicAuthenticationFilter ignores given credentials charset.

Actual Behavior

We try to override the credential charset using an ObjectPostProcessor:

httpSecurity
     .httpBasic()
     .addObjectPostProcessor(
          new ObjectPostProcessor<BasicAuthenticationFilter>() {
               @Override
                public <O extends BasicAuthenticationFilter> O postProcess(O filter) {
                    filter.setCredentialsCharset("ISO-8859-1"); // <-- try to override default charset
                    return filter;
                }
           }
      );

Actual implementation of BasicAuthenticationFilter#setCredentialsCharset:

public void setCredentialsCharset(String credentialsCharset) {
    Assert.hasText(credentialsCharset, "credentialsCharset cannot be null or empty");
    this.credentialsCharset = credentialsCharset;
}

However, the given credentialCharset is never used in BasicAuthenticationFilter and especially not in BasicAuthenticationFilter#BasicAuthenticationConverter. So, the token is read with the default charset UTF-8 and not as needed with ISO-8859-1.

Expected Behavior

Corrected BasicAuthenticationFilter#setCredentialsCharset:

public void setCredentialsCharset(String credentialsCharset) {
    Assert.hasText(credentialsCharset, "credentialsCharset cannot be null or empty");
    this.credentialsCharset = credentialsCharset; // <-- is never used
    authenticationConverter.setCredentialsCharset(credentialsCharset); // <-- bugfix
}

Version

v5.2.0 - v5.2.1
@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Jan 16, 2020
@fhanik fhanik added status: first-timers-only An issue that can only be worked on by brand new contributors type: bug A general bug and removed status: waiting-for-triage An issue we've not yet triaged labels Jan 16, 2020
@fhanik
Copy link
Contributor

fhanik commented Jan 16, 2020

Thank you for the report. This is great starting contribution opportunity.

Add a test case to BasicAuthenticationFilterTests.
You can use ReflectionTestUtils to see the value of the filter.authenticationConverter.credentialsCharset field.

@fhanik fhanik added this to the 5.3.0.RC1 milestone Jan 16, 2020
@peterkeller peterkeller mentioned this issue Jan 18, 2020
Merged
eleftherias pushed a commit that referenced this issue Jan 23, 2020
@peterkeller @eleftherias
Set charset of BasicAuthenticationFilter converter
e62fb75 
Allow BasicAuthenticationFilter to pick up the given credentials charset.

Fixes: gh-7835
eleftherias pushed a commit that referenced this issue Jan 23, 2020
@peterkeller @eleftherias
Set charset of BasicAuthenticationFilter converter
2dbedf7 
Allow BasicAuthenticationFilter to pick up the given credentials charset.

Fixes: gh-7835
@spring-projects-issues spring-projects-issues added the status: backported An issue that has been backported to maintenance branches label Jan 23, 2020
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
status: backported An issue that has been backported to maintenance branches status: first-timers-only An issue that can only be worked on by brand new contributors type: bug A general bug
Projects
None yet
Milestone
5.3.0.RC1
Development

Successfully merging a pull request may close this issue.

Set credentials charset of authentication converter peterkeller/spring-security
3 participants
@fhanik @peterkeller @spring-projects-issues