AbstractHTTPDestination not properly handling zero-length passwords in Basic
Authorization header
--------------------------------------------------------------------------------------------------
Key: CXF-1495
URL: https://issues.apache.org/jira/browse/CXF-1495
Project: CXF
Issue Type: Bug
Components: Transports
Environment: Snapshot 30 Jan, 2008
Reporter: Chris Wolf
Priority: Minor
When deploying the CXF servlet to a Siteminder-protected web app, Siteminder
will modify the Basic Authorization
header and blank out the password since subsequent requests are already
authenticated via the encrypted
Siteminder cookie. Zero-length passwords in the Basic Authorization headers
are permitted per RFC-2617:
http://www.rfc.net/rfc2617.html#p5
The symptom is the following stack trace:
java.lang.ArrayIndexOutOfBoundsException: 1
org.apache.cxf.transport.http.AbstractHTTPDestination.setHeaders(AbstractHTTPDestination.java:137)
org.apache.cxf.transport.http.AbstractHTTPDestination.setupMessage(AbstractHTTPDestination.java:286)
org.apache.cxf.transport.servlet.ServletDestination.invoke(ServletDestination.java:82)
org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:213)
org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:150)
org.apache.cxf.transport.servlet.AbstractCXFServlet.invoke(AbstractCXFServlet.java:170)
org.apache.cxf.transport.servlet.AbstractCXFServlet.doPost(AbstractCXFServlet.java:148)
javax.servlet.http.HttpServlet.service(HttpServlet.java:709)
javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
The fix is to change one line in:
org.apache.cxf.transport.http.AbstractHTTPDestination, line 137 (snapshot
2008-01-30)
Change the line from:
String password = authInfo[1];
...to:
String password = (authInfo.length>1?authInfo[1]:"");
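The following is an added example, not code from the CXF project or from the reporter, illustrating why the original line fails and what the proposed guard changes. The root cause is that Java's String.split discards trailing empty strings, so the decoded credentials "user:" split on ":" yield a one-element array and index 1 is out of bounds. The class name BasicAuthParse, the helper method names and the use of java.util.Base64 (Java 8+) are assumptions for this example; the third parser goes beyond the page's one-line fix by splitting on the first colon only, which RFC 2617 permits since the user-id may not contain a colon but the password may.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

// Added example (not CXF's own code): parsing the credentials of a Basic
// Authorization header with and without the zero-length password guard.
public class BasicAuthParse {

    // Mirrors the shape of the failing line: split(":") on "user:" returns
    // ["user"] because Java drops trailing empty strings, so authInfo[1]
    // throws ArrayIndexOutOfBoundsException: 1.
    static String[] parseUnguarded(String authorizationHeader) {
        String[] authInfo = decodeCredentials(authorizationHeader).split(":");
        String userName = authInfo[0];
        String password = authInfo[1];
        return new String[] {userName, password};
    }

    // The guarded form proposed in the issue: an absent element means an
    // empty password, which RFC 2617 allows.
    static String[] parseGuarded(String authorizationHeader) {
        String[] authInfo = decodeCredentials(authorizationHeader).split(":");
        String userName = authInfo[0];
        String password = (authInfo.length > 1 ? authInfo[1] : "");
        return new String[] {userName, password};
    }

    // Generalised variant (beyond the page's fix): split on the first ':' only,
    // so a password that itself contains ':' is kept intact and an empty
    // user-id (":secret") does not hit an empty array either.
    static String[] parseFirstColon(String authorizationHeader) {
        String decoded = decodeCredentials(authorizationHeader);
        int idx = decoded.indexOf(':');
        if (idx < 0) {
            throw new IllegalArgumentException("credentials lack the ':' separator");
        }
        return new String[] {decoded.substring(0, idx), decoded.substring(idx + 1)};
    }

    // Strips the "Basic " scheme and base64-decodes the user-id:password pair.
    private static String decodeCredentials(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) {
            throw new IllegalArgumentException("not a Basic Authorization header");
        }
        byte[] raw = Base64.getDecoder().decode(header.substring(6).trim());
        return new String(raw, StandardCharsets.ISO_8859_1);
    }

    private static String basicHeader(String credentials) {
        return "Basic " + Base64.getEncoder()
                .encodeToString(credentials.getBytes(StandardCharsets.ISO_8859_1));
    }

    public static void main(String[] args) {
        // Constructed sample: what a proxy that blanks the password would send.
        String blankPassword = basicHeader("user:");
        try {
            parseUnguarded(blankPassword);
        } catch (ArrayIndexOutOfBoundsException e) {
            System.out.println("unguarded: " + e);
        }
        String[] g = parseGuarded(blankPassword);
        System.out.println("guarded:     user=" + g[0] + " password=\"" + g[1] + "\"");

        // Constructed sample with a colon inside the password.
        String[] f = parseFirstColon(basicHeader("user:pa:ss"));
        System.out.println("first-colon: user=" + f[0] + " password=\"" + f[1] + "\"");
    }
}
```

Running main shows the unguarded parser throwing on the blanked password, the guarded parser returning an empty string, and the first-colon parser preserving "pa:ss", where split(":") would have returned only "pa".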