Spring Security
SEC-1446

Malformed Base64 in Basic Authentication header causes BasicAuthenticationFilter to throw a RuntimeException

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 3.0.0, 3.0.1, 3.0.2
    • Fix Version/s: 3.1.0.M1
    • Component/s: Web
    • Labels:
      None

      Description

      Since Base64.decode throws a RuntimeException if it detects bad characters in the input string, org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter throws the RTE if the Authentication header contains malformed Base64. The effect is that http servers return 500 rather than 401.

      My fix just adds an additional check by calling Base64.isBase64, and if that fails, continues processing as if the Authentication header were missing.

        Activity

        Luke Taylor added a comment -

        Converted patch to attachment.

        Luke Taylor added a comment -

        I've made changes to treat an invalid header (either bad Base64 or an invalid token) as an authentication failure, which will generally result in the authentication entry point being invoked. Using Base64.isBase64() just decodes the encoded string an additional time which will not be necessary in most cases, so I've elected to trap the exception raised when the characters are invalid instead, throwing BadCredentialsException.

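The following is an added illustration of the failure mode in the description and of the strategy in the comment above (treat a bad header as an authentication failure instead of letting the exception escape). It is not Spring Security's code: java.util.Base64 stands in for Spring's own Base64 codec (both raise a RuntimeException on characters outside the alphabet), the class, enum and method names are this example's own, and the "before" and "after" outcomes are only a model of what the filter and the entry point would do with each result.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class BasicHeaderParsing {

    /** Outcome of inspecting an Authorization header (names are this example's, not Spring's). */
    public enum Outcome { NO_BASIC_HEADER, BAD_CREDENTIALS, OK }

    public static final class Result {
        public final Outcome outcome;
        public final String username;
        public final String password;

        Result(Outcome outcome, String username, String password) {
            this.outcome = outcome;
            this.username = username;
            this.password = password;
        }
    }

    /**
     * Pre-fix shape of the logic: Base64 and token errors escape as unchecked
     * exceptions, which the servlet container turns into a 500.
     */
    public static String[] naiveExtract(String header) {
        if (header == null || !header.startsWith("Basic ")) {
            return null; // no Basic credentials: the rest of the filter chain runs as normal
        }
        byte[] decoded = Base64.getDecoder().decode(header.substring(6)); // throws IllegalArgumentException on bad characters
        String token = new String(decoded, StandardCharsets.UTF_8);
        int delim = token.indexOf(':');
        // substring(0, -1) throws StringIndexOutOfBoundsException when ':' is absent (the "invalid token" case)
        return new String[] { token.substring(0, delim), token.substring(delim + 1) };
    }

    /**
     * Post-fix shape: a malformed header is reported as BAD_CREDENTIALS, which the
     * filter would wrap in a BadCredentialsException and hand to the entry point (401).
     */
    public static Result extract(String header) {
        if (header == null) {
            return new Result(Outcome.NO_BASIC_HEADER, null, null);
        }
        String trimmed = header.trim();
        if (!trimmed.regionMatches(true, 0, "Basic ", 0, 6)) {
            return new Result(Outcome.NO_BASIC_HEADER, null, null);
        }
        byte[] decoded;
        try {
            decoded = Base64.getDecoder().decode(trimmed.substring(6).trim());
        } catch (IllegalArgumentException e) {
            return new Result(Outcome.BAD_CREDENTIALS, null, null); // bad Base64: auth failure, not a 500
        }
        String token = new String(decoded, StandardCharsets.UTF_8);
        int delim = token.indexOf(':');
        if (delim < 0) {
            return new Result(Outcome.BAD_CREDENTIALS, null, null); // decodes, but is not user:password
        }
        return new Result(Outcome.OK, token.substring(0, delim), token.substring(delim + 1));
    }

    private static String basic(String userPass) {
        return "Basic " + Base64.getEncoder().encodeToString(userPass.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        // Constructed sample headers: a valid one, the SEC-1446 case, a decodable but invalid token, and none at all.
        String[] headers = { basic("alice:s3cret"), "Basic @@@not*base64@@@", basic("no-colon-here"), null };
        for (String h : headers) {
            String before;
            try {
                String[] parts = naiveExtract(h);
                before = parts == null ? "no header, chain continues" : "user=" + parts[0];
            } catch (RuntimeException e) {
                before = "500 (" + e.getClass().getSimpleName() + " escapes the filter)";
            }
            Result r = extract(h);
            String after = r.outcome == Outcome.OK ? "user=" + r.username
                    : r.outcome == Outcome.BAD_CREDENTIALS ? "401 (BadCredentialsException -> entry point)"
                    : "no header, chain continues";
            System.out.printf("%-40s before: %-52s after: %s%n", h, before, after);
        }
    }
}
```

Run with `javac BasicHeaderParsing.java && java BasicHeaderParsing`. The second and third headers are the ones that matter: both escape naiveExtract as a RuntimeException, while extract reports BAD_CREDENTIALS for each, so a client that sends garbage in the header gets the same 401 challenge it would get for a wrong password rather than a server error.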

          People

          • Assignee:
            Luke Taylor
          • Reporter:
            Hugh Winkler
          • Votes:
            0
          • Watchers:
            1
