Merge pull request #3179 from ControlSystemStudio/native-http-client-fix

georgweiss · web-flow · commit f20616203d9e · 2024-10-29T14:47:09.000+01:00
Need URL encoding in username/password when authenticating with native HttpClient
diff --git a/app/save-and-restore/app/src/main/java/org/phoebus/applications/saveandrestore/authentication/SaveAndRestoreAuthenticationProvider.java b/app/save-and-restore/app/src/main/java/org/phoebus/applications/saveandrestore/authentication/SaveAndRestoreAuthenticationProvider.java
@@ -34,16 +34,18 @@
 public class SaveAndRestoreAuthenticationProvider implements ServiceAuthenticationProvider {
 
     @Override
-    public void authenticate(String username, String password){
+    public void authenticate(String username, String password) {
         SaveAndRestoreService saveAndRestoreService = SaveAndRestoreService.getInstance();
         try {
             UserData userData = saveAndRestoreService.authenticate(username, password);
             Logger.getLogger(SaveAndRestoreAuthenticationProvider.class.getName())
                     .log(Level.INFO, "User " + userData.getUserName() + " successfully signed in");
         } catch (Exception e) {
+            // NOTE!!! Exception message and/or stack trace could contain request URL and consequently
+            // user's password, so do not log or propagate it.
             Logger.getLogger(SaveAndRestoreAuthenticationProvider.class.getName())
-                    .log(Level.WARNING, "Failed to authenticate user " + username + " against save&restore service", e);
-            throw new RuntimeException(e);
+                    .log(Level.WARNING, "Failed to authenticate user " + username + " with save&restore service");
+            throw new RuntimeException("Failed to authenticate user " + username + " with save&restore service");
         }
     }
 
@@ -53,7 +55,7 @@ public void logout(String token) {
     }
 
     @Override
-    public AuthenticationScope getAuthenticationScope(){
+    public AuthenticationScope getAuthenticationScope() {
         return AuthenticationScope.SAVE_AND_RESTORE;
     }
 
diff --git a/app/save-and-restore/app/src/main/java/org/phoebus/applications/saveandrestore/client/SaveAndRestoreClientImpl.java b/app/save-and-restore/app/src/main/java/org/phoebus/applications/saveandrestore/client/SaveAndRestoreClientImpl.java
@@ -34,9 +34,11 @@
 import java.net.CookieManager;
 import java.net.CookiePolicy;
 import java.net.URI;
+import java.net.URLEncoder;
 import java.net.http.HttpClient;
 import java.net.http.HttpRequest;
 import java.net.http.HttpResponse;
+import java.nio.charset.StandardCharsets;
 import java.time.Duration;
 import java.util.Base64;
 import java.util.List;
@@ -582,9 +584,9 @@ public List<Node> deleteTag(TagData tagData) {
     public UserData authenticate(String userName, String password) {
         String stringBuilder = Preferences.jmasarServiceUrl +
                 "/login?username=" +
-                userName +
+                URLEncoder.encode(userName, StandardCharsets.UTF_8) +
                 "&password=" +
-                password;
+                URLEncoder.encode(password, StandardCharsets.UTF_8);
         HttpRequest request = HttpRequest.newBuilder()
                 .uri(URI.create(stringBuilder))
                 .POST(HttpRequest.BodyPublishers.noBody())
