Merge remote-tracking branch ppkarwasz/basic-auth into 2.x (#1970)

Author: vy

log4j-core/src/main/java/org/apache/logging/log4j/core/util/BasicAuthorizationProvider.java

@@ -16,10 +16,13 @@
  */
 package org.apache.logging.log4j.core.util;
 
+import static java.nio.charset.StandardCharsets.UTF_8;
+
 import java.net.URLConnection;
+import java.nio.charset.Charset;
+import java.util.Base64;
 import org.apache.logging.log4j.Logger;
 import org.apache.logging.log4j.status.StatusLogger;
-import org.apache.logging.log4j.util.Base64Util;
 import org.apache.logging.log4j.util.LoaderUtil;
 import org.apache.logging.log4j.util.PropertiesUtil;
 
@@ -34,6 +37,11 @@ public class BasicAuthorizationProvider implements AuthorizationProvider {
     public static final String CONFIG_USER_NAME = "log4j2.configurationUserName";
     public static final String CONFIG_PASSWORD = "log4j2.configurationPassword";
     public static final String PASSWORD_DECRYPTOR = "log4j2.passwordDecryptor";
+    /*
+     * Properties used to specify the encoding in HTTP Basic Authentication
+     */
+    private static final String BASIC_AUTH_ENCODING = "log4j2.configurationAuthorizationEncoding";
+    private static final String SPRING_BASIC_AUTH_ENCODING = "logging.auth.encoding";
 
     private static final Logger LOGGER = StatusLogger.getLogger();
 
@@ -46,6 +54,11 @@ public BasicAuthorizationProvider(final PropertiesUtil props) {
                 props.getStringProperty(PREFIXES, AUTH_PASSWORD, () -> props.getStringProperty(CONFIG_PASSWORD));
         final String decryptor = props.getStringProperty(
                 PREFIXES, AUTH_PASSWORD_DECRYPTOR, () -> props.getStringProperty(PASSWORD_DECRYPTOR));
+        // Password encoding
+        Charset passwordCharset = props.getCharsetProperty(BASIC_AUTH_ENCODING);
+        if (passwordCharset == null) {
+            props.getCharsetProperty(SPRING_BASIC_AUTH_ENCODING, UTF_8);
+        }
         if (decryptor != null) {
             try {
                 final Object obj = LoaderUtil.newInstanceOf(decryptor);
@@ -57,7 +70,13 @@ public BasicAuthorizationProvider(final PropertiesUtil props) {
             }
         }
         if (userName != null && password != null) {
-            authString = "Basic " + Base64Util.encode(userName + ":" + password);
+            /*
+             * https://datatracker.ietf.org/doc/html/rfc7617#appendix-B
+             *
+             * If the user didn't specify a charset to use, we fallback to UTF-8
+             */
+            authString = "Basic "
+                    + Base64.getEncoder().encodeToString((userName + ":" + password).getBytes(passwordCharset));
         }
     }
 

src/changelog/.2.x.x/change_basic_auth_encoding.xml

@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<entry xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+       xmlns="http://logging.apache.org/log4j/changelog"
+       xsi:schemaLocation="http://logging.apache.org/log4j/changelog https://logging.apache.org/log4j/changelog-0.1.2.xsd"
+       type="changed">
+  <issue id="1970" link="https://github.com/apache/logging-log4j2/issues/1970"/>
+  <description format="asciidoc">
+    Change default encoding of HTTP Basic Authentication to UTF-8 and add `log4j2.configurationAuthorizationEncoding` property to overwrite it.
+  </description>
+</entry>

src/site/_release-notes/_2.x.x.adoc

@@ -47,6 +47,7 @@ The module name of four bridges (`log4j-slf4j-impl`, `log4j-slf4j2-impl`, `log4j
 === Changed
 
 * Change the order of evaluation of `FormattedMessage` formatters. Messages are evaluated using `java.util.Format` only if they don't comply to the `java.text.MessageFormat` or `ParameterizedMessage` format. (https://github.com/apache/logging-log4j2/issues/1223[1223])
+* Change default encoding of HTTP Basic Authentication to UTF-8 and add `log4j2.configurationAuthorizationEncoding` property to overwrite it. (https://github.com/apache/logging-log4j2/issues/1970[1970])
 * Update `com.fasterxml.jackson:jackson-bom` to version `2.16.0` (https://github.com/apache/logging-log4j2/pull/1974[1974])
 * Update `com.github.luben:zstd-jni` to version `1.5.5-10` (https://github.com/apache/logging-log4j2/pull/1940[1940])
 * Update `com.google.guava:guava` to version `32.1.3-jre` (https://github.com/apache/logging-log4j2/pull/1875[1875])

src/site/markdown/log4j-spring-cloud-config-client.md

@@ -66,7 +66,8 @@ the alternatives may be used in any configuration location.
 |----------|---------|---------|---------|
 | log4j2.configurationUserName | log4j2.config.username | logging.auth.username | User name for basic authentication |
 | log4j2.configurationPassword | log4j2.config.password | logging.auth.password | Password for basic authentication |
-| log4j2.authorizationProvider | log4j2.config.authorizationProvider | logging.auth.authorizationProvider | Class used to create HTTP Authorization header |
+| log4j2.configurationAuthorizationEncoding | | logging.auth.encoding | Encoding for basic authentication (defaults to UTF-8) |
+| log4j2.configurationAuthorizationProvider | log4j2.config.authorizationProvider | logging.auth.authorizationProvider | Class used to create HTTP Authorization header |
 
 ```
 log4j2.configurationUserName=guest

src/site/xdoc/manual/configuration.xml.vm

@@ -2127,6 +2127,14 @@ public class AwesomeTest {
       "https, file, jar". To completely prevent accessing the configuration via a URL specify a value of "_none".
     </td>
   </tr>
+  <tr>
+    <td><a name="log4j2.configurationAuthorizationEncoding"/>log4j2.configurationAuthorizationEncoding</td>
+    <td>LOG4J_CONFIGURATION_AUTHORIZATION_ENCODING</td>
+    <td>UTF-8</td>
+    <td>
+      The encoding used in Basic Authentication (cf. <a href="https://datatracker.ietf.org/doc/html/rfc7617">RFC 7617</a>).
+    </td>
+  </tr>
   <tr>
     <td><a name="configurationAuthorizationProvider"/>log4j2.Configuration.authorizationProvider
       <br />