Merge pull request #4375 from evolvedbinary/hotfix/http-bearer-auth

dizzzz · web-flow · commit 42e2c186baff · 2022-05-03T22:27:34.000+02:00
Do not override Bearer Authentication with Basic Authentication
diff --git a/exist-core/src/main/java/org/exist/http/servlets/AbstractExistHttpServlet.java b/exist-core/src/main/java/org/exist/http/servlets/AbstractExistHttpServlet.java
@@ -246,9 +246,9 @@ protected Subject authenticate(HttpServletRequest request, HttpServletResponse r
 	        }
         }
 
-        // Secondly try basic authentication
+        // Secondly try basic authentication if there is no Authorization header or the Authorization header does not indicate Basic auth
         final String auth = request.getHeader("Authorization");
-        if (auth == null && getDefaultUser() != null) {
+        if ((auth == null || !auth.toLowerCase().startsWith("basic ")) && getDefaultUser() != null) {
             return getDefaultUser();
         }
         return getAuthenticator().authenticate(request, response, true);
diff --git a/exist-core/src/main/java/org/exist/http/servlets/BasicAuthenticator.java b/exist-core/src/main/java/org/exist/http/servlets/BasicAuthenticator.java
@@ -61,16 +61,16 @@ public Subject authenticate(
 		String password = null;
 
 		try {
-			if (credentials != null && credentials.startsWith("Basic")) {
-				final byte[] c = Base64.decodeBase64(credentials.substring("Basic ".length()));
+			if (credentials != null && credentials.toLowerCase().startsWith("basic ")) {
+				final byte[] c = Base64.decodeBase64(credentials.substring("basic ".length()));
 				final String s = new String(c, UTF_8);
 				// LOG.debug("BASIC auth credentials: "+s);
 				final int p = s.indexOf(':');
 				username = p < 0 ? s : s.substring(0, p);
 				password = p < 0 ? null : s.substring(p + 1);
 			}
 		} catch(final IllegalArgumentException iae) {
-			LOG.warn("Invalid BASIC authentication header received: {}", iae.getMessage(), iae);
+			LOG.warn("Invalid Basic Authentication header received: {}", iae.getMessage(), iae);
 			credentials = null;
 		}
 
diff --git a/exist-core/src/main/java/org/exist/http/urlrewrite/XQueryURLRewrite.java b/exist-core/src/main/java/org/exist/http/urlrewrite/XQueryURLRewrite.java
@@ -179,7 +179,7 @@ protected void service(final HttpServletRequest request, final HttpServletRespon
         } else {
             // Secondly try basic authentication
             final String auth = request.getHeader("Authorization");
-            if (auth != null) {
+            if (auth != null && auth.toLowerCase().startsWith("basic ")) {
                 requestUser = authenticator.authenticate(request, response, sendChallenge);
                 if (requestUser != null) {
                     user = requestUser;
diff --git a/exist-core/src/test/java/org/exist/http/RESTServiceTest.java b/exist-core/src/test/java/org/exist/http/RESTServiceTest.java

Original file line number	Diff line number	Diff line change
`@@ -246,9 +246,9 @@ protected Subject authenticate(HttpServletRequest request, HttpServletResponse r`
`246`	`246`	`}`
`247`	`247`	`}`
`248`	`248`
`249`		`- // Secondly try basic authentication`
	`249`	`+ // Secondly try basic authentication if there is no Authorization header or the Authorization header does not indicate Basic auth`
`250`	`250`	`final String auth = request.getHeader("Authorization");`
`251`		`- if (auth == null && getDefaultUser() != null) {`
	`251`	`+ if ((auth == null \|\| !auth.toLowerCase().startsWith("basic ")) && getDefaultUser() != null) {`
`252`	`252`	`return getDefaultUser();`
`253`	`253`	`}`
`254`	`254`	`return getAuthenticator().authenticate(request, response, true);`