From 4dee333a75121f4f6ceb4f62e2da4744a6fda2c6 Mon Sep 17 00:00:00 2001
From: Norman Soetbeer
Date: Wed, 25 Oct 2017 21:28:07 +0200
Subject: [PATCH] Allow empty usernames for BasicAuth
The RFCs around basic authentication don't explicitly disallow empty usernames. On the other hand usernames containing colons are, as colons are used to separate the username from the password.
---
 .../support/BasicAuthorizationInterceptor.java | 6 +++---
 .../BasicAuthorizationInterceptorTests.java | 14 +++++++-------
 2 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/spring-web/src/main/java/org/springframework/http/client/support/BasicAuthorizationInterceptor.java b/spring-web/src/main/java/org/springframework/http/client/support/BasicAuthorizationInterceptor.java
index 5ebb76a3a61..b29a412732c 100644
--- a/spring-web/src/main/java/org/springframework/http/client/support/BasicAuthorizationInterceptor.java
+++ b/spring-web/src/main/java/org/springframework/http/client/support/BasicAuthorizationInterceptor.java
@@ -46,9 +46,9 @@ public class BasicAuthorizationInterceptor implements ClientHttpRequestIntercept
 * @param username the username to use
 * @param password the password to use
 */
- public BasicAuthorizationInterceptor(String username, @Nullable String password) {
- Assert.hasLength(username, "Username must not be empty");
- this.username = username;
+ public BasicAuthorizationInterceptor(@Nullable String username, @Nullable String password) {
+ Assert.doesNotContain(username, ":", "Username must not contain a colon");
+ this.username = (username != null ? username : "");
 this.password = (password != null ? password : "");
 }
diff --git a/spring-web/src/test/java/org/springframework/http/client/support/BasicAuthorizationInterceptorTests.java b/spring-web/src/test/java/org/springframework/http/client/support/BasicAuthorizationInterceptorTests.java
index ce96460dc0c..844fd8aa929 100644
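Review bot: The Javadoc kept as context above the constructor still reads `@param username the username to use`, although the new signature takes `@Nullable String username` and rejects colons. I would document the new contract there, e.g. `@param username the username to use (may be {@code null} or empty; must not contain a colon)` together with `@throws IllegalArgumentException if the username contains a colon`. Because `this.username = (username != null ? username : "")` replaces the old `Assert.hasLength` check, a username that is unset by mistake (for example an unresolved configuration value) no longer fails at construction and is instead sent as an empty user-id; callers that relied on the fail-fast behaviour now need their own check, and the Javadoc should say so. The Javadoc block starts above the hunk.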
--- a/spring-web/src/test/java/org/springframework/http/client/support/BasicAuthorizationInterceptorTests.java
+++ b/spring-web/src/test/java/org/springframework/http/client/support/BasicAuthorizationInterceptorTests.java
@@ -43,17 +43,17 @@ public class BasicAuthorizationInterceptorTests {
 public ExpectedException thrown = ExpectedException.none();
 @Test
- public void createWhenUsernameIsNullShouldThrowException() {
+ public void createWhenUsernameContainsColonShouldThrowException() {
 this.thrown.expect(IllegalArgumentException.class);
- this.thrown.expectMessage("Username must not be empty");
- new BasicAuthorizationInterceptor(null, "password");
+ this.thrown.expectMessage("Username must not contain a colon");
+ new BasicAuthorizationInterceptor("username:", "password");
 }
 @Test
- public void createWhenUsernameIsEmptyShouldThrowException() throws Exception {
- this.thrown.expect(IllegalArgumentException.class);
- this.thrown.expectMessage("Username must not be empty");
- new BasicAuthorizationInterceptor("", "password");
+ public void createWhenUsernameIsNullShouldUseEmptyUsername() throws Exception {
+ BasicAuthorizationInterceptor interceptor = new BasicAuthorizationInterceptor(
+ null, "password");
+ assertEquals("", new DirectFieldAccessor(interceptor).getPropertyValue("username"));
 }
 @Test
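Review bot: The removed `createWhenUsernameIsEmptyShouldThrowException` gets no counterpart in this hunk, so the case named in the commit title, an empty-string username being accepted, is not tested; only `null` is. I would add a sibling test that constructs `new BasicAuthorizationInterceptor("", "password")` and asserts the `username` field equals `""`. The colon test uses only a trailing colon (`"username:"`); a second input with the colon in the middle of the value would pin the check as a contains-check. Both new tests inspect the private field through `DirectFieldAccessor`; if no other test in the class (outside this hunk) does so already, asserting on the `Authorization` header produced for an empty username would verify what is actually sent.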