Fix exception for empty basic auth header token

fixes spring-projectsgh-7976
6 years ago · 935c547dde
3 changed files with 28 additions and 0 deletions
--- a/web/src/main/java/org/springframework/security/web/authentication/www/BasicAuthenticationConverter.java
+++ b/web/src/main/java/org/springframework/security/web/authentication/www/BasicAuthenticationConverter.java
@ -87,6 +87,10 @@ public class BasicAuthenticationConverter implements AuthenticationConverter {
				@@ -87,6 +87,10 @@ public class BasicAuthenticationConverter implements AuthenticationConverter {
 			return null;
 		}

+		if (header.equalsIgnoreCase(AUTHENTICATION_SCHEME_BASIC)) {
+			throw new BadCredentialsException("Empty basic authentication token");
+		}
+
 		byte[] base64Token = header.substring(6).getBytes(StandardCharsets.UTF_8);
 		byte[] decoded;
 		try {
--- a/web/src/test/java/org/springframework/security/web/authentication/www/BasicAuthenticationConverterTests.java
+++ b/web/src/test/java/org/springframework/security/web/authentication/www/BasicAuthenticationConverterTests.java
@ -111,4 +111,12 @@ public class BasicAuthenticationConverterTests {
				@@ -111,4 +111,12 @@ public class BasicAuthenticationConverterTests {
 		assertThat(authentication.getName()).isEqualTo("rod");
 		assertThat(authentication.getCredentials()).isEqualTo("");
 	}
+
+	@Test(expected = BadCredentialsException.class)
+	public void requestWhenEmptyBasicAuthorizationHeaderTokenThenError() {
+		MockHttpServletRequest request = new MockHttpServletRequest();
+		request.addHeader("Authorization", "Basic ");
+		converter.convert(request);
+	}
+
 }
--- a/web/src/test/java/org/springframework/security/web/authentication/www/BasicAuthenticationFilterTests.java
+++ b/web/src/test/java/org/springframework/security/web/authentication/www/BasicAuthenticationFilterTests.java
@ -424,4 +424,20 @@ public class BasicAuthenticationFilterTests {
				@@ -424,4 +424,20 @@ public class BasicAuthenticationFilterTests {
 		assertThat(SecurityContextHolder.getContext().getAuthentication()).isNull();
 	}

+	@Test
+	public void requestWhenEmptyBasicAuthorizationHeaderTokenThenUnauthorized() throws Exception {
+		MockHttpServletRequest request = new MockHttpServletRequest();
+		request.addHeader("Authorization", "Basic ");
+		request.setServletPath("/some_file.html");
+		request.setSession(new MockHttpSession());
+		final MockHttpServletResponse response = new MockHttpServletResponse();
+
+		FilterChain chain = mock(FilterChain.class);
+		filter.doFilter(request, response, chain);
+		verify(chain, never()).doFilter(any(ServletRequest.class),
+				any(ServletResponse.class));
+		assertThat(SecurityContextHolder.getContext().getAuthentication()).isNull();
+		assertThat(response.getStatus()).isEqualTo(401);
+	}
+
 }