| /* |
| * Licensed to the Apache Software Foundation (ASF) under one or more |
| * contributor license agreements. See the NOTICE file distributed with |
| * this work for additional information regarding copyright ownership. |
| * The ASF licenses this file to You under the Apache License, Version 2.0 |
| * (the "License"); you may not use this file except in compliance with |
| * the License. You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, software |
| * distributed under the License is distributed on an "AS IS" BASIS, |
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| * See the License for the specific language governing permissions and |
| * limitations under the License. |
| */ |
| package org.apache.catalina.authenticator; |
| |
| import java.io.IOException; |
| import java.nio.charset.StandardCharsets; |
| |
| import org.junit.Assert; |
| import org.junit.Test; |
| |
| import org.apache.tomcat.util.buf.ByteChunk; |
| import org.apache.tomcat.util.codec.binary.Base64; |
| |
| /** |
| * Test the BasicAuthenticator's BasicCredentials inner class and the |
| * associated Base64 decoder. |
| */ |
| public class TestBasicAuthParser { |
| |
| private static final String NICE_METHOD = "Basic"; |
| private static final String USER_NAME = "userid"; |
| private static final String PASSWORD = "secret"; |
| |
| /* |
| * test cases with good BASIC Auth credentials - Base64 strings |
| * can have zero, one or two trailing pad characters |
| */ |
| @Test |
| public void testGoodCredentials() throws Exception { |
| final BasicAuthHeader AUTH_HEADER = |
| new BasicAuthHeader(NICE_METHOD, USER_NAME, PASSWORD); |
| BasicAuthenticator.BasicCredentials credentials = |
| new BasicAuthenticator.BasicCredentials( |
| AUTH_HEADER.getHeader()); |
| Assert.assertEquals(USER_NAME, credentials.getUsername()); |
| Assert.assertEquals(PASSWORD, credentials.getPassword()); |
| } |
| |
| @Test |
| public void testGoodCredentialsNoPassword() throws Exception { |
| final BasicAuthHeader AUTH_HEADER = |
| new BasicAuthHeader(NICE_METHOD, USER_NAME, null); |
| BasicAuthenticator.BasicCredentials credentials = |
| new BasicAuthenticator.BasicCredentials( |
| AUTH_HEADER.getHeader()); |
| Assert.assertEquals(USER_NAME, credentials.getUsername()); |
| Assert.assertNull(credentials.getPassword()); |
| } |
| |
| @Test |
| public void testGoodCrib() throws Exception { |
| final String BASE64_CRIB = "dXNlcmlkOnNlY3JldA=="; |
| final BasicAuthHeader AUTH_HEADER = |
| new BasicAuthHeader(NICE_METHOD, BASE64_CRIB); |
| BasicAuthenticator.BasicCredentials credentials = |
| new BasicAuthenticator.BasicCredentials( |
| AUTH_HEADER.getHeader()); |
| Assert.assertEquals(USER_NAME, credentials.getUsername()); |
| Assert.assertEquals(PASSWORD, credentials.getPassword()); |
| } |
| |
| @Test |
| public void testGoodCribUserOnly() throws Exception { |
| final String BASE64_CRIB = "dXNlcmlk"; |
| final BasicAuthHeader AUTH_HEADER = |
| new BasicAuthHeader(NICE_METHOD, BASE64_CRIB); |
| BasicAuthenticator.BasicCredentials credentials = |
| new BasicAuthenticator.BasicCredentials( |
| AUTH_HEADER.getHeader()); |
| Assert.assertEquals(USER_NAME, credentials.getUsername()); |
| Assert.assertNull(credentials.getPassword()); |
| } |
| |
| @Test |
| public void testGoodCribOnePad() throws Exception { |
| final String PASSWORD1 = "secrets"; |
| final String BASE64_CRIB = "dXNlcmlkOnNlY3JldHM="; |
| final BasicAuthHeader AUTH_HEADER = |
| new BasicAuthHeader(NICE_METHOD, BASE64_CRIB); |
| BasicAuthenticator.BasicCredentials credentials = |
| new BasicAuthenticator.BasicCredentials( |
| AUTH_HEADER.getHeader()); |
| Assert.assertEquals(USER_NAME, credentials.getUsername()); |
| Assert.assertEquals(PASSWORD1, credentials.getPassword()); |
| } |
| |
| /* |
| * RFC 2045 says the Base64 encoded string should be represented |
| * as lines of no more than 76 characters. However, RFC 2617 |
| * says a base64-user-pass token is not limited to 76 char/line. |
| * It also says all line breaks, including mandatory ones, |
| * should be ignored during decoding. |
| * This test case has a line break in the Base64 string. |
| * (See also testGoodCribBase64Big below). |
| */ |
| @Test |
| public void testGoodCribLineWrap() throws Exception { |
| final String USER_LONG = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" |
| + "abcdefghijklmnopqrstuvwxyz0123456789+/AAAABBBBCCCC" |
| + "DDDD"; // 80 characters |
| final String BASE64_CRIB = "QUJDREVGR0hJSktMTU5PUFFSU1RVVldY" |
| + "WVphYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5ejAxMjM0" |
| + "\n" + "NTY3ODkrL0FBQUFCQkJCQ0NDQ0REREQ="; |
| final BasicAuthHeader AUTH_HEADER = |
| new BasicAuthHeader(NICE_METHOD, BASE64_CRIB); |
| BasicAuthenticator.BasicCredentials credentials = |
| new BasicAuthenticator.BasicCredentials( |
| AUTH_HEADER.getHeader()); |
| Assert.assertEquals(USER_LONG, credentials.getUsername()); |
| } |
| |
| /* |
| * RFC 2045 says the Base64 encoded string should be represented |
| * as lines of no more than 76 characters. However, RFC 2617 |
| * says a base64-user-pass token is not limited to 76 char/line. |
| */ |
| @Test |
| public void testGoodCribBase64Big() throws Exception { |
| // Our decoder accepts a long token without complaint. |
| final String USER_LONG = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" |
| + "abcdefghijklmnopqrstuvwxyz0123456789+/AAAABBBBCCCC" |
| + "DDDD"; // 80 characters |
| final String BASE64_CRIB = "QUJDREVGR0hJSktMTU5PUFFSU1RVVldY" |
| + "WVphYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5ejAxMjM0" |
| + "NTY3ODkrL0FBQUFCQkJCQ0NDQ0REREQ="; // no new line |
| final BasicAuthHeader AUTH_HEADER = |
| new BasicAuthHeader(NICE_METHOD, BASE64_CRIB); |
| BasicAuthenticator.BasicCredentials credentials = |
| new BasicAuthenticator.BasicCredentials( |
| AUTH_HEADER.getHeader()); |
| Assert.assertEquals(USER_LONG, credentials.getUsername()); |
| } |
| |
| |
| /* |
| * verify the parser follows RFC2617 by treating the auth-scheme |
| * token as case-insensitive. |
| */ |
| @Test |
| public void testAuthMethodCaseBasic() throws Exception { |
| final String METHOD = "bAsIc"; |
| final BasicAuthHeader AUTH_HEADER = |
| new BasicAuthHeader(METHOD, USER_NAME, PASSWORD); |
| BasicAuthenticator.BasicCredentials credentials = |
| new BasicAuthenticator.BasicCredentials( |
| AUTH_HEADER.getHeader()); |
| Assert.assertEquals(USER_NAME, credentials.getUsername()); |
| Assert.assertEquals(PASSWORD, credentials.getPassword()); |
| } |
| |
| /* |
| * Confirm the Basic parser rejects an invalid authentication method. |
| */ |
| @Test |
| public void testAuthMethodBadMethod() throws Exception { |
| final String METHOD = "BadMethod"; |
| final BasicAuthHeader AUTH_HEADER = |
| new BasicAuthHeader(METHOD, USER_NAME, PASSWORD); |
| @SuppressWarnings("unused") |
| BasicAuthenticator.BasicCredentials credentials = null; |
| try { |
| credentials = new BasicAuthenticator.BasicCredentials( |
| AUTH_HEADER.getHeader()); |
| Assert.fail("IllegalArgumentException expected"); |
| } |
| catch (Exception e) { |
| Assert.assertTrue(e instanceof IllegalArgumentException); |
| Assert.assertTrue(e.getMessage().contains("header method")); |
| } |
| } |
| |
| /* |
| * Confirm the Basic parser tolerates excess white space after |
| * the authentication method. |
| * |
| * RFC2617 does not define the separation syntax between the auth-scheme |
| * and basic-credentials tokens. Tomcat tolerates any amount of white |
| * (within the limits of HTTP header sizes). |
| */ |
| @Test |
| public void testAuthMethodExtraLeadingSpace() throws Exception { |
| final BasicAuthHeader AUTH_HEADER = |
| new BasicAuthHeader(NICE_METHOD + " ", USER_NAME, PASSWORD); |
| final BasicAuthenticator.BasicCredentials credentials = |
| new BasicAuthenticator.BasicCredentials( |
| AUTH_HEADER.getHeader()); |
| Assert.assertEquals(USER_NAME, credentials.getUsername()); |
| Assert.assertEquals(PASSWORD, credentials.getPassword()); |
| } |
| |
| |
| /* |
| * invalid decoded credentials cases |
| */ |
| @Test |
| public void testWrongPassword() throws Exception { |
| final String PWD_WRONG = "wrong"; |
| final BasicAuthHeader AUTH_HEADER = |
| new BasicAuthHeader(NICE_METHOD, USER_NAME, PWD_WRONG); |
| BasicAuthenticator.BasicCredentials credentials = |
| new BasicAuthenticator.BasicCredentials( |
| AUTH_HEADER.getHeader()); |
| Assert.assertEquals(USER_NAME, credentials.getUsername()); |
| Assert.assertNotSame(PASSWORD, credentials.getPassword()); |
| } |
| |
| @Test |
| public void testMissingUsername() throws Exception { |
| final String EMPTY_USER_NAME = ""; |
| final BasicAuthHeader AUTH_HEADER = |
| new BasicAuthHeader(NICE_METHOD, EMPTY_USER_NAME, PASSWORD); |
| BasicAuthenticator.BasicCredentials credentials = |
| new BasicAuthenticator.BasicCredentials( |
| AUTH_HEADER.getHeader()); |
| Assert.assertEquals(EMPTY_USER_NAME, credentials.getUsername()); |
| Assert.assertEquals(PASSWORD, credentials.getPassword()); |
| } |
| |
| @Test |
| public void testShortUsername() throws Exception { |
| final String SHORT_USER_NAME = "a"; |
| final BasicAuthHeader AUTH_HEADER = |
| new BasicAuthHeader(NICE_METHOD, SHORT_USER_NAME, PASSWORD); |
| BasicAuthenticator.BasicCredentials credentials = |
| new BasicAuthenticator.BasicCredentials( |
| AUTH_HEADER.getHeader()); |
| Assert.assertEquals(SHORT_USER_NAME, credentials.getUsername()); |
| Assert.assertEquals(PASSWORD, credentials.getPassword()); |
| } |
| |
| @Test |
| public void testShortPassword() throws Exception { |
| final String SHORT_PASSWORD = "a"; |
| final BasicAuthHeader AUTH_HEADER = |
| new BasicAuthHeader(NICE_METHOD, USER_NAME, SHORT_PASSWORD); |
| BasicAuthenticator.BasicCredentials credentials = |
| new BasicAuthenticator.BasicCredentials( |
| AUTH_HEADER.getHeader()); |
| Assert.assertEquals(USER_NAME, credentials.getUsername()); |
| Assert.assertEquals(SHORT_PASSWORD, credentials.getPassword()); |
| } |
| |
| @Test |
| public void testPasswordHasSpaceEmbedded() throws Exception { |
| final String PASSWORD_SPACE = "abc def"; |
| final BasicAuthHeader AUTH_HEADER = |
| new BasicAuthHeader(NICE_METHOD, USER_NAME, PASSWORD_SPACE); |
| BasicAuthenticator.BasicCredentials credentials = |
| new BasicAuthenticator.BasicCredentials( |
| AUTH_HEADER.getHeader()); |
| Assert.assertEquals(USER_NAME, credentials.getUsername()); |
| Assert.assertEquals(PASSWORD_SPACE, credentials.getPassword()); |
| } |
| |
| @Test |
| public void testPasswordHasColonEmbedded() throws Exception { |
| final String PASSWORD_COLON = "abc:def"; |
| final BasicAuthHeader AUTH_HEADER = |
| new BasicAuthHeader(NICE_METHOD, USER_NAME, PASSWORD_COLON); |
| BasicAuthenticator.BasicCredentials credentials = |
| new BasicAuthenticator.BasicCredentials( |
| AUTH_HEADER.getHeader()); |
| Assert.assertEquals(USER_NAME, credentials.getUsername()); |
| Assert.assertEquals(PASSWORD_COLON, credentials.getPassword()); |
| } |
| |
| @Test |
| public void testPasswordHasColonLeading() throws Exception { |
| final String PASSWORD_COLON = ":abcdef"; |
| final BasicAuthHeader AUTH_HEADER = |
| new BasicAuthHeader(NICE_METHOD, USER_NAME, PASSWORD_COLON); |
| BasicAuthenticator.BasicCredentials credentials = |
| new BasicAuthenticator.BasicCredentials( |
| AUTH_HEADER.getHeader()); |
| Assert.assertEquals(USER_NAME, credentials.getUsername()); |
| Assert.assertEquals(PASSWORD_COLON, credentials.getPassword()); |
| } |
| |
| @Test |
| public void testPasswordHasColonTrailing() throws Exception { |
| final String PASSWORD_COLON = "abcdef:"; |
| final BasicAuthHeader AUTH_HEADER = |
| new BasicAuthHeader(NICE_METHOD, USER_NAME, PASSWORD_COLON); |
| BasicAuthenticator.BasicCredentials credentials = |
| new BasicAuthenticator.BasicCredentials( |
| AUTH_HEADER.getHeader()); |
| Assert.assertEquals(USER_NAME, credentials.getUsername()); |
| Assert.assertEquals(PASSWORD_COLON, credentials.getPassword()); |
| } |
| |
| /* |
| * Confirm the Basic parser tolerates excess white space after |
| * the base64 blob. |
| * |
| * RFC2617 does not define this case, but asks servers to be |
| * tolerant of this kind of client deviation. |
| */ |
| @Test |
| public void testAuthMethodExtraTrailingSpace() throws Exception { |
| final BasicAuthHeader AUTH_HEADER = |
| new BasicAuthHeader(NICE_METHOD, USER_NAME, PASSWORD, " "); |
| BasicAuthenticator.BasicCredentials credentials = |
| new BasicAuthenticator.BasicCredentials( |
| AUTH_HEADER.getHeader()); |
| Assert.assertEquals(USER_NAME, credentials.getUsername()); |
| Assert.assertEquals(PASSWORD, credentials.getPassword()); |
| } |
| |
| /* |
| * Confirm the Basic parser tolerates excess white space around |
| * the username inside the base64 blob. |
| * |
| * RFC2617 does not define the separation syntax between the auth-scheme |
| * and basic-credentials tokens. Tomcat should tolerate any reasonable |
| * amount of white space. |
| */ |
| @Test |
| public void testUserExtraSpace() throws Exception { |
| final BasicAuthHeader AUTH_HEADER = |
| new BasicAuthHeader(NICE_METHOD, " " + USER_NAME + " ", PASSWORD); |
| BasicAuthenticator.BasicCredentials credentials = |
| new BasicAuthenticator.BasicCredentials( |
| AUTH_HEADER.getHeader()); |
| Assert.assertEquals(USER_NAME, credentials.getUsername()); |
| Assert.assertEquals(PASSWORD, credentials.getPassword()); |
| } |
| |
| /* |
| * Confirm the Basic parser tolerates excess white space around |
| * the username within the base64 blob. |
| * |
| * RFC2617 does not define the separation syntax between the auth-scheme |
| * and basic-credentials tokens. Tomcat should tolerate any reasonable |
| * amount of white space. |
| */ |
| @Test |
| public void testPasswordExtraSpace() throws Exception { |
| final BasicAuthHeader AUTH_HEADER = |
| new BasicAuthHeader(NICE_METHOD, USER_NAME, " " + PASSWORD + " "); |
| BasicAuthenticator.BasicCredentials credentials = |
| new BasicAuthenticator.BasicCredentials( |
| AUTH_HEADER.getHeader()); |
| Assert.assertEquals(USER_NAME, credentials.getUsername()); |
| Assert.assertEquals(PASSWORD, credentials.getPassword()); |
| } |
| |
| |
| /* |
| * invalid base64 string tests |
| * |
| * Refer to RFC2045 section 6.8. |
| */ |
| |
| /* |
| * non-trailing "=" should trigger premature termination of the |
| * decoder, returning a truncated string that will eventually |
| * result in an authentication Assert.failure. |
| */ |
| @Test |
| public void testBadBase64InlineEquals() throws Exception { |
| final String BASE64_CRIB = "dXNlcmlkOnNlY3J=dAo="; |
| final String TRUNCATED_PWD = "secr"; |
| final BasicAuthHeader AUTH_HEADER = |
| new BasicAuthHeader(NICE_METHOD, BASE64_CRIB); |
| BasicAuthenticator.BasicCredentials credentials = |
| new BasicAuthenticator.BasicCredentials( |
| AUTH_HEADER.getHeader()); |
| Assert.assertEquals(USER_NAME, credentials.getUsername()); |
| Assert.assertNotSame(PASSWORD, credentials.getPassword()); |
| Assert.assertEquals(TRUNCATED_PWD, credentials.getPassword()); |
| } |
| |
| /* |
| * "-" is not a legal base64 character. The RFC says it must be |
| * ignored by the decoder. This will scramble the decoded string |
| * and eventually result in an authentication Assert.failure. |
| */ |
| @Test |
| public void testBadBase64Char() throws Exception { |
| final String BASE64_CRIB = "dXNlcmlkOnNl-3JldHM="; |
| final BasicAuthHeader AUTH_HEADER = |
| new BasicAuthHeader(NICE_METHOD, BASE64_CRIB); |
| BasicAuthenticator.BasicCredentials credentials = |
| new BasicAuthenticator.BasicCredentials( |
| AUTH_HEADER.getHeader()); |
| Assert.assertEquals(USER_NAME, credentials.getUsername()); |
| Assert.assertNotSame(PASSWORD, credentials.getPassword()); |
| } |
| |
| /* |
| * "-" is not a legal base64 character. The RFC says it must be |
| * ignored by the decoder. This is a very strange case because the |
| * next character is a pad, which terminates the string normally. |
| * It is likely (but not certain) the decoded password will be |
| * damaged and subsequent authentication will fail. |
| */ |
| @Test |
| public void testBadBase64LastChar() throws Exception { |
| final String BASE64_CRIB = "dXNlcmlkOnNlY3JldA-="; |
| final String POSSIBLY_DAMAGED_PWD = "secret"; |
| final BasicAuthHeader AUTH_HEADER = |
| new BasicAuthHeader(NICE_METHOD, BASE64_CRIB); |
| BasicAuthenticator.BasicCredentials credentials = |
| new BasicAuthenticator.BasicCredentials( |
| AUTH_HEADER.getHeader()); |
| Assert.assertEquals(USER_NAME, credentials.getUsername()); |
| Assert.assertEquals(POSSIBLY_DAMAGED_PWD, credentials.getPassword()); |
| } |
| |
| /* |
| * The trailing third "=" is illegal. However, the RFC says the decoder |
| * must terminate as soon as the first pad is detected, so no error |
| * will be detected unless the payload has been damaged in some way. |
| */ |
| @Test |
| public void testBadBase64TooManyEquals() throws Exception { |
| final String BASE64_CRIB = "dXNlcmlkOnNlY3JldA==="; |
| final BasicAuthHeader AUTH_HEADER = |
| new BasicAuthHeader(NICE_METHOD, BASE64_CRIB); |
| BasicAuthenticator.BasicCredentials credentials = |
| new BasicAuthenticator.BasicCredentials( |
| AUTH_HEADER.getHeader()); |
| Assert.assertEquals(USER_NAME, credentials.getUsername()); |
| Assert.assertEquals(PASSWORD, credentials.getPassword()); |
| } |
| |
| /* |
| * there should be a multiple of 4 encoded characters. However, |
| * the RFC says the decoder should pad the input string with |
| * zero bits out to the next boundary. An error will not be detected |
| * unless the payload has been damaged in some way - this |
| * particular crib has no damage. |
| */ |
| @Test |
| public void testBadBase64BadLength() throws Exception { |
| final String BASE64_CRIB = "dXNlcmlkOnNlY3JldA"; |
| final BasicAuthHeader AUTH_HEADER = |
| new BasicAuthHeader(NICE_METHOD, BASE64_CRIB); |
| BasicAuthenticator.BasicCredentials credentials = |
| new BasicAuthenticator.BasicCredentials( |
| AUTH_HEADER.getHeader()); |
| Assert.assertEquals(USER_NAME, credentials.getUsername()); |
| Assert.assertEquals(PASSWORD, credentials.getPassword()); |
| } |
| |
| |
| /* |
| * Encapsulate the logic to generate an HTTP header |
| * for BASIC Authentication. |
| * Note: only used internally, so no need to validate arguments. |
| */ |
| private final class BasicAuthHeader { |
| |
| private final String HTTP_AUTH = "authorization: "; |
| private final byte[] HEADER = |
| HTTP_AUTH.getBytes(StandardCharsets.ISO_8859_1); |
| private ByteChunk authHeader; |
| private int initialOffset = 0; |
| |
| /* |
| * This method creates a valid base64 blob |
| */ |
| private BasicAuthHeader(String method, String username, |
| String password) { |
| this(method, username, password, null); |
| } |
| |
| /* |
| * This method creates valid base64 blobs with optional trailing data |
| */ |
| private BasicAuthHeader(String method, String username, |
| String password, String extraBlob) { |
| prefix(method); |
| |
| String userCredentials = |
| ((password == null) || (password.length() < 1)) |
| ? username |
| : username + ":" + password; |
| byte[] credentialsBytes = |
| userCredentials.getBytes(StandardCharsets.ISO_8859_1); |
| String base64auth = Base64.encodeBase64String(credentialsBytes); |
| byte[] base64Bytes = |
| base64auth.getBytes(StandardCharsets.ISO_8859_1); |
| |
| byte[] extraBytes = |
| ((extraBlob == null) || (extraBlob.length() < 1)) |
| ? null : |
| extraBlob.getBytes(StandardCharsets.ISO_8859_1); |
| |
| try { |
| authHeader.append(base64Bytes, 0, base64Bytes.length); |
| if (extraBytes != null) { |
| authHeader.append(extraBytes, 0, extraBytes.length); |
| } |
| } |
| catch (IOException ioe) { |
| throw new IllegalStateException("unable to extend ByteChunk:" |
| + ioe.getMessage()); |
| } |
| // emulate tomcat server - offset points to method in header |
| authHeader.setOffset(initialOffset); |
| } |
| |
| /* |
| * This method allows injection of cribbed base64 blobs, |
| * without any validation of the contents |
| */ |
| private BasicAuthHeader(String method, String fakeBase64) { |
| prefix(method); |
| |
| byte[] fakeBytes = fakeBase64.getBytes(StandardCharsets.ISO_8859_1); |
| |
| try { |
| authHeader.append(fakeBytes, 0, fakeBytes.length); |
| } |
| catch (IOException ioe) { |
| throw new IllegalStateException("unable to extend ByteChunk:" |
| + ioe.getMessage()); |
| } |
| // emulate tomcat server - offset points to method in header |
| authHeader.setOffset(initialOffset); |
| } |
| |
| /* |
| * construct the common authorization header |
| */ |
| private void prefix(String method) { |
| authHeader = new ByteChunk(); |
| authHeader.setBytes(HEADER, 0, HEADER.length); |
| initialOffset = HEADER.length; |
| |
| String methodX = method + " "; |
| byte[] methodBytes = methodX.getBytes(StandardCharsets.ISO_8859_1); |
| |
| try { |
| authHeader.append(methodBytes, 0, methodBytes.length); |
| } |
| catch (IOException ioe) { |
| throw new IllegalStateException("unable to extend ByteChunk:" |
| + ioe.getMessage()); |
| } |
| } |
| |
| private ByteChunk getHeader() { |
| return authHeader; |
| } |
| } |
| } |
