Make credentialsCharset in ServerHttpBasicAuthenticationConverter configurable

Author: frozenice

web/src/main/java/org/springframework/security/web/server/ServerHttpBasicAuthenticationConverter.java

@@ -16,6 +16,7 @@
 
 package org.springframework.security.web.server;
 
+import java.nio.charset.Charset;
 import java.nio.charset.StandardCharsets;
 import java.util.Base64;
 import java.util.function.Function;
@@ -26,6 +27,7 @@
 import org.springframework.http.server.reactive.ServerHttpRequest;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.Authentication;
+import org.springframework.util.Assert;
 import org.springframework.util.StringUtils;
 import org.springframework.web.server.ServerWebExchange;
 
@@ -44,6 +46,8 @@ public class ServerHttpBasicAuthenticationConverter implements Function<ServerWe
 
 	public static final String BASIC = "Basic ";
 
+	private Charset credentialsCharset = StandardCharsets.UTF_8;
+
 	@Override
 	@Deprecated
 	public Mono<Authentication> apply(ServerWebExchange exchange) {
@@ -53,7 +57,7 @@ public Mono<Authentication> apply(ServerWebExchange exchange) {
 			return Mono.empty();
 		}
 		String credentials = (authorization.length() <= BASIC.length()) ? "" : authorization.substring(BASIC.length());
-		String decoded = new String(base64Decode(credentials), StandardCharsets.UTF_8);
+		String decoded = new String(base64Decode(credentials), this.credentialsCharset);
 		String[] parts = decoded.split(":", 2);
 		if (parts.length != 2) {
 			return Mono.empty();
@@ -70,4 +74,13 @@ private byte[] base64Decode(String value) {
 		}
 	}
 
+	public Charset getCredentialsCharset() {
+		return this.credentialsCharset;
+	}
+
+	public void setCredentialsCharset(Charset credentialsCharset) {
+		Assert.notNull(credentialsCharset, "credentialsCharset cannot be null");
+		this.credentialsCharset = credentialsCharset;
+	}
+
 }

web/src/test/java/org/springframework/security/web/server/authentication/ServerHttpBasicAuthenticationConverterTests.java

@@ -16,6 +16,8 @@
 
 package org.springframework.security.web.server.authentication;
 
+import java.nio.charset.StandardCharsets;
+
 import org.junit.jupiter.api.Test;
 import reactor.core.publisher.Mono;
 
@@ -114,6 +116,28 @@ public void applyWhenNonAsciiThenAuthentication() {
 		assertThat(authentication.getCredentials()).isEqualTo("passwörd");
 	}
 
+	@Test
+	public void applyWhenIsoOnlyAsciiThenAuthentication() {
+		this.converter.setCredentialsCharset(StandardCharsets.ISO_8859_1);
+		Mono<Authentication> result = apply(
+				this.request.header(HttpHeaders.AUTHORIZATION, "Basic dXNlcjpwYXNzd29yZA=="));
+		UsernamePasswordAuthenticationToken authentication = result.cast(UsernamePasswordAuthenticationToken.class)
+				.block();
+		assertThat(authentication.getPrincipal()).isEqualTo("user");
+		assertThat(authentication.getCredentials()).isEqualTo("password");
+	}
+
+	@Test
+	public void applyWhenIsoNonAsciiThenAuthentication() {
+		this.converter.setCredentialsCharset(StandardCharsets.ISO_8859_1);
+		Mono<Authentication> result = apply(
+				this.request.header(HttpHeaders.AUTHORIZATION, "Basic /HNlcjpwYXNzd/ZyZA=="));
+		UsernamePasswordAuthenticationToken authentication = result.cast(UsernamePasswordAuthenticationToken.class)
+				.block();
+		assertThat(authentication.getPrincipal()).isEqualTo("üser");
+		assertThat(authentication.getCredentials()).isEqualTo("passwörd");
+	}
+
 	private Mono<Authentication> apply(MockServerHttpRequest.BaseBuilder<?> request) {
 		return this.converter.convert(MockServerWebExchange.from(this.request.build()));
 	}