Use utf-8 in ServerHttpBasicAuthenticationConverter

frozenice · frozenice · commit b633cb2f833e · 2022-02-25T20:05:47.000+01:00
diff --git a/web/src/main/java/org/springframework/security/web/server/ServerHttpBasicAuthenticationConverter.java b/web/src/main/java/org/springframework/security/web/server/ServerHttpBasicAuthenticationConverter.java
@@ -16,6 +16,7 @@
 
 package org.springframework.security.web.server;
 
+import java.nio.charset.StandardCharsets;
 import java.util.Base64;
 import java.util.function.Function;
 
@@ -51,9 +52,8 @@ public Mono<Authentication> apply(ServerWebExchange exchange) {
 		if (!StringUtils.startsWithIgnoreCase(authorization, "basic ")) {
 			return Mono.empty();
 		}
-		String credentials = (authorization.length() <= BASIC.length()) ? ""
-				: authorization.substring(BASIC.length(), authorization.length());
-		String decoded = new String(base64Decode(credentials));
+		String credentials = (authorization.length() <= BASIC.length()) ? "" : authorization.substring(BASIC.length());
+		String decoded = new String(base64Decode(credentials), StandardCharsets.UTF_8);
 		String[] parts = decoded.split(":", 2);
 		if (parts.length != 2) {
 			return Mono.empty();
diff --git a/web/src/test/java/org/springframework/security/web/server/authentication/ServerHttpBasicAuthenticationConverterTests.java b/web/src/test/java/org/springframework/security/web/server/authentication/ServerHttpBasicAuthenticationConverterTests.java
@@ -62,7 +62,7 @@ public void applyWhenNotBase64ThenEmpty() {
 	}
 
 	@Test
-	public void applyWhenNoSemicolonThenEmpty() {
+	public void applyWhenNoColonThenEmpty() {
 		Mono<Authentication> result = apply(this.request.header(HttpHeaders.AUTHORIZATION, "Basic dXNlcg=="));
 		assertThat(result.block()).isNull();
 	}
@@ -104,6 +104,16 @@ public void applyWhenWrongSchemeThenEmpty() {
 		assertThat(result.block()).isNull();
 	}
 
+	@Test
+	public void applyWhenNonAsciiThenAuthentication() {
+		Mono<Authentication> result = apply(
+				this.request.header(HttpHeaders.AUTHORIZATION, "Basic w7xzZXI6cGFzc3fDtnJk"));
+		UsernamePasswordAuthenticationToken authentication = result.cast(UsernamePasswordAuthenticationToken.class)
+				.block();
+		assertThat(authentication.getPrincipal()).isEqualTo("üser");
+		assertThat(authentication.getCredentials()).isEqualTo("passwörd");
+	}
+
 	private Mono<Authentication> apply(MockServerHttpRequest.BaseBuilder<?> request) {
 		return this.converter.convert(MockServerWebExchange.from(this.request.build()));
 	}

Original file line number	Diff line number	Diff line change
`@@ -62,7 +62,7 @@ public void applyWhenNotBase64ThenEmpty() {`
`62`	`62`	`}`
`63`	`63`
`64`	`64`	`@Test`
`65`		`- public void applyWhenNoSemicolonThenEmpty() {`
	`65`	`+ public void applyWhenNoColonThenEmpty() {`
`66`	`66`	`Mono<Authentication> result = apply(this.request.header(HttpHeaders.AUTHORIZATION, "Basic dXNlcg=="));`
`67`	`67`	`assertThat(result.block()).isNull();`
`68`	`68`	`}`
`@@ -104,6 +104,16 @@ public void applyWhenWrongSchemeThenEmpty() {`
`104`	`104`	`assertThat(result.block()).isNull();`
`105`	`105`	`}`
`106`	`106`
	`107`	`+ @Test`
	`108`	`+ public void applyWhenNonAsciiThenAuthentication() {`
	`109`	`+ Mono<Authentication> result = apply(`
	`110`	`+ this.request.header(HttpHeaders.AUTHORIZATION, "Basic w7xzZXI6cGFzc3fDtnJk"));`
	`111`	`+ UsernamePasswordAuthenticationToken authentication = result.cast(UsernamePasswordAuthenticationToken.class)`
	`112`	`+ .block();`
	`113`	`+ assertThat(authentication.getPrincipal()).isEqualTo("üser");`
	`114`	`+ assertThat(authentication.getCredentials()).isEqualTo("passwörd");`
	`115`	`+ }`
	`116`	`+`
`107`	`117`	`private Mono<Authentication> apply(MockServerHttpRequest.BaseBuilder<?> request) {`
`108`	`118`	`return this.converter.convert(MockServerWebExchange.from(this.request.build()));`
`109`	`119`	`}`