Add changes to allow colon in password

Add changed to allow colon in the password according to RFC-2617 Avoid adding new users with colon in the username Fixes /issues/3047
wso2 · Dec 8, 2023 · 381564f · 381564f
1 parent 40b20ef
commit 381564f
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 3 deletions.
diff --git a/...or.management.apis/src/main/java/org/wso2/micro/integrator/management/apis/Constants.java b/...or.management.apis/src/main/java/org/wso2/micro/integrator/management/apis/Constants.java
@@ -237,5 +237,6 @@ public class Constants {
 
     // Searching constants
     public static final String SEARCH_KEY = "searchKey";
+    public static final Character BASIC_AUTH_SEPARATOR_CHAR = ':';
 
 }
diff --git a/...anagement.apis/src/main/java/org/wso2/micro/integrator/management/apis/UsersResource.java b/...anagement.apis/src/main/java/org/wso2/micro/integrator/management/apis/UsersResource.java
@@ -48,6 +48,7 @@
 import static org.wso2.micro.integrator.management.apis.Constants.ROLE;
 import static org.wso2.micro.integrator.management.apis.Constants.SEARCH_KEY;
 import static org.wso2.micro.integrator.management.apis.Constants.STATUS;
+import static org.wso2.micro.integrator.management.apis.Constants.BASIC_AUTH_SEPARATOR_CHAR;
 /**
  * Resource for a retrieving and adding users.
  * <p>
@@ -187,13 +188,17 @@ private JSONObject handlePost(MessageContext messageContext,
         JsonObject payload = Utils.getJsonPayload(axis2MessageContext);
         boolean isAdmin = false;
         if (payload.has(USER_ID) && payload.has(PASSWORD)) {
+            String user = payload.get(USER_ID).getAsString();
+            // validate username
+            if (user == null || user.isEmpty() || user.indexOf(BASIC_AUTH_SEPARATOR_CHAR) != -1) {
+                throw new IOException("Invalid username");
+            }
             String[] roleList = null;
             if (payload.has(IS_ADMIN) && payload.get(IS_ADMIN).getAsBoolean()) {
                 String adminRole = Utils.getRealmConfiguration().getAdminRoleName();
                 roleList = new String[]{adminRole};
                 isAdmin = payload.get(IS_ADMIN).getAsBoolean();
             }
-            String user = payload.get(USER_ID).getAsString();
             String domain = null;
             if (payload.has(DOMAIN) ) {
                 domain = payload.get(DOMAIN).getAsString();

diff --git a/.../wso2/micro/integrator/management/apis/security/handler/AuthenticationHandlerAdapter.java b/.../wso2/micro/integrator/management/apis/security/handler/AuthenticationHandlerAdapter.java
@@ -148,8 +148,10 @@ boolean processAuthRequestWithFileBasedUserStore(MessageContext messageContext,
     private String[] extractDetails(String token) {
 
         String decodedCredentials = new String(new Base64().decode(token.getBytes()));
-        String[] usernamePasswordArray = decodedCredentials.split(":");
-        if (usernamePasswordArray.length != 2) {
+        // everything before the first colon can be considered as the username
+        // since RFC-2617 specifies that username cannot contain a colon.
+        String[] usernamePasswordArray = decodedCredentials.split(":",2);
+        if (usernamePasswordArray.length < 2) {
             return new String[] {};
         }
         return new String[] { usernamePasswordArray[0], usernamePasswordArray[1] };