diff --git a/components/org.wso2.micro.integrator.extensions/org.wso2.micro.integrator.management.apis/src/main/java/org/wso2/micro/integrator/management/apis/Constants.java b/components/org.wso2.micro.integrator.extensions/org.wso2.micro.integrator.management.apis/src/main/java/org/wso2/micro/integrator/management/apis/Constants.java
index c9a6f22217..2865a24d42 100644
--- a/components/org.wso2.micro.integrator.extensions/org.wso2.micro.integrator.management.apis/src/main/java/org/wso2/micro/integrator/management/apis/Constants.java
+++ b/components/org.wso2.micro.integrator.extensions/org.wso2.micro.integrator.management.apis/src/main/java/org/wso2/micro/integrator/management/apis/Constants.java
@@ -237,5 +237,6 @@ public class Constants {
     // Searching constants
     public static final String SEARCH_KEY = "searchKey";
+    public static final Character BASIC_AUTH_SEPARATOR_CHAR = ':';
 }
diff --git a/components/org.wso2.micro.integrator.extensions/org.wso2.micro.integrator.management.apis/src/main/java/org/wso2/micro/integrator/management/apis/UsersResource.java b/components/org.wso2.micro.integrator.extensions/org.wso2.micro.integrator.management.apis/src/main/java/org/wso2/micro/integrator/management/apis/UsersResource.java
index 6a63f01a51..aa92fb232c 100644
--- a/components/org.wso2.micro.integrator.extensions/org.wso2.micro.integrator.management.apis/src/main/java/org/wso2/micro/integrator/management/apis/UsersResource.java
+++ b/components/org.wso2.micro.integrator.extensions/org.wso2.micro.integrator.management.apis/src/main/java/org/wso2/micro/integrator/management/apis/UsersResource.java
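Review bot: `BASIC_AUTH_SEPARATOR_CHAR` is declared with the boxed `Character` type although its only visible use, `user.indexOf(BASIC_AUTH_SEPARATOR_CHAR)` in UsersResource, needs an unboxing-plus-widening conversion to reach `indexOf(int)`; the conventional form for a single-character constant is `public static final char BASIC_AUTH_SEPARATOR_CHAR = ':';`. The same commit still splits the decoded credentials on the literal `":"` in the AuthenticationHandlerAdapter.extractDetails hunk, so the new constant does not yet govern the one place that actually parses the separator; using `String.valueOf(BASIC_AUTH_SEPARATOR_CHAR)` there would keep the two sides from drifting apart.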
@@ -48,6 +48,7 @@ import static org.wso2.micro.integrator.management.apis.Constants.ROLE;
 import static org.wso2.micro.integrator.management.apis.Constants.SEARCH_KEY;
 import static org.wso2.micro.integrator.management.apis.Constants.STATUS;
+import static org.wso2.micro.integrator.management.apis.Constants.BASIC_AUTH_SEPARATOR_CHAR;
 /**
  * Resource for a retrieving and adding users.
  *

@@ -187,13 +188,17 @@ private JSONObject handlePost(MessageContext messageContext,
         JsonObject payload = Utils.getJsonPayload(axis2MessageContext);
         boolean isAdmin = false;
         if (payload.has(USER_ID) && payload.has(PASSWORD)) {
+            String user = payload.get(USER_ID).getAsString();
+            // validate username
+            if (user == null || user.isEmpty() || user.indexOf(BASIC_AUTH_SEPARATOR_CHAR) != -1) {
+                throw new IOException("Invalid username");
+            }
             String[] roleList = null;
             if (payload.has(IS_ADMIN) && payload.get(IS_ADMIN).getAsBoolean()) {
                 String adminRole = Utils.getRealmConfiguration().getAdminRoleName();
                 roleList = new String[]{adminRole};
                 isAdmin = payload.get(IS_ADMIN).getAsBoolean();
             }
-            String user = payload.get(USER_ID).getAsString();
             String domain = null;
             if (payload.has(DOMAIN) ) {
                 domain = payload.get(DOMAIN).getAsString();
diff --git a/components/org.wso2.micro.integrator.extensions/org.wso2.micro.integrator.management.apis/src/main/java/org/wso2/micro/integrator/management/apis/security/handler/AuthenticationHandlerAdapter.java b/components/org.wso2.micro.integrator.extensions/org.wso2.micro.integrator.management.apis/src/main/java/org/wso2/micro/integrator/management/apis/security/handler/AuthenticationHandlerAdapter.java
index 5fd6de6ad5..e2fe7c3e95 100644
--- a/components/org.wso2.micro.integrator.extensions/org.wso2.micro.integrator.management.apis/src/main/java/org/wso2/micro/integrator/management/apis/security/handler/AuthenticationHandlerAdapter.java
+++ b/components/org.wso2.micro.integrator.extensions/org.wso2.micro.integrator.management.apis/src/main/java/org/wso2/micro/integrator/management/apis/security/handler/AuthenticationHandlerAdapter.java
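Review bot: The new username check rejects an empty or colon-containing value but still accepts one made only of whitespace, because `user.isEmpty()` is tested on the raw string; `user.trim().isEmpty()` (or `isBlank()` if the project builds on Java 11 or later) closes that gap. The `user == null` branch is unlikely to ever fire with a Gson-style `JsonObject` — if the JSON value is `null`, `getAsString()` on the `JsonNull` element throws before the comparison runs — so either drop it or test `payload.get(USER_ID).isJsonNull()` first; this is inferred from the `getAsString`/`getAsBoolean` calls, as the JSON library's import is not in the hunk. `IOException("Invalid username")` also gives the API caller no reason for the rejection; `throw new IOException("Invalid username: must be non-empty and must not contain '" + BASIC_AUTH_SEPARATOR_CHAR + "'");` says why without echoing the supplied value. handlePost starts and ends outside this hunk.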
@@ -148,8 +148,10 @@ boolean processAuthRequestWithFileBasedUserStore(MessageContext messageContext,
     private String[] extractDetails(String token) {
         String decodedCredentials = new String(new Base64().decode(token.getBytes()));
-        String[] usernamePasswordArray = decodedCredentials.split(":");
-        if (usernamePasswordArray.length != 2) {
+        // everything before the first colon can be considered as the username
+        // since RFC-2617 specifies that username cannot contain a colon.
+        String[] usernamePasswordArray = decodedCredentials.split(":",2);
+        if (usernamePasswordArray.length < 2) {
             return new String[] {};
         }
         return new String[] { usernamePasswordArray[0], usernamePasswordArray[1] };
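Review bot: With the limit-2 split, a decoded `"user:"` now yields `["user", ""]` and passes the `length < 2` guard, whereas the old `split(":")` discarded the trailing empty string and rejected it, so an empty password now flows on to the user-store check; a leading colon likewise produces an empty username in both versions. Making those decisions explicit here rather than relying on the store is one line: `if (usernamePasswordArray.length < 2 || usernamePasswordArray[0].isEmpty() || usernamePasswordArray[1].isEmpty()) {`. On the context line above, `token.getBytes()` and `new String(byte[])` use the platform default charset, so non-ASCII usernames or passwords decode differently per JVM; passing `StandardCharsets.UTF_8` to both calls would make this deterministic (pre-existing, not introduced by this commit). The new comment cites RFC 2617, which RFC 7617 has since obsoleted while keeping the same no-colon rule for the user-id, so `// RFC 7617 (which obsoletes RFC 2617)` would point readers at the current text.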