Skip to content

"Basic" authentication scheme name should be case insenstive #5586

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
jeroenheijmans opened this issue Jul 26, 2018 · 1 comment
Closed

"Basic" authentication scheme name should be case insenstive #5586

jeroenheijmans opened this issue Jul 26, 2018 · 1 comment
Labels
in: web An issue in web modules (web, webmvc) type: bug A general bug
Milestone
5.0.8

Comments

@jeroenheijmans
Copy link

jeroenheijmans commented Jul 26, 2018
edited
Loading

In an issue in a client side OAuth2 framework (angular-oauth2-oidc) it was noted that Spring Security does a case sensitive comparison (I think, in this line) for the string "Basic ".

I'm unsure if I referred to the correct RFC, but in RFC 7617 section 2 it is noted that the scheme name should be matched case insensitively (even though all examples use "Basic" as the spelling).

Just for reference (and to double check my hunch), IdentityServer4 (from the .NET ecosystem) seems to do it case insensitively.

Perhaps someone more knowledgeable than I can double check my thoughts, but if I'm right then I think it would be good to make the check ignore case in Spring Security too.
@rwinch rwinch added this to the 5.0.8 milestone Jul 26, 2018
@rwinch rwinch added in: web An issue in web modules (web, webmvc) type: bug A general bug labels Jul 26, 2018
@rwinch rwinch changed the title Case sensitivity for "Basic" authentication "Basic" authentication scheme name should be case insenstive Jul 31, 2018
@rwinch rwinch closed this as completed in e3d4d66 Jul 31, 2018
This was referenced Jul 31, 2018
Closed
Closed
@rwinch
Copy link
Member

rwinch commented Jul 31, 2018

Thanks for the report! A fix is now in master, 5.0.x, and 4.2.x

@jzheaux jzheaux mentioned this issue Nov 29, 2018
Merged
@jgrandja jgrandja mentioned this issue Dec 4, 2018
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
in: web An issue in web modules (web, webmvc) type: bug A general bug
Projects
None yet
Milestone
5.0.8
Development

No branches or pull requests
2 participants
@rwinch @jeroenheijmans