colons in basic auth passwords with WS LDAP doesnt work

 

 

  3:39 PM
We think we've found something of a bug with 2.5.60 after an upgrade yesterday.  When an API user authenticates using HTTP basic, and they have a colon in their password, grouper seems to be parsing the authentication information incorrectly.
For example, if I'm authenticating using the (base64 encoding of) tfinney:What:ever123, it thinks that the password is What, instead of What:ever123.
Do you know offhand if this is a known issue and, if not, what's the optimal way to report it?

 

 

 

Chris Hyzer  5:33 PM
does this help?
https://todos.internet2.edu/browse/GRP-3163

  5:38 PM
probably, thanks.

  11:57 AM
Or not.
We tried the
grouper.authentication.splitBasicAuthOnFirstColon = false 
As far as we can tell, this only does anything if you're using Grouper's internal authentication database.  We're using LDAP for that.
edu.internet2.middleware.grouper.ws.security.WsGrouperLdapAuthntication calls
      String user = GrouperUtil.prefixOrSuffix(unencodedString, ":", true);
      String pass = GrouperUtil.prefixOrSuffix(unencodedString, ":", false);
to break username:password up.  GrouperUtil,prefixOrSuffix does:
  public static String prefixOrSuffix(String startString, String separator, boolean isPrefix) {
    String prefixOrSuffix = null;
    if (startString == null)
      return startString; 
    int separatorIndex = isPrefix ? startString.indexOf(separator) : startString.lastIndexOf(separator);
    if (separatorIndex == -1)
      return startString; 
    int separatorLength = separator.length();
    if (isPrefix)

{       prefixOrSuffix = startString.substring(0, separatorIndex);     }

else

{       prefixOrSuffix = startString.substring(separatorIndex + separatorLength, startString           .length());     }

 
    return prefixOrSuffix;
which takes everything up to the first : for the username and everything after the last colon the password.
so user:secretpass:word
would get turned into user and word, not user and secretpass:word

Chris Hyzer  1:23 PM
can you try escaping the colon as it says in the jira?
1:23
or setting a pass that doesnt have colon?  that protocol sucks that uses colon without escaping

  1:25 PM
We're actually right in the middle of a conversation about this, but I think "no one can use colons in passwords" is a suboptimal solution.
1:25
Does the escaping bit work when authenticating against ldap?

  1:41 PM
So, we're looking at this, and RFC7617 says that usernames can never contain colons, so that string should always be splitting on the leftmost colon.
https://datatracker.ietf.org/doc/html/rfc7617
datatracker.ietf.orgdatatracker.ietf.org
RFC 7617 - The 'Basic' HTTP Authentication Scheme
The 'Basic' HTTP Authentication Scheme (RFC 7617)

  1:51 PM
The change in 3163 does not apply when you're doing authentication via ldap.  It only affects authentication via Grouper's internal system.

  2:32 PM
We do not believe, based on looking at the source, that the colon escaping code will come into play for ldap authentication.
2:33
So, no, we can't escape the colon.
The solution for this today seems to be changing the password to remove the colon, but we strongly believe that this is a bug.

  2:44 PM
Yes, true is actually what we tried, because per RFC7617, is should always split on the first colon, because colons are not permitted in usernames.
And, again, as I said, that change does not do anything at all when it comes to ldap authentication.  It's never called.  It's only used when you're using Grouper's internal authentication.