Switch Basic Authentication encoding to UTF-8 #1970

Merged (1 commit), Nov 16, 2023
Expand Up @@ -17,13 +17,16 @@
package org.apache.logging.log4j.core.util;

import java.net.URLConnection;
import java.nio.charset.Charset;
import java.util.Base64;

import org.apache.logging.log4j.Logger;
import org.apache.logging.log4j.status.StatusLogger;
import org.apache.logging.log4j.util.Base64Util;
import org.apache.logging.log4j.util.LoaderUtil;
import org.apache.logging.log4j.util.PropertiesUtil;

import static java.nio.charset.StandardCharsets.UTF_8;

/**
* Provides the Basic Authorization header to a request.
*/
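Review bot: `org.apache.logging.log4j.util.Base64Util` is still imported, but the only use of it visible in this change, `Base64Util.encode(...)` in the `authString` assignment, is replaced by `java.util.Base64`; if nothing else in the file calls it, drop the import so the change does not leave an unused import behind.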
Expand All @@ -35,6 +38,11 @@ public class BasicAuthorizationProvider implements AuthorizationProvider {
public static final String CONFIG_USER_NAME = "log4j2.configurationUserName";
public static final String CONFIG_PASSWORD = "log4j2.configurationPassword";
public static final String PASSWORD_DECRYPTOR = "log4j2.passwordDecryptor";
/*
* Properties used to specify the encoding in HTTP Basic Authentication
*/
private static final String BASIC_AUTH_ENCODING = "log4j2.configurationAuthorizationEncoding";
private static final String SPRING_BASIC_AUTH_ENCODING = "logging.auth.encoding";

private static final Logger LOGGER = StatusLogger.getLogger();
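Review bot: the two new constants are `private` while the sibling property names just above (`CONFIG_USER_NAME`, `CONFIG_PASSWORD`, `PASSWORD_DECRYPTOR`) are `public`; either visibility can be argued, but since `log4j2.configurationAuthorizationEncoding` is a documented user-facing property, give it a Javadoc comment (`/** ... */`) instead of the plain `/* ... */` block and state that the value is resolved to a `Charset` (the constructor reads it with `props.getCharsetProperty`), so readers know a charset name is expected.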

Expand All @@ -47,6 +55,11 @@ public BasicAuthorizationProvider(final PropertiesUtil props) {
() -> props.getStringProperty(CONFIG_PASSWORD));
final String decryptor = props.getStringProperty(PREFIXES, AUTH_PASSWORD_DECRYPTOR,
() -> props.getStringProperty(PASSWORD_DECRYPTOR));
// Password encoding
Charset passwordCharset = props.getCharsetProperty(BASIC_AUTH_ENCODING);
if (passwordCharset == null) {
props.getCharsetProperty(SPRING_BASIC_AUTH_ENCODING, UTF_8);
}
if (decryptor != null) {
try {
final Object obj = LoaderUtil.newInstanceOf(decryptor);
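Review bot: the fallback branch discards its result. `props.getCharsetProperty(SPRING_BASIC_AUTH_ENCODING, UTF_8);` is evaluated but never assigned, so whenever `log4j2.configurationAuthorizationEncoding` is unset, `passwordCharset` stays `null` and the later `(userName + ":" + password).getBytes(passwordCharset)` throws a `NullPointerException`; the documented UTF-8 default therefore never takes effect. It should read `passwordCharset = props.getCharsetProperty(SPRING_BASIC_AUTH_ENCODING, UTF_8);`, or better, fold both lookups into a single `final` initialisation so the variable can never be null. Also, the other properties in this constructor are resolved with `props.getStringProperty(PREFIXES, ...)` plus a fallback, whereas the charset lookup ignores `PREFIXES`; confirm that is intentional.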
Expand All @@ -58,7 +71,13 @@ public BasicAuthorizationProvider(final PropertiesUtil props) {
}
}
if (userName != null && password != null) {
authString = "Basic " + Base64Util.encode(userName + ":" + password);
/*
* https://datatracker.ietf.org/doc/html/rfc7617#appendix-B
*
* If the user didn't specify a charset to use, we fallback to UTF-8
*/
authString = "Basic "
+ Base64.getEncoder().encodeToString((userName + ":" + password).getBytes(passwordCharset));
}
}
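Review bot: encoding `user-id:password` with an explicit charset before Base64 is the right fix per RFC 7617 Appendix B, but this expression relies on `passwordCharset` being non-null, which in the constructor above depends on the fallback lookup actually assigning its result; a defensive `passwordCharset != null ? passwordCharset : UTF_8` here would keep header construction robust regardless. Separately, the comment cites RFC 7617 but the concatenation `userName + ":" + password` does not enforce section 2 of that RFC, which forbids a colon in the user-id; a `userName` containing `:` yields a credential the server will split at the wrong place, so reject it or document the restriction.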

10 changes: 10 additions & 0 deletions src/changelog/.2.x.x/change_basic_auth_encoding.xml
@@ -0,0 +1,10 @@
<?xml version="1.0" encoding="UTF-8"?>
<entry xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://logging.apache.org/log4j/changelog"
xsi:schemaLocation="http://logging.apache.org/log4j/changelog https://logging.apache.org/log4j/changelog-0.1.2.xsd"
type="changed">
<issue id="1970" link="https://github.com/apache/logging-log4j2/issues/1970"/>
<description format="asciidoc">
Change default encoding of HTTP Basic Authentication to UTF-8 and add `log4j2.configurationAuthorizationEncoding` property to overwrite it.
</description>
</entry>
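Review bot: `<issue id="1970" link="https://github.com/apache/logging-log4j2/issues/1970"/>` points at this pull request's own number, while the release-notes entry for the same change cites issue 1961; the changelog and release notes should reference the same number (the motivating issue, if 1961 is it). Minor wording: the property overrides the default rather than "overwrite"s it.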
1 change: 1 addition & 0 deletions src/site/_release-notes/_2.x.x.adoc
Expand Up @@ -47,6 +47,7 @@ The module name of four bridges (`log4j-slf4j-impl`, `log4j-slf4j2-impl`, `log4j
=== Changed

* Change the order of evaluation of `FormattedMessage` formatters. Messages are evaluated using `java.util.Format` only if they don't comply to the `java.text.MessageFormat` or `ParameterizedMessage` format. (https://github.com/apache/logging-log4j2/issues/1223[1223])
* Change default encoding of HTTP Basic Authentication to UTF-8 and add `log4j2.configurationAuthorizationEncoding` property to overwrite it. (https://github.com/apache/logging-log4j2/issues/1961[1961])
* Fix MDC pattern converter causing issues for `%notEmpty` (https://github.com/apache/logging-log4j2/issues/1922[1922])
* Fix `NotSerializableException` when `Logger` is serialized with a `ReusableMessageFactory` (https://github.com/apache/logging-log4j2/issues/1884[1884])
* Update `co.elastic.clients:elasticsearch-java` to version `8.11.0` (https://github.com/apache/logging-log4j2/pull/1953[1953])
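Review bot: the new bullet cites issue 1961 while the changelog entry in `src/changelog/.2.x.x/change_basic_auth_encoding.xml` cites 1970; pick one number and use it in both places. "overwrite it" reads better as "override it", and the bullet could mention the Spring alias `logging.auth.encoding` that the code also honours.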
3 changes: 2 additions & 1 deletion src/site/markdown/log4j-spring-cloud-config-client.md
Expand Up @@ -66,7 +66,8 @@ the alternatives may be used in any configuration location.
|----------|---------|---------|---------|
| log4j2.configurationUserName | log4j2.config.username | logging.auth.username | User name for basic authentication |
| log4j2.configurationPassword | log4j2.config.password | logging.auth.password | Password for basic authentication |
| log4j2.authorizationProvider | log4j2.config.authorizationProvider | logging.auth.authorizationProvider | Class used to create HTTP Authorization header |
| log4j2.configurationAuthorizationEncoding | | logging.auth.encoding | Encoding for basic authentication (defaults to UTF-8) |
| log4j2.configurationAuthorizationProvider | log4j2.config.authorizationProvider | logging.auth.authorizationProvider | Class used to create HTTP Authorization header |

```
log4j2.configurationUserName=guest
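Review bot: besides adding the encoding row, this hunk renames the existing row from `log4j2.authorizationProvider` to `log4j2.configurationAuthorizationProvider`, an unrelated documentation fix that deserves a mention in the PR description; it also disagrees with `configuration.xml.vm`, where the same setting is listed as `log4j2.Configuration.authorizationProvider`, so the docs now spell this property three different ways. The empty second column of the new row (no `log4j2.config.*` alias) is fine if no such alias exists, but an explicit placeholder would read less like an omission.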
8 changes: 8 additions & 0 deletions src/site/xdoc/manual/configuration.xml.vm
Expand Up @@ -2127,6 +2127,14 @@ public class AwesomeTest {
"https, file, jar". To completely prevent accessing the configuration via a URL specify a value of "_none".
</td>
</tr>
<tr>
<td><a name="log4j2.configurationAuthorizationEncoding"/>log4j2.configurationAuthorizationEncoding</td>
<td>LOG4J_CONFIGURATION_AUTHORIZATION_ENCODING</td>
<td>UTF-8</td>
<td>
The encoding used in Basic Authentication (cf. <a href="https://datatracker.ietf.org/doc/html/rfc7617">RFC 7617</a>).
</td>
</tr>
<tr>
<td><a name="configurationAuthorizationProvider"/>log4j2.Configuration.authorizationProvider
<br />
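Review bot: the row documents the environment variable `LOG4J_CONFIGURATION_AUTHORIZATION_ENCODING` and a default of `UTF-8`, but the code hunk only reads `log4j2.configurationAuthorizationEncoding` and the Spring name `logging.auth.encoding`; confirm that `PropertiesUtil` derives the environment variable automatically, and state in the description what is encoded, i.e. the charset applied to `user-id:password` before Base64 encoding per RFC 7617, rather than "the encoding used in Basic Authentication". Listing the `logging.auth.encoding` alias here, as the Spring Cloud Config page does, would keep the two tables consistent.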