-
Notifications
You must be signed in to change notification settings - Fork 185
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Invalid Authorization header: Bearer #674
Comments
Have you found your way out of this yet? |
I cheated. I wrote a filter that removes any authorization header which isn't one of ntlm, negotiate or basic. After that the request is passed on to waffle. I was expecting this kind of logic in waffle itself but I am not sure if that would be the right approach. Comments welcome. |
It's the source software that is sending a Bearer Token. Waffle only supports a single Authorization header and as far as I know the HTTP Authorization RFC only supports a single Authorization header. |
It is Word and Excel that sends the Bearer token. |
We hit this as well, but we want to pass the header because we're using multiple types of authentication. The assumption Waffle is making is that the header payload is always a single Base64 chunk:
However, RFC 6750 defines a header which is treated as "invalid" by this method. Perhaps the bug is that Waffle isn't reading the authentication scheme when making this decision? It should be seeing that the scheme is "Bearer" and not attempting to decode the header at all. |
You would configure your authentication in your web.xml for the resources
that are not to be covered by waffle. The error might be in your
application configuration and or deployment model.?
…On Thu, 14 Mar 2019, 04:10 Trejkaz (pen name), ***@***.***> wrote:
We hit this as well, but we want to pass the header because we're using
multiple types of authentication.
The assumption Waffle is making is that the header payload is always a
single Base64 chunk:
https://github.com/Waffle/waffle/blob/15660fa9043f818fcc39aa20be5c65ead4fe4c28/Source/JNA/waffle-jna/src/main/java/waffle/util/AuthorizationHeader.java#L109
However, RFC 6750 defines a header which is treated as "invalid" by this
method.
Perhaps the bug is that Waffle isn't reading the authentication scheme
when making this decision? It should be seeing that the scheme is "Bearer"
and not attempting to decode the header at all.
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#674 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/ACAINCfW40pw-H8kGPWl-S8p6EKf-wTxks5vWcvAgaJpZM4aYjde>
.
|
The same URL is covered by both types of authentication. :) |
To achieve that, I had to use the security filter it supports excluding
bearer and exclude path patterns
…On Thu, 14 Mar 2019, 07:24 Trejkaz (pen name), ***@***.***> wrote:
The same URL is covered by both types of authentication. :)
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#674 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/ACAINJjmqchnXcKJbLeHwzBg8GFS_BLXks5vWfkegaJpZM4aYjde>
.
|
@trejkaz I think you are stating here that you believe waffle has a bug. Any chance you could review this again and see about raising a PR that might resolve this within waffle? |
I'm not completely clear on what the behaviour should be at the moment as it has been some time since investigating stuff surrounding this issue. My impression is that |
Thanks @trejkaz I'm not super familar with this type and was just reviewing what we had out here. I'll try to review over this and see if its us. I do see the earlier stack trace so I have something to go on. I just will be unlikely to have fixed in this next release. However, that said, the next release has a few nice fixes coming and some 'sonar' considered vulnerability fixes so if anything you find some time down the road and can play around with this more, please try the release at that time. I plan to release in next week or so 2.2.0. Thanks. |
I have
NTLM
configured as the only allowed authentication method:web.xml
The works fine generally but I keep getting
java.lang.RuntimeException: Invalid Authorization header: Bearer
exceptions for certain requests.What is the reason for this? Is there anything else I need to configure?
Waffle is at
Full stack trace:
The text was updated successfully, but these errors were encountered: