From 3219fd554d11df282f37dc3c79afae5cc9aeb5dc Mon Sep 17 00:00:00 2001 From: Alexey Markevich Date: Sat, 10 Oct 2020 22:16:10 +0300 Subject: [PATCH] DigestAuthenticationFilter decodes nonce only once Closes gh-8455 --- .../web/authentication/www/DigestAuthenticationFilter.java | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/web/src/main/java/org/springframework/security/web/authentication/www/DigestAuthenticationFilter.java b/web/src/main/java/org/springframework/security/web/authentication/www/DigestAuthenticationFilter.java index 12cc3af722..00a119cdc5 100644 --- a/web/src/main/java/org/springframework/security/web/authentication/www/DigestAuthenticationFilter.java +++ b/web/src/main/java/org/springframework/security/web/authentication/www/DigestAuthenticationFilter.java @@ -333,8 +333,9 @@ public class DigestAuthenticationFilter extends GenericFilterBean implements Mes "Response realm name '{0}' does not match system realm name of '{1}'")); } // Check nonce was Base64 encoded (as sent by DigestAuthenticationEntryPoint) + final byte[] nonceBytes; try { - Base64.getDecoder().decode(this.nonce.getBytes()); + nonceBytes = Base64.getDecoder().decode(this.nonce.getBytes()); } catch (IllegalArgumentException ex) { throw new BadCredentialsException( @@ -343,7 +344,7 @@ public class DigestAuthenticationFilter extends GenericFilterBean implements Mes } // Decode nonce from Base64 format of nonce is: base64(expirationTime + ":" + // md5Hex(expirationTime + ":" + key)) - String nonceAsPlainText = new String(Base64.getDecoder().decode(this.nonce.getBytes())); + String nonceAsPlainText = new String(nonceBytes); String[] nonceTokens = StringUtils.delimitedListToStringArray(nonceAsPlainText, ":"); if (nonceTokens.length != 2) { throw new BadCredentialsException(DigestAuthenticationFilter.this.messages.getMessage(