diff --git a/openapi-security/src/main/java/com/networknt/openapi/JwtVerifyHandler.java b/openapi-security/src/main/java/com/networknt/openapi/JwtVerifyHandler.java
index b65a947f..49585e38 100644
--- a/openapi-security/src/main/java/com/networknt/openapi/JwtVerifyHandler.java
+++ b/openapi-security/src/main/java/com/networknt/openapi/JwtVerifyHandler.java
@@ -119,7 +119,13 @@ public boolean handleJwt(HttpServerExchange exchange, String pathPrefix, String
 if (logger.isTraceEnabled() && authorization != null && authorization.length() > 10) logger.trace("Authorization header = " + authorization.substring(0, 10));
-
+ // if an empty authorization header or a value length less than 6 ("Basic "), return an error
+ if(authorization == null || authorization.trim().length() < 6) {
+ setExchangeStatus(exchange, STATUS_INVALID_AUTH_TOKEN);
+ exchange.endExchange();
+ if (logger.isDebugEnabled()) logger.debug("JwtVerifyHandler.handleRequest ends with an error.");
+ return false;
+ }
 authorization = this.getScopeToken(authorization, headerMap);
 boolean ignoreExpiry = config.isIgnoreJwtExpiry();
diff --git a/openapi-security/src/test/java/com/networknt/openapi/JwtVerifyHandlerTest.java b/openapi-security/src/test/java/com/networknt/openapi/JwtVerifyHandlerTest.java
index 090edec6..0b76c659 100644
--- a/openapi-security/src/test/java/com/networknt/openapi/JwtVerifyHandlerTest.java
+++ b/openapi-security/src/test/java/com/networknt/openapi/JwtVerifyHandlerTest.java
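Review bot: The new guard in handleJwt sizes only the raw header (`trim().length() < 6`, enough for "Basic "), so a header that passes it can still produce a null or blank token once `getScopeToken` on the next line substitutes a value looked up from `headerMap`, and a bare `Bearer` with no token passes the length check as well; unless the code below the hunk rejects a null or blank result, the same rejection should follow the substitution, `if (authorization == null || authorization.trim().isEmpty()) { setExchangeStatus(exchange, STATUS_INVALID_AUTH_TOKEN); exchange.endExchange(); return false; }`. The comment should say that this is a cheap pre-filter and that scheme and token validity are decided later, rather than implying six characters make a valid header. A null header is an absent token rather than an invalid one; if the handler defines a distinct missing-token status, returning it for the null branch lets clients and log consumers tell the two cases apart. Style-wise the new `if(` lacks the space the surrounding code uses. handleJwt starts and ends outside the hunk.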
@@ -361,4 +361,40 @@ public void testH2CDisabledRequest() throws Exception {
 Assert.assertEquals("ERR10008", status.getCode());
 }
 }
+
+ @Test
+ public void testEmptyAuthorizationHeader() throws Exception {
+ final Http2Client client = Http2Client.getInstance();
+ final CountDownLatch latch = new CountDownLatch(1);
+ final ClientConnection connection;
+ try {
+ connection = client.connect(new URI("http://localhost:7081"), Http2Client.WORKER, Http2Client.SSL, Http2Client.BUFFER_POOL, OptionMap.EMPTY).get();
+ } catch (Exception e) {
+ throw new ClientException(e);
+ }
+ final AtomicReference reference = new AtomicReference<>();
+ try {
+ ClientRequest request = new ClientRequest().setPath("/v1/pets/111").setMethod(Methods.GET);
+ request.getRequestHeaders().put(Headers.HOST, "localhost");
+ request.getRequestHeaders().put(Headers.AUTHORIZATION, "");
+ connection.sendRequest(request, client.createClientCallback(reference, latch));
+ latch.await();
+ } catch (Exception e) {
+ logger.error("Exception: ", e);
+ throw new ClientException(e);
+ } finally {
+ IoUtils.safeClose(connection);
+ }
+ int statusCode = reference.get().getResponseCode();
+ logger.debug("statusCode = " + statusCode);
+ String responseBody = reference.get().getAttachment(Http2Client.RESPONSE_BODY);
+ logger.debug("responseBody = " + responseBody);
+ Assert.assertEquals(401, statusCode);
+ if (statusCode == 401) {
+ Status status = Config.getInstance().getMapper().readValue(responseBody, Status.class);
+ Assert.assertNotNull(status);
+ Assert.assertEquals("ERR10000", status.getCode());
+ }
+ }
+
 }
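Review bot: `latch.await()` in testEmptyAuthorizationHeader has no timeout, so if the client callback never completes the new test hangs the suite instead of failing; `Assert.assertTrue(latch.await(10, TimeUnit.SECONDS));` fails fast (TimeUnit may need an import, and the import block is outside the hunk). The `if (statusCode == 401)` after `Assert.assertEquals(401, statusCode)` is dead, because the assertion already stops the test on any other code, so the status-parsing block can run unconditionally. The test pins only the empty-string case, while the guard also rejects an absent header and short values such as `"abc"`; a request with no Authorization header at all would cover the null branch. `final AtomicReference reference` is a raw type; declaring it with the response type the callback fills in removes the unchecked warning.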