
Authorization key lookup in BearerTokenAuthenticationExtractor should be case insensitive #1116


Closed
Ata-Whisky opened this issue Jan 30, 2025 · 2 comments
Assignees
Labels
type: enhancement A general enhancement
Milestone

Comments

@Ata-Whisky

Ata-Whisky commented Jan 30, 2025

Hello,

When BearerTokenAuthenticationExtractor extracts the authorization value from a web-socket message payload, the case sensitivity of the key matters. Aka when Authorization is used on the server side as the key and the client sent authorization in the payload, it does not match.

Could it be possible to make key matching case insensitive?

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Jan 30, 2025
@harshithsaiv

harshithsaiv commented Jan 30, 2025

I think we can make the key matching case-insensitive by creating a custom AuthenticationPayloadMatcher which will check for the authorization header in a case sensitive manner.

```java
import java.util.Map;
import java.util.Objects;

public class CaseInsensitiveBearer implements AuthenticationPayloadMatcher {

    // Stored lower-cased once; every lookup compares ignoring case.
    private final String headerName;

    public CaseInsensitiveBearer(String headerName) {
        this.headerName = headerName.toLowerCase();
    }

    @Override
    public boolean matches(Map<String, Object> payload) {
        return payload.keySet().stream()
                .anyMatch(key -> key.equalsIgnoreCase(headerName));
    }

    @Override
    public String extractAuthorization(Map<String, Object> payload) {
        return payload.entrySet().stream()
                .filter(entry -> entry.getKey().equalsIgnoreCase(headerName))
                .map(Map.Entry::getValue)
                .filter(Objects::nonNull)   // findFirst() would throw on a null value
                .map(Object::toString)
                .findFirst()
                .orElse(null);
    }
}
```

And when we are configuring Spring to make use of the custom matcher:

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class AuthorizationMatcherConfig {   // configuration class name chosen for this snippet

    @Bean
    public AuthenticationPayloadMatcher authenticationPayloadMatcher() {
        return new CaseInsensitiveBearer("Authorization");
    }

    @Bean
    public BearerTokenAuthenticationTokenResolver bearerTokenResolver() {
        return new BearerTokenAuthenticationTokenResolver();
    }
}
```
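The case-insensitive key lookup discussed in this comment, as an added example that is neither code from this issue nor the project's own: it assumes Java 17 and a payload already deserialized into a plain Map<String, Object>, and adds two checks the sketch above does not make, rejecting keys that differ only by case (a HashMap gives no stable "first" match) and matching the Bearer scheme name itself case-insensitively.

```java
import java.util.Map;
import java.util.Optional;

public final class AuthorizationKeyLookup {
    private static final String HEADER = "authorization";
    private static final String SCHEME = "bearer ";

    // Returns the bearer token, or empty if no authorization entry is present.
    // Throws on ambiguous or malformed payloads instead of guessing.
    public static Optional<String> extractBearerToken(Map<String, Object> payload) {
        // Keys that differ only by case ("Authorization" and "authorization") are
        // ambiguous: a HashMap has no stable "first" entry, so refuse to pick one.
        var matches = payload.keySet().stream()
                .filter(k -> k != null && k.equalsIgnoreCase(HEADER))
                .toList();
        if (matches.isEmpty()) {
            return Optional.empty();
        }
        if (matches.size() > 1) {
            throw new IllegalArgumentException("ambiguous authorization keys: " + matches);
        }
        if (!(payload.get(matches.get(0)) instanceof String header)) {
            throw new IllegalArgumentException("authorization value must be a string");
        }
        // The auth-scheme name is case-insensitive as well (RFC 9110, section 11.1).
        if (!header.regionMatches(true, 0, SCHEME, 0, SCHEME.length())) {
            throw new IllegalArgumentException("not a bearer credential");
        }
        String token = header.substring(SCHEME.length()).trim();
        if (token.isEmpty()) {
            throw new IllegalArgumentException("empty bearer token");
        }
        return Optional.of(token);
    }

    public static void main(String[] args) {
        // Constructed payloads standing in for a client's WebSocket connection message.
        System.out.println(extractBearerToken(Map.of("authorization", "Bearer abc123")));
        System.out.println(extractBearerToken(Map.of("Authorization", "bearer abc123")));
        System.out.println(extractBearerToken(Map.of("x-other", "value")));
        try {
            extractBearerToken(Map.of("Authorization", "Bearer a", "authorization", "Bearer b"));
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```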

@Ata-Whisky
Author

Ata-Whisky commented Jan 30, 2025

You were faster :)

Yeah, I came to the same conclusion. Some key matching strategy seems like a better solution. It could be a lambda passed to the constructor or a similar approach.

@rstoyanchev rstoyanchev self-assigned this Feb 12, 2025
@rstoyanchev rstoyanchev added type: enhancement A general enhancement and removed status: waiting-for-triage An issue we've not yet triaged labels Feb 12, 2025
@rstoyanchev rstoyanchev added this to the 1.3.4 milestone Feb 12, 2025
@rstoyanchev rstoyanchev changed the title from "BearerTokenAuthenticationExtractor is case sensitive when extracting auth key" to "Authorization key lookup in BearerTokenAuthenticationExtractor should be case insensitive" Feb 12, 2025

4 participants