BasicAuthenticationInterceptor should cache the encoded credentials #23204

Closed
membersound opened this issue Jun 27, 2019 · 2 comments
Labels
in: web Issues in web modules (web, webmvc, webflux, websocket) type: enhancement A general enhancement


membersound commented Jun 27, 2019

As BasicAuthenticationInterceptor is just an Interceptor that recreates the encoded Basic Authentication header for each request, I think the encoded credentials should be cached and reused.

Maybe org.springframework.http.HttpHeaders could offer a static encodeBasicAuth(String username, String password, @Nullable Charset charset) that does the same as setBasicAuth(), but instead of setting the header directly, it just returns the Basic <encoded username:password> string.

The suggested class would therefore change to:

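import java.io.IOException;
import java.nio.charset.Charset;

import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpRequest;
import org.springframework.http.client.ClientHttpRequestExecution;
import org.springframework.http.client.ClientHttpRequestInterceptor;
import org.springframework.http.client.ClientHttpResponse;
import org.springframework.lang.Nullable;
import org.springframework.util.Assert;

public class BasicAuthenticationInterceptor implements ClientHttpRequestInterceptor {

	// Full "Basic <encoded username:password>" header value, computed once
	private final String basicAuth;

	public BasicAuthenticationInterceptor(String username, String password) {
		this(username, password, null);
	}

	public BasicAuthenticationInterceptor(String username, String password, @Nullable Charset charset) {
		Assert.doesNotContain(username, ":", "Username must not contain a colon");
		// encodeBasicAuth is the static method proposed above
		this.basicAuth = HttpHeaders.encodeBasicAuth(username, password, charset);
	}

	@Override
	public ClientHttpResponse intercept(
			HttpRequest request, byte[] body, ClientHttpRequestExecution execution) throws IOException {

		HttpHeaders headers = request.getHeaders();
		// Only add the cached value if the request does not already carry an Authorization header
		if (!headers.containsKey(HttpHeaders.AUTHORIZATION)) {
			headers.set(HttpHeaders.AUTHORIZATION, basicAuth);
		}
		return execution.execute(request, body);
	}

}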

Pro: neither username nor pass has to be kept as cleartext.

spring-projects-issues added the status: waiting-for-triage label Jun 27, 2019
sbrannen added the in: web and type: enhancement labels and removed the status: waiting-for-triage label Jun 27, 2019
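
An added example, not part of the issue and not Spring's code: a JDK-only version of the encode-once idea proposed above, with the colon check and a charset check. It also decodes the cached value again, which shows that the cached string recovers the username and password and needs the same handling as the cleartext credentials. The class and method names, the `"Basic "` prefix handling and the ISO-8859-1 default are assumptions of this example.

```java
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

// Added example with hypothetical names; it does not use or reproduce Spring's classes.
public final class CachedBasicAuthDemo {

    /** Builds the "Basic <base64(username:password)>" value once so it can be reused. */
    static String encodeBasicAuth(String username, String password, Charset charset) {
        if (username.contains(":")) {
            // A receiver splits at the first colon, so user "a:b" would be parsed as user "a".
            throw new IllegalArgumentException("Username must not contain a colon");
        }
        Charset cs = (charset != null ? charset : StandardCharsets.ISO_8859_1); // assumed default
        String pair = username + ":" + password;
        if (!cs.newEncoder().canEncode(pair)) {
            // Without this check, getBytes() silently replaces unmappable characters with '?'.
            throw new IllegalArgumentException("Credentials cannot be encoded in " + cs);
        }
        return "Basic " + Base64.getEncoder().encodeToString(pair.getBytes(cs));
    }

    /** Recovers {username, password} from a cached value: Base64 is an encoding, not encryption. */
    static String[] decodeBasicAuth(String headerValue, Charset charset) {
        if (!headerValue.startsWith("Basic ")) {
            throw new IllegalArgumentException("Not a Basic credential");
        }
        byte[] raw = Base64.getDecoder().decode(headerValue.substring("Basic ".length()));
        String pair = new String(raw, charset);
        int colon = pair.indexOf(':');
        if (colon < 0) {
            throw new IllegalArgumentException("Missing colon separator");
        }
        return new String[] { pair.substring(0, colon), pair.substring(colon + 1) };
    }

    public static void main(String[] args) {
        // Constructed sample credentials; a colon is allowed in the password, not the username.
        String cached = encodeBasicAuth("demo-user", "s3cr:et", null);
        System.out.println(cached);
        String[] parts = decodeBasicAuth(cached, StandardCharsets.ISO_8859_1);
        System.out.println(parts[0] + " / " + parts[1]);
        try {
            encodeBasicAuth("demo-user", "p\u20ACss", null); // euro sign is not in ISO-8859-1
        } catch (IllegalArgumentException ex) {
            System.out.println("rejected: " + ex.getMessage());
        }
    }
}
```
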
@sbrannen
Member

I think that sounds like a worthwhile improvement.

Thanks for raising the issue.

sbrannen added this to the 5.2 RC1 milestone Jun 27, 2019
sbrannen self-assigned this Jun 28, 2019
@sbrannen
Member

This has been resolved in 3e41f5e.

Thanks again for raising the issue.
