Issues in JwtHeaderTokenExtractor.java (master) - Issues in master - Apereo-Learning-Analytics-Initiative/OpenLRW - Measure and Improve Code Quality continuously with Scrutinizer

Issues (123)

auth/jwt/extractor/JwtHeaderTokenExtractor.java (2 issues)

Labels

Security 2

Severity

package unicon.matthews.security.auth.jwt.extractor;

import org.apache.commons.lang3.StringUtils;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.stereotype.Component;

/**
 * An implementation of {@link TokenExtractor} extracts token from
 * Authorization: Bearer scheme.
 * 
 * @author vladimir.stankovic
 *
 * Aug 5, 2016
 */
@Component
public class JwtHeaderTokenExtractor implements TokenExtractor {
    public static String HEADER_PREFIX = "Bearer ";


    @Override
    public String extract(String header) {
        if (StringUtils.isBlank(header)) {
            throw new AuthenticationServiceException("Authorization header cannot be blank!");
        }

        if (header.length() < HEADER_PREFIX.length()) {
            throw new AuthenticationServiceException("Invalid authorization header size.");
        }

        return header.substring(HEADER_PREFIX.length(), header.length());
    }
}


1			package unicon.matthews.security.auth.jwt.extractor;
2
3			import org.apache.commons.lang3.StringUtils;
4			import org.springframework.security.authentication.AuthenticationServiceException;
5			import org.springframework.stereotype.Component;
6
7			/**
8			* An implementation of {@link TokenExtractor} extracts token from
9			* Authorization: Bearer scheme.
10			*
11			* @author vladimir.stankovic
12			*
13			* Aug 5, 2016
14			*/
15			@Component
16			public class JwtHeaderTokenExtractor implements TokenExtractor {
17			public static String HEADER_PREFIX = "Bearer ";
			0 ignored issues – show Security introduced 2019-01-30 08:29 UTC by Report Bug Copy Issue Report Show Similar Issues like this public static fields should always be marked final to prevent them being overwritten in unexpected ways. Consider making `HEADER_PREFIX` final. See this CWE advisory on why this is a security issue. Loading history... Security introduced 2019-01-30 08:29 UTC by Report Bug Copy Issue Report Show Similar Issues like this Make HEADER_PREFIX a static final constant or non-public and provide accessors if needed. Loading history...
18
19			@Override
20			public String extract(String header) {
21			if (StringUtils.isBlank(header)) {
22			throw new AuthenticationServiceException("Authorization header cannot be blank!");
23			}
24
25			if (header.length() < HEADER_PREFIX.length()) {
26			throw new AuthenticationServiceException("Invalid authorization header size.");
27			}
28
29			return header.substring(HEADER_PREFIX.length(), header.length());
30			}
31			}
32

Apereo-Learning-Analytics-Initiative / OpenLRW

Issues (123)

auth/jwt/extractor/JwtHeaderTokenExtractor.java (2 issues)

Labels

Severity

Introduced By

Duplication Side-by-Side

Filter issues like