Description
Norman Soetbeer opened SPR-16116 and commented
The BasicAuthorizationInterceptor does not accept an empty username, but accepts usernames containing colons. According to the RFCs around basic authentication, empty usernames are not explicitly disallowed, but usernames containing colons are.
I have a commit ready to solve this issue in case you agree with me.
Sources:
[1] https://tools.ietf.org/html/rfc2617#page-6
basic-credentials = base64-user-pass
base64-user-pass = <base64 [4] encoding of user-pass, except not limited to 76 char/line>
user-pass = userid ":" password
userid = *<TEXT excluding ":">
password = *TEXT
[2] https://tools.ietf.org/html/rfc7617#page-5
Furthermore, a user-id containing a colon character is invalid, as
the first colon in a user-pass string separates user-id and password
from one another; text after the first colon is part of the password.
User-ids containing colons cannot be encoded in user-pass strings.
Affects: 5.0.1
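The behaviour the issue asks for, written out as an added Python example (not Spring's `BasicAuthorizationInterceptor` and not code from the reporter's commit): build and parse an HTTP Basic credential following the RFC 2617/7617 grammar quoted above. The encoder rejects a user-id containing a colon, since the first colon in the decoded user-pass string is the separator, and accepts an empty user-id, which the grammar `userid = *<TEXT excluding ":">` allows. The decoder splits on the first colon only, so a password may itself contain colons. The function names are assumptions for this example; the "Aladdin" credential used in the test is the worked example from RFC 7617 section 2.

```python
import base64
from typing import Tuple


def encode_basic_credentials(username: str, password: str) -> str:
    """Return an Authorization header value for HTTP Basic auth.

    Per RFC 7617 section 2 the user-id must not contain ':' because the
    first colon of the user-pass string separates user-id from password.
    An empty user-id is not forbidden by the grammar, so it is allowed.
    """
    if ":" in username:
        raise ValueError("user-id must not contain ':' (RFC 7617, section 2)")
    user_pass = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(user_pass).decode("ascii")


def decode_basic_credentials(header_value: str) -> Tuple[str, str]:
    """Parse an Authorization header value into (user-id, password).

    Splitting on the FIRST colon only mirrors the RFC: everything after it
    belongs to the password, colons included.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic credential")
    # validate=True rejects non-alphabet characters instead of silently dropping them
    user_pass = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    username, sep, password = user_pass.partition(":")
    if not sep:
        raise ValueError("user-pass string has no ':' separator")
    return username, password


if __name__ == "__main__":
    # Constructed sample inputs for a quick manual run.
    print(encode_basic_credentials("", "secret"))          # empty user-id is accepted
    print(decode_basic_credentials("Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="))
    try:
        encode_basic_credentials("us:er", "x")
    except ValueError as exc:
        print("rejected:", exc)
```

Note that a server may still choose to reject an empty user-id as a local policy (no account can match it), but that is a policy decision rather than something the RFC grammar requires, whereas a colon in the user-id makes the credential unencodable and should be refused at construction time.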