Merge remote-tracking branch ppkarwasz/basic-auth into 2.x (#1970)

Author: vy

log4j-core/src/main/java/org/apache/logging/log4j/core/util/BasicAuthorizationProvider.java

@@ -16,10 +16,13 @@
  */
 package org.apache.logging.log4j.core.util;
 
+import static java.nio.charset.StandardCharsets.UTF_8;
+
 import java.net.URLConnection;
+import java.nio.charset.Charset;
+import java.util.Base64;
 import org.apache.logging.log4j.Logger;
 import org.apache.logging.log4j.status.StatusLogger;
-import org.apache.logging.log4j.util.Base64Util;
 import org.apache.logging.log4j.util.LoaderUtil;
 import org.apache.logging.log4j.util.PropertiesUtil;
 
@@ -34,6 +37,11 @@ public class BasicAuthorizationProvider implements AuthorizationProvider {
  public static final String CONFIG_USER_NAME = "log4j2.configurationUserName";
  public static final String CONFIG_PASSWORD = "log4j2.configurationPassword";
  public static final String PASSWORD_DECRYPTOR = "log4j2.passwordDecryptor";
+ /*
+ * Properties used to specify the encoding in HTTP Basic Authentication
+ */
+ private static final String BASIC_AUTH_ENCODING = "log4j2.configurationAuthorizationEncoding";
+ private static final String SPRING_BASIC_AUTH_ENCODING = "logging.auth.encoding";
 
  private static final Logger LOGGER = StatusLogger.getLogger();
 
@@ -46,6 +54,11 @@ public BasicAuthorizationProvider(final PropertiesUtil props) {
  props.getStringProperty(PREFIXES, AUTH_PASSWORD, () -> props.getStringProperty(CONFIG_PASSWORD));
  final String decryptor = props.getStringProperty(
  PREFIXES, AUTH_PASSWORD_DECRYPTOR, () -> props.getStringProperty(PASSWORD_DECRYPTOR));
+ // Password encoding
+ Charset passwordCharset = props.getCharsetProperty(BASIC_AUTH_ENCODING);
+ if (passwordCharset == null) {
+ props.getCharsetProperty(SPRING_BASIC_AUTH_ENCODING, UTF_8);
+ }
  if (decryptor != null) {
  try {
  final Object obj = LoaderUtil.newInstanceOf(decryptor);
@@ -57,7 +70,13 @@ public BasicAuthorizationProvider(final PropertiesUtil props) {
  }
  }
  if (userName != null && password != null) {
- authString = "Basic " + Base64Util.encode(userName + ":" + password);
+ /*
+ * https://datatracker.ietf.org/doc/html/rfc7617#appendix-B
+ *
+ * If the user didn't specify a charset to use, we fallback to UTF-8
+ */
+ authString = "Basic "
+ + Base64.getEncoder().encodeToString((userName + ":" + password).getBytes(passwordCharset));
  }
  }
 

src/changelog/.2.x.x/change_basic_auth_encoding.xml

@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<entry xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xmlns="http://logging.apache.org/log4j/changelog"
+ xsi:schemaLocation="http://logging.apache.org/log4j/changelog https://logging.apache.org/log4j/changelog-0.1.2.xsd"
+ type="changed">
+ <issue id="1970" link="https://github.com/apache/logging-log4j2/issues/1970"/>
+ <description format="asciidoc">
+ Change default encoding of HTTP Basic Authentication to UTF-8 and add `log4j2.configurationAuthorizationEncoding` property to overwrite it.
+ </description>
+</entry>

src/site/_release-notes/_2.x.x.adoc

@@ -47,6 +47,7 @@ The module name of four bridges (`log4j-slf4j-impl`, `log4j-slf4j2-impl`, `log4j
 === Changed
 
 * Change the order of evaluation of `FormattedMessage` formatters. Messages are evaluated using `java.util.Format` only if they don't comply to the `java.text.MessageFormat` or `ParameterizedMessage` format. (https://github.com/apache/logging-log4j2/issues/1223[1223])
+* Change default encoding of HTTP Basic Authentication to UTF-8 and add `log4j2.configurationAuthorizationEncoding` property to overwrite it. (https://github.com/apache/logging-log4j2/issues/1970[1970])
 * Update `com.fasterxml.jackson:jackson-bom` to version `2.16.0` (https://github.com/apache/logging-log4j2/pull/1974[1974])
 * Update `com.github.luben:zstd-jni` to version `1.5.5-10` (https://github.com/apache/logging-log4j2/pull/1940[1940])
 * Update `com.google.guava:guava` to version `32.1.3-jre` (https://github.com/apache/logging-log4j2/pull/1875[1875])

src/site/markdown/log4j-spring-cloud-config-client.md

@@ -66,7 +66,8 @@ the alternatives may be used in any configuration location.
 |----------|---------|---------|---------|
 | log4j2.configurationUserName | log4j2.config.username | logging.auth.username | User name for basic authentication |
 | log4j2.configurationPassword | log4j2.config.password | logging.auth.password | Password for basic authentication |
-| log4j2.authorizationProvider | log4j2.config.authorizationProvider | logging.auth.authorizationProvider | Class used to create HTTP Authorization header |
+| log4j2.configurationAuthorizationEncoding | | logging.auth.encoding | Encoding for basic authentication (defaults to UTF-8) |
+| log4j2.configurationAuthorizationProvider | log4j2.config.authorizationProvider | logging.auth.authorizationProvider | Class used to create HTTP Authorization header |
 
 ```
 log4j2.configurationUserName=guest

src/site/xdoc/manual/configuration.xml.vm

@@ -2127,6 +2127,14 @@ public class AwesomeTest {
  "https, file, jar". To completely prevent accessing the configuration via a URL specify a value of "_none".
  </td>
  </tr>
+ <tr>
+ <td><a name="log4j2.configurationAuthorizationEncoding"/>log4j2.configurationAuthorizationEncoding</td>
+ <td>LOG4J_CONFIGURATION_AUTHORIZATION_ENCODING</td>
+ <td>UTF-8</td>
+ <td>
+ The encoding used in Basic Authentication (cf. <a href="https://datatracker.ietf.org/doc/html/rfc7617">RFC 7617</a>).
+ </td>
+ </tr>
  <tr>
  <td><a name="configurationAuthorizationProvider"/>log4j2.Configuration.authorizationProvider
  <br />