Jenkins and plugins versions report
Environment
Jenkins: 2.492.2
OS: Linux - 6.1.0-31-cloud-amd64
Java: 17.0.14 - Debian (OpenJDK 64-Bit Server VM)
---
ansicolor:1.0.6
ant:513.vde9e7b_a_0da_0f
antexec:382.vb_58dfa_a_4f141
antisamy-markup-formatter:173.v680e3a_b_69ff3
apache-httpcomponents-client-4-api:4.5.14-269.vfa_2321039a_83
apache-httpcomponents-client-5-api:5.4-136.v5a_21779c63f8
asm-api:9.7.1-97.v4cc844130d97
atlassian-jira-software-cloud:2.0.15
authentication-tokens:1.131.v7199556c3004
bitbucket:263.v7f6ef03c9ef8
bootstrap5-api:5.3.3-2
bouncycastle-api:2.30.1.80-256.vf98926042a_9b_
branch-api:2.1214.v3f652804588d
build-monitor-plugin:1.14-961.v676e38a_7a_248
build-user-vars-plugin:195.v8c35f9d5c3dc
build-with-parameters:76.v9382db_f78962
caffeine-api:3.2.0-161.v691ef352cee1
checks-api:367.v18b_7f530e54a_
cloudbees-bitbucket-branch-source:935.1.2
cloudbees-folder:6.985.va_f1635030cc5
command-launcher:118.v72741845c17a_
commons-compress-api:1.27.1-3
commons-lang3-api:3.17.0-84.vb_b_938040b_078
commons-text-api:1.13.0-153.v91dcd89e2a_22
console-column-plugin:261.vd7e35335049b_
coverage:2.2.0
credentials:1408.va_622a_b_f5b_1b_1
credentials-binding:687.v619cb_15e923f
customize-build-now:37.vb_1597f5c858d
dark-theme:524.vd675b_22b_30cb_
dashboard-view:2.528.v3470c02b_d7c9
data-tables-api:2.2.2-1
display-url-api:2.209.v582ed814ff2f
durable-task:587.v84b_877235b_45
echarts-api:5.6.0-2
eddsa-api:0.3.0.1-16.vcb_4a_98a_3531c
envinject:2.926.v69c9b_3896a_96
envinject-api:1.235.va_14c74f8f487
font-awesome-api:6.7.2-1
forensics-api:3.1.0
generic-webhook-trigger:2.3.1
git:5.7.0
git-client:6.1.2
git-forensics:3.2.0
gson-api:2.12.1-113.v347686d6729f
handy-uri-templates-2-api:2.1.8-36.v85e4cb_234a_13
hidden-parameter:414.vfe0a_8b_052546
htmlpublisher:425
inline-pipeline:1.0.3
instance-identity:203.v15e81a_1b_7a_38
ionicons-api:82.v0597178874e1
jackson2-api:2.18.3-402.v74c4eb_f122b_2
jakarta-activation-api:2.1.3-2
jakarta-mail-api:2.1.3-2
javax-activation-api:1.2.0-8
javax-mail-api:1.6.2-11
jaxb:2.3.9-133.vb_ec76a_73f706
jdk-tool:83.v417146707a_3d
jersey2-api:2.45-154.v4ded3dc34f81
jira:3.14
joda-time-api:2.13.1-115.va_6b_5f8efb_1d8
jquery3-api:3.7.1-3
jsch:0.2.16-95.v3eecb_55fa_b_78
json-api:20250107-125.v28b_a_ffa_eb_f01
json-path-api:2.9.0-148.v22a_7ffe323ce
jsoup:1.19.1-36.v63b_c859911d0
junit:1317.v5b_35d792b_06a_
keycloak:2.3.2
mailer:489.vd4b_25144138f
markdown-formatter:235.v2b_16f8e14918
mask-passwords:188.v66e477dcb_24a_
matrix-auth:3.2.5
matrix-project:845.vffd7fa_f27555
mercurial:1309.v6802b_f0efb_b_9
metrics:4.2.21-464.vc9fa_a_0d6265d
mina-sshd-api-common:2.14.0-143.v2b_362fc39576
mina-sshd-api-core:2.14.0-143.v2b_362fc39576
nodelabelparameter:759.vb_b_e95db_f3251
oic-auth:4.494.v6b_f419104767
pam-auth:1.12
parameter-separator:276.v7b_5328f5c7a_d
parameterized-scheduler:285.ve611986d4c48
pipeline-build-step:557.v95d96f77b_2b_8
pipeline-graph-analysis:231.v56354571a_da_0
pipeline-groovy-lib:752.vdddedf804e72
pipeline-input-step:517.vf8e782ee645c
pipeline-milestone-step:127.vb_52887ca_3b_6d
pipeline-model-api:2.2247.va_423189a_7dff
pipeline-model-definition:2.2247.va_423189a_7dff
pipeline-model-extensions:2.2247.va_423189a_7dff
pipeline-rest-api:2.37
pipeline-stage-step:322.vecffa_99f371c
pipeline-stage-tags-metadata:2.2247.va_423189a_7dff
pipeline-stage-view:2.37
pipeline-utility-steps:2.19.0
plain-credentials:183.va_de8f1dd5a_2b_
plugin-util-api:6.0.0
prism-api:1.30.0-1
remote-file:1.24
resource-disposer:0.25
scm-api:704.v3ce5c542825a_
script-security:1373.vb_b_4a_a_c26fa_00
show-build-parameters:1.0
simple-theme-plugin:202.v6367d3dea_73b_
slack:761.v2a_8770f0d169
snakeyaml-api:2.3-123.v13484c65210a_
ssh-agent:384.ve275343791a_6
ssh-credentials:355.v9b_e5b_cde5003
sshd:3.353.v2b_d33c46e970
structs:343.vdcf37b_a_c81d5
swarm:3.49
theme-manager:278.v2e3c063e42cc
timestamper:1.28
token-macro:444.v52de7e9c573d
trilead-api:2.192.vc50a_d147e369
variant:70.va_d9f17f859e0
view-job-filters:396.veea_3d19b_9551
workflow-aggregator:608.v67378e9d3db_1
workflow-api:1366.vf1fb_e1a_f6b_22
workflow-basic-steps:1079.vce64b_a_929c5a_
workflow-cps:4045.v0efb_cb_7cea_e9
workflow-durable-task-step:1405.v1fcd4a_d00096
workflow-job:1505.vea_4b_20a_4a_495
workflow-multibranch:803.v08103b_87c280
workflow-scm-step:437.v05a_f66b_e5ef8
workflow-step-api:700.v6e45cb_a_5a_a_21
workflow-support:963.va_600813d04a_a_
ws-cleanup:0.48
What Operating System are you using (both controller, and any agents involved in the problem)?
Debian Bookworm
Reproduction steps
- Install Jenkins with this Plugin
- Enable "Allow access using a Jenkins API token without an OIDC Session"
- Create an API Token
- Send an API request (important to write "basic" instead of "Basic"):
  curl --verbose --fail --header "Authorization: basic xxx" https://$your_domain/$some_api_endpoint
- You don't get the expected API response
Expected Results
API call with API token works.
Actual Results
API call with API token does not work if Basic is lowercase.
Anything else?
The line checks for Basic, but I could find references on the internet that the RFC seems to say it should be handled case-insensitively:
https://blog.teknkl.com/scheme-name-authorization-header-case-insensitive-per-rfc/
It references https://datatracker.ietf.org/doc/html/rfc7235#section-2.1
Are you interested in contributing a fix?
Replacing authHeader.startsWith("Basic ") with authHeader.regionMatches(true, 0, "Basic ", 0, 6) or authHeader.toLowerCase().startsWith("basic "), but I'm not a Java developer, and it probably also needs adjustment of the tests?
I would prefer that somebody with project or Java knowledge takes care of this small issue :)
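As an added illustration of the behaviour this issue reports (example code written for this page, not code from the oic-auth plugin; the class and method names are mine, and the only plugin call it reproduces is the `authHeader.startsWith("Basic ")` check quoted above), the following Java class puts the case-sensitive check next to the `regionMatches(true, ...)` variant suggested in the issue, and adds a small header parser that follows RFC 7235 section 2.1, where the auth-scheme token is compared case-insensitively. The sample credentials are constructed for the demo.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Optional;

/**
 * Added example, not plugin code: shows why a case-sensitive
 * startsWith("Basic ") rejects "basic xxx", and how the same check
 * behaves when the scheme is matched case-insensitively as RFC 7235
 * section 2.1 requires.
 */
public final class BasicSchemeCheck {

    private static final String BASIC_PREFIX = "Basic ";

    /** The strict check described in the issue: only "Basic " matches. */
    static boolean strictStartsWithBasic(String authHeader) {
        return authHeader != null && authHeader.startsWith(BASIC_PREFIX);
    }

    /** The fix proposed in the issue: "Basic ", "basic " and "BASIC " all match. */
    static boolean startsWithBasicIgnoreCase(String authHeader) {
        return authHeader != null
                && authHeader.regionMatches(true, 0, BASIC_PREFIX, 0, BASIC_PREFIX.length());
    }

    /**
     * Extracts the token68 part of a Basic Authorization header. The scheme
     * is compared case-insensitively and one or more spaces or tabs are
     * accepted between scheme and credentials. Returns empty for a missing
     * header, a different scheme, or a header with no credential part.
     */
    static Optional<String> basicCredentials(String authHeader) {
        if (authHeader == null) {
            return Optional.empty();
        }
        String[] parts = authHeader.trim().split("[ \\t]+", 2);
        if (parts.length != 2 || !parts[0].equalsIgnoreCase("Basic")) {
            return Optional.empty();
        }
        return Optional.of(parts[1]);
    }

    /** Decodes "user:secret" into {user, secret}; empty when not valid base64 or no colon. */
    static Optional<String[]> decodeUserAndSecret(String base64) {
        try {
            String decoded = new String(Base64.getDecoder().decode(base64), StandardCharsets.UTF_8);
            int colon = decoded.indexOf(':');
            if (colon < 0) {
                return Optional.empty();
            }
            return Optional.of(new String[] { decoded.substring(0, colon), decoded.substring(colon + 1) });
        } catch (IllegalArgumentException e) {
            return Optional.empty();
        }
    }

    public static void main(String[] args) {
        // Constructed sample credentials: user "alice", API token "apitoken123".
        String cred = Base64.getEncoder()
                .encodeToString("alice:apitoken123".getBytes(StandardCharsets.UTF_8));
        String[] headers = { "Basic " + cred, "basic " + cred, "BASIC " + cred, "Bearer " + cred };
        for (String header : headers) {
            String scheme = header.substring(0, header.indexOf(' '));
            String user = basicCredentials(header)
                    .flatMap(BasicSchemeCheck::decodeUserAndSecret)
                    .map(parts -> parts[0])
                    .orElse("-");
            System.out.printf("%-7s strict=%-5s ignoreCase=%-5s user=%s%n",
                    scheme, strictStartsWithBasic(header), startsWithBasicIgnoreCase(header), user);
        }
    }
}
```

Running `main` walks through the same four headers a client might send; only the "Basic" spelling passes the strict check, while all three casings pass the case-insensitive check and decode to the same user, and the "Bearer" header is rejected by both. The `regionMatches(true, 0, "Basic ", 0, 6)` form avoids the temporary string that `toLowerCase()` would allocate on every request and, unlike `toLowerCase()`, is not affected by the JVM's default locale.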