[
https://issues.apache.org/jira/browse/ARTEMIS-3388?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17381564#comment-17381564
]
Justin Bertram commented on ARTEMIS-3388:
-----------------------------------------
Running this through the debugger I can see that initially the {{%2B}} in
{{ENC(ql6LSJ%2BYMxGN1yn1r/F0yw==)}} is converted to a {{\+}} via
{{java.net.URI#getQuery}} in
{{org.apache.activemq.artemis.utils.uri.URISchema#newObject(java.net.URI,
java.util.Map<java.lang.String,java.lang.String>, P)}}. Then the {{\+}} is
converted to a space character via
{{org.apache.activemq.artemis.utils.uri.BeanSupport#decodeURI}} in
{{org.apache.activemq.artemis.utils.uri.URISchema#parseQuery}} resulting in the
ultimate value of {{ENC(ql6LSJ YMxGN1yn1r/F0yw==)}} which is incorrect.
I'll send a fix for this, but you also need to URL encode
{{ENC(ql6LSJ%2BYMxGN1yn1r/F0yw==)}} in the first place. In other words, you
should be using {{ENC%28ql6LSJ%252BYMxGN1yn1r%2FF0yw%3D%3D%29}} otherwise the
{{%2B}} will be decoded to a {{\+}} which will _still_ be incorrect (i.e. a
misconfiguration on your part).
> Encoded acceptor passwords replace plus + sign with space
> ---------------------------------------------------------
>
> Key: ARTEMIS-3388
> URL: https://issues.apache.org/jira/browse/ARTEMIS-3388
> Project: ActiveMQ Artemis
> Issue Type: Bug
> Affects Versions: 2.17.0
> Reporter: Aaron Steigerwald
> Priority: Minor
>
> An encoded acceptor password like
> keyStorePassword=ENC(ql6LSJ%2BYMxGN1yn1r/F0yw==) is changed to ENC(ql6LSJ
> YMxGN1yn1r/F0yw==) prior to being passed to the SensitiveDataCodec.decode
> method. This causes exceptions like "java.lang.IllegalArgumentException:
> Illegal base64 character 20" if the SensitiveDataCodec implementation is
> expecting Base64 characters because a space is not a valid Base64 character .
> This appears to be happening because the string is URL decoded twice. The
> first time is implicit in the
> org.apache.activemq.artemis.utils.uri.URISchema.newObject method. It calls
> uri.getQuery(), which according to
> [https://docs.oracle.com/javase/8/docs/api/java/net/URI.html] "The
> getUserInfo, getPath, getQuery, getFragment, getAuthority, and
> getSchemeSpecificPart methods +decode+ any escaped octets in their
> corresponding components. The strings returned by these methods may contain
> both other characters and illegal characters, and will not contain any
> escaped octets." The second time is explicit in the
> org.apache.activemq.artemis.utils.uri.BeanSupport.decodeURI method. It calls
> URLDecoder.decode(value, "UTF-8").
> The workaround is to replace all spaces with plus + characters in the custom
> SensitiveDataCodec.decode method. This is safe because the method is
> expecting only valid Base64 characters and the space character will only
> exist if it's been converted from a plus + character.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
