[ https://issues.apache.org/jira/browse/ARTEMIS-3388?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17381564#comment-17381564 ]
Justin Bertram commented on ARTEMIS-3388: ----------------------------------------- Running this through the debugger I can see that initially the {{%2B}} in {{ENC(ql6LSJ%2BYMxGN1yn1r/F0yw==)}} is converted to a {{\+}} via {{java.net.URI#getQuery}} in {{org.apache.activemq.artemis.utils.uri.URISchema#newObject(java.net.URI, java.util.Map<java.lang.String,java.lang.String>, P)}}. Then the {{\+}} is converted to a space character via {{org.apache.activemq.artemis.utils.uri.BeanSupport#decodeURI}} in {{org.apache.activemq.artemis.utils.uri.URISchema#parseQuery}} resulting in the ultimate value of {{ENC(ql6LSJ YMxGN1yn1r/F0yw==)}} which is incorrect. I'll send a fix for this, but you also need to URL encode {{ENC(ql6LSJ%2BYMxGN1yn1r/F0yw==)}} in the first place. In other words, you should be using {{ENC%28ql6LSJ%252BYMxGN1yn1r%2FF0yw%3D%3D%29}} otherwise the {{%2B}} will be decoded to a {{\+}} which will _still_ be incorrect (i.e. a misconfiguration on your part). > Encoded acceptor passwords replace plus + sign with space > --------------------------------------------------------- > > Key: ARTEMIS-3388 > URL: https://issues.apache.org/jira/browse/ARTEMIS-3388 > Project: ActiveMQ Artemis > Issue Type: Bug > Affects Versions: 2.17.0 > Reporter: Aaron Steigerwald > Priority: Minor > > An encoded acceptor password like > keyStorePassword=ENC(ql6LSJ%2BYMxGN1yn1r/F0yw==) is changed to ENC(ql6LSJ > YMxGN1yn1r/F0yw==) prior to being passed to the SensitiveDataCodec.decode > method. This causes exceptions like "java.lang.IllegalArgumentException: > Illegal base64 character 20" if the SensitiveDataCodec implementation is > expecting Base64 characters because a space is not a valid Base64 character . > This appears to be happening because the string is URL decoded twice. The > first time is implicit in the > org.apache.activemq.artemis.utils.uri.URISchema.newObject method. It calls > uri.getQuery(), which according to > [https://docs.oracle.com/javase/8/docs/api/java/net/URI.html] "The > getUserInfo, getPath, getQuery, getFragment, getAuthority, and > getSchemeSpecificPart methods +decode+ any escaped octets in their > corresponding components. The strings returned by these methods may contain > both other characters and illegal characters, and will not contain any > escaped octets." The second time is explicit in the > org.apache.activemq.artemis.utils.uri.BeanSupport.decodeURI method. It calls > URLDecoder.decode(value, "UTF-8"). > The workaround is to replace all spaces with plus + characters in the custom > SensitiveDataCodec.decode method. This is safe because the method is > expecting only valid Base64 characters and the space character will only > exist if it's been converted from a plus + character. -- This message was sent by Atlassian Jira (v8.3.4#803005)