AXIS2-6055 Restrict preemptive Basic Auth to HTTPS connections

robertlazarski · robertlazarski · commit 754a25817040 · 2026-04-20T10:32:48.000-10:00
Preemptive authentication sends credentials on the first request
without waiting for a 401 challenge. Over plain HTTP, base64-encoded
credentials are trivially interceptable.

Add HTTPS check: preemptive auth only sends the Authorization header
when the connection scheme is HTTPS. On HTTP, logs a warning and
skips preemptive auth — credentials will still be sent via the
normal challenge/response flow if the server requests them.

Found by local Gemini Pro security review.
diff --git a/modules/transport/http/src/main/java/org/apache/axis2/transport/http/impl/httpclient5/RequestImpl.java b/modules/transport/http/src/main/java/org/apache/axis2/transport/http/impl/httpclient5/RequestImpl.java
@@ -339,10 +339,17 @@ public void enableAuthentication(HTTPAuthenticator authenticator) {
         // AXIS2-6055: Preemptive authentication — send credentials on the first
         // request without waiting for a 401 challenge. This was supported in
         // Axis2 1.7 (HC 4) but the TODO was never implemented for HC 5.
+        // Only applies to Basic auth over HTTPS to prevent credential exposure.
         if (authenticator.getPreemptiveAuthentication() && username != null && password != null) {
-            String credentials = username + ":" + password;
-            String encoded = java.util.Base64.getEncoder().encodeToString(credentials.getBytes(java.nio.charset.StandardCharsets.UTF_8));
-            httpRequestMethod.setHeader("Authorization", "Basic " + encoded);
+            String scheme = httpRequestMethod.getScheme();
+            if (!"https".equalsIgnoreCase(scheme)) {
+                log.warn("Preemptive authentication skipped: connection is not HTTPS. " +
+                         "Credentials will not be sent preemptively over an insecure connection.");
+            } else {
+                String credentials = username + ":" + password;
+                String encoded = java.util.Base64.getEncoder().encodeToString(credentials.getBytes(java.nio.charset.StandardCharsets.UTF_8));
+                httpRequestMethod.setHeader("Authorization", "Basic " + encoded);
+            }
         }
 
         /* Customizing the priority Order */
