[KYUUBI #7403] Password with colon bug fixes

oh0873 · pan3793 · commit 80ff8b352322 · 2026-04-16T15:29:11.000+08:00
### Why are the changes needed? If a password contains a colon, REST API does not pick up colons. Similarly, password string like `correctpassword:random-charachars` gets parsed as `correctpassword`. ### How was this patch tested? Tested in local build, password with colon are getting parsed properly. ### Was this patch authored or co-authored using generative AI tooling? Test Suite was helped by Cursor auto-complete. Closes #7404 from oh0873/hoonoh/colon-password-bug-fix. Closes #7403 1bd8e19 [Hoon Oh] Password with colon bug fixes Authored-by: Hoon Oh <hoonoh@geico.com> Signed-off-by: Cheng Pan <chengpan@apache.org>
diff --git a/kyuubi-server/src/main/scala/org/apache/kyuubi/server/http/authentication/BasicAuthenticationHandler.scala b/kyuubi-server/src/main/scala/org/apache/kyuubi/server/http/authentication/BasicAuthenticationHandler.scala
@@ -69,7 +69,7 @@ class BasicAuthenticationHandler(basicAuthType: AuthType)
     val authorization = getAuthorization(request)
     val inputToken = Option(authorization).map(a => Base64.getDecoder.decode(a.getBytes()))
       .getOrElse(Array.empty[Byte])
-    val creds = new String(inputToken, Charset.forName("UTF-8")).split(":")
+    val creds = new String(inputToken, Charset.forName("UTF-8")).split(":", 2)
 
     if (allowAnonymous) {
       authUser = creds.take(1).headOption.filterNot(_.isEmpty).getOrElse("anonymous")
diff --git a/kyuubi-server/src/main/scala/org/apache/kyuubi/server/http/authentication/KyuubiInternalAuthenticationHandler.scala b/kyuubi-server/src/main/scala/org/apache/kyuubi/server/http/authentication/KyuubiInternalAuthenticationHandler.scala
@@ -48,7 +48,7 @@ class KyuubiInternalAuthenticationHandler extends AuthenticationHandler with Log
     val authorization = getAuthorization(request)
     val inputToken = Option(authorization).map(a => Base64.getDecoder.decode(a.getBytes()))
       .getOrElse(Array.empty[Byte])
-    val creds = new String(inputToken, StandardCharsets.UTF_8).split(":")
+    val creds = new String(inputToken, StandardCharsets.UTF_8).split(":", 2)
 
     if (creds.size < 2 || creds(0).trim.isEmpty || creds(1).trim.isEmpty) {
       response.setHeader(WWW_AUTHENTICATE_HEADER, authScheme.toString)
diff --git a/kyuubi-server/src/test/scala/org/apache/kyuubi/operation/KyuubiRestAuthenticationSuite.scala b/kyuubi-server/src/test/scala/org/apache/kyuubi/operation/KyuubiRestAuthenticationSuite.scala
@@ -240,6 +240,15 @@ class KyuubiRestCustomAuthenticationTest extends KyuubiRestAuthenticationSuite {
     assert(HttpServletResponse.SC_OK == response.getStatus)
   }
 
+  test("test with invalid CUSTOM http basic authorization that contains colon") {
+    val response = webTarget.path("api/v1/sessions/count")
+      .request()
+      .header(AUTHORIZATION_HEADER, basicAuthorizationHeader("user", "password:with:colons"))
+      .get()
+
+    assert(HttpServletResponse.SC_FORBIDDEN == response.getStatus)
+  }
+
   test("test with invalid CUSTOM http basic authorization") {
     val response = webTarget.path("api/v1/sessions/count")
       .request()
