
Authentication scheme in authorization header must be case insensitive #31486

Closed
@bizybot

Description

Elasticsearch version (bin/elasticsearch --version):
All versions affected

Plugins installed: []

JVM version (java -version):
java version "10" 2018-03-20
Java(TM) SE Runtime Environment 18.3 (build 10+46)
Java HotSpot(TM) 64-Bit Server VM 18.3 (build 10+46, mixed mode)

OS version (uname -a if on a Unix-like system):
Darwin X 17.6.0 Darwin Kernel Version 17.X.X: Tue May X X:22:16 X 2018; root:xnu-4570.61.1~1/RELEASE_X86_64 x86_64

Description of the problem including expected versus actual behavior:
According to RFC 7617, the authorization scheme should not be case sensitive; thus BASIC, or Basic, or basic are all valid.
The same applies to bearer tokens, where the "Bearer " auth scheme is used. Ref: RFC 6750, RFC 7235:

"Note that both scheme and parameter names are matched case-insensitively."

Steps to reproduce:

Following example invocations fail:
curl -k -v -H "Authorization: basic ZW..." https://es.demo.local:9200/_xpack?pretty
curl -k -v -H "Authorization: BASIC ZW..." https://es.demo.local:9200/_xpack?pretty
curl -k -H "Authorization: bearer wZ+..." https://es.ipademo.local:9200/_xpack?pretty

Workaround: "Basic "/"Bearer " works; whether this can be set in the Authorization: header depends on the HTTP client used.

Provide logs (if relevant): NA
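The RFC 7235 grammar the report cites is `credentials = auth-scheme [ 1*SP ( token68 / #auth-param ) ]`, with `auth-scheme` compared case-insensitively. The following is an added illustration, not Elasticsearch code and not code from the reporter: a deliberately strict prefix matcher of the kind that produces the failures above, next to a small RFC 7235/7617-style parser that lower-cases the scheme before dispatching. The header values, the `elastic:changeme` credentials and the `AbCdEf123456` token are constructed for the example; the `ZW...`/`wZ+...` values in the issue are truncated and not reused.

```python
import base64
import re

# Constructed sample Authorization header values (not taken from the issue).
BASIC_CREDS = base64.b64encode(b"elastic:changeme").decode("ascii")
SAMPLE_HEADERS = [
    "Basic " + BASIC_CREDS,
    "basic " + BASIC_CREDS,
    "BASIC " + BASIC_CREDS,
    "Bearer   AbCdEf123456",   # RFC 7235 allows 1*SP between scheme and token68
    "bearer AbCdEf123456",
    'Digest username="x"',     # unsupported scheme: must be rejected, not crash
    "Basic",                   # scheme with no credentials at all
]

SUPPORTED_SCHEMES = {"basic", "bearer"}


def parse_case_sensitive(value):
    """Strict behaviour: only the exact spellings 'Basic ' / 'Bearer ' match.

    Returns (scheme, credentials) or None. 'basic ' and 'BASIC ' fall through.
    """
    if value.startswith("Basic "):
        return ("basic", value[len("Basic "):])
    if value.startswith("Bearer "):
        return ("bearer", value[len("Bearer "):])
    return None


# auth-scheme is an RFC 7230 token; it is followed by one or more SP and then
# the token68 / auth-params, which we keep opaque as a single string here.
_CREDENTIALS_RE = re.compile(r"^([!#$%&'*+\-.^_`|~0-9A-Za-z]+)(?: +(.*))?$")


def parse_rfc7235(value):
    """RFC 7235 parse: case-insensitive scheme, returns (scheme, param) or None."""
    m = _CREDENTIALS_RE.match(value.strip())
    if not m:
        return None
    scheme = m.group(1).lower()        # case-insensitive comparison
    param = (m.group(2) or "").strip()
    if scheme not in SUPPORTED_SCHEMES or not param:
        return None
    return (scheme, param)


def decode_basic(param):
    """Decode RFC 7617 Basic credentials; returns (user, password) or None.

    Rejects invalid base64 and non-UTF-8 payloads instead of raising, and
    splits on the first ':' so a password may itself contain colons.
    """
    try:
        raw = base64.b64decode(param, validate=True)
    except ValueError:                  # binascii.Error is a ValueError subclass
        return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    user, sep, password = text.partition(":")
    if not sep:
        return None
    return (user, password)


def compare(headers):
    """For each header: (value, accepted by strict parser, accepted by RFC parser)."""
    return [
        (h, parse_case_sensitive(h) is not None, parse_rfc7235(h) is not None)
        for h in headers
    ]


if __name__ == "__main__":
    for value, strict_ok, rfc_ok in compare(SAMPLE_HEADERS):
        print(f"{value!r:45} strict={strict_ok!s:5} rfc7235={rfc_ok}")
```

Running the block shows the three mixed-case Basic/Bearer values being rejected by the strict matcher and accepted by the RFC parser, while the Digest and bare "Basic" lines are rejected by both. Note that only the scheme is normalised; the base64 payload and the bearer token are left exactly as sent, since token68 is case-sensitive.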

Labels: :Security/Authentication, >bug