Summary

BasicAuthenticationConverter in BasicAuthenticationFilter ignores given credentials charset.

Actual Behavior

We try to override the credential charset using an ObjectPostProcessor:

httpSecurity
    .httpBasic()
    .addObjectPostProcessor(
        new ObjectPostProcessor<BasicAuthenticationFilter>() {
            @Override
            public <O extends BasicAuthenticationFilter> O postProcess(O filter) {
                filter.setCredentialsCharset("ISO-8859-1"); // <-- try to override default charset
                return filter;
            }
        }
    );

Actual implementation of BasicAuthenticationFilter#setCredentialsCharset:

public void setCredentialsCharset(String credentialsCharset) {
    Assert.hasText(credentialsCharset, "credentialsCharset cannot be null or empty");
    this.credentialsCharset = credentialsCharset;
}

However, the given credentialsCharset is never used in BasicAuthenticationFilter, and especially not in BasicAuthenticationFilter#BasicAuthenticationConverter. So the token is read with the default charset UTF-8 and not, as needed, with ISO-8859-1.

Expected Behavior

Corrected BasicAuthenticationFilter#setCredentialsCharset:

public void setCredentialsCharset(String credentialsCharset) {
    Assert.hasText(credentialsCharset, "credentialsCharset cannot be null or empty");
    this.credentialsCharset = credentialsCharset; // <-- is never used
    authenticationConverter.setCredentialsCharset(credentialsCharset); // <-- bugfix
}

Version

v5.2.0 - v5.2.1
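
The effect of the ignored charset on a non-ASCII password, as an added stand-alone example that is not part of the original report and not Spring Security code. The class name, the decode helper and the sample credentials are constructed for illustration; the helper only imitates the decode step of a Basic-auth converter using the JDK.

```java
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class BasicCharsetMismatch {

    // Hypothetical helper: strip the scheme, Base64-decode, interpret the
    // bytes in the given charset, then split on the first ':'.
    static String[] decode(String header, Charset charset) {
        if (!header.regionMatches(true, 0, "Basic ", 0, 6)) {
            throw new IllegalArgumentException("not a Basic Authorization header");
        }
        byte[] raw = Base64.getDecoder().decode(header.substring(6).trim());
        String token = new String(raw, charset);
        int delim = token.indexOf(':');
        if (delim == -1) {
            throw new IllegalArgumentException("invalid basic authentication token");
        }
        return new String[] { token.substring(0, delim), token.substring(delim + 1) };
    }

    public static void main(String[] args) {
        // Constructed sample: a client that encodes credentials as ISO-8859-1.
        String user = "alice";
        String password = "p\u00e4ssw\u00f6rd"; // "pässwörd"
        byte[] wire = (user + ":" + password).getBytes(StandardCharsets.ISO_8859_1);
        String header = "Basic " + Base64.getEncoder().encodeToString(wire);

        // Same header, decoded with the converter default and with the intended charset.
        String[] asUtf8 = decode(header, StandardCharsets.UTF_8);
        String[] asLatin1 = decode(header, StandardCharsets.ISO_8859_1);

        // 0xE4 and 0xF6 are not valid UTF-8 sequences here, so the UTF-8 decode
        // substitutes U+FFFD and the recovered password no longer matches.
        System.out.println("UTF-8 decode matches password:      "
                + password.equals(asUtf8[1]));
        System.out.println("ISO-8859-1 decode matches password: "
                + password.equals(asLatin1[1]));
        System.out.println("UTF-8 decode contains U+FFFD:       "
                + (asUtf8[1].indexOf('\uFFFD') >= 0));
    }
}
```

With the behavior reported above, a filter configured for ISO-8859-1 still takes the UTF-8 path, so a correct password containing such characters is rejected while pure-ASCII credentials are unaffected.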

Comment From: fhanik

Thank you for the report. This is a great starting contribution opportunity.

Add a test case to BasicAuthenticationFilterTests. You can use ReflectionTestUtils to see the value of the filter.authenticationConverter.credentialsCharset field.