Configuration parameter 'cookie-encryption-password' takes only a single character rather than a string (#4512)

security/providers/oidc-common/src/main/java/io/helidon/security/providers/oidc/common/OidcConfig.java

@@ -1283,7 +1283,8 @@ public Builder config(Config config) {
             config.get("header-token").as(TokenHandler.class).ifPresent(this::headerTokenHandler);
             // encryption of cookies
             config.get("cookie-encryption-enabled").asBoolean().ifPresent(this::cookieEncryptionEnabled);
-            config.get("cookie-encryption-password").as(char[].class).ifPresent(this::cookieEncryptionPassword);
+            config.get("cookie-encryption-password").as(Builder::toCookieEncryptionPassword)
+                    .ifPresent(this::cookieEncryptionPassword);
             config.get("cookie-encryption-name").asString().ifPresent(this::cookieEncryptionName);
 
             // OIDC server configuration
@@ -2054,5 +2055,13 @@ public Builder clientTimeout(Duration duration) {
         private void clientTimeoutMillis(long millis) {
             this.clientTimeout(Duration.ofMillis(millis));
         }
+
+        private static char[] toCookieEncryptionPassword(Config value) {
+            String cookieEncryptionPasswordValue = value.asString().get();
+            if (cookieEncryptionPasswordValue == null || cookieEncryptionPasswordValue.trim().isEmpty()) {
+                throw new IllegalArgumentException("Required value for cookieEncryptionPassword is missing");
+            }
+            return cookieEncryptionPasswordValue.toCharArray();
+        }
     }
 }

security/providers/oidc-common/src/test/java/io/helidon/security/providers/oidc/common/OidcConfigFromBuilderTest.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2018, 2021 Oracle and/or its affiliates.
+ * Copyright (c) 2018, 2022 Oracle and/or its affiliates.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -16,7 +16,14 @@
 
 package io.helidon.security.providers.oidc.common;
 
+import io.helidon.config.Config;
+import io.helidon.config.ConfigSources;
+import org.junit.jupiter.api.Test;
+import static org.junit.jupiter.api.Assertions.fail;
+
 import java.net.URI;
+import java.util.Arrays;
+import java.util.Map;
 
 /**
  * Unit test for {@link OidcConfig}.
@@ -43,4 +50,27 @@ class OidcConfigFromBuilderTest extends OidcConfigAbstractTest {
     OidcConfig getConfig() {
         return oidcConfig;
     }
+
+    @Test
+    void testCookieEncryptionPasswordFromBuilderConfig() {
+        // Allow a String
+        getBuilder(Map.of("cookie-encryption-password", "PasswordString"));
+        // Don't allow empty password values
+        for (String passwordValue : Arrays.asList("", "    ")) {
+            try {
+                getBuilder(Map.of("cookie-encryption-password", passwordValue));
+                fail("Empty value for cookie-encryption-password is not allowed");
+            } catch (IllegalArgumentException ie) {
+                // this is expected
+            }
+        }
+    }
+
+    private OidcConfig.Builder getBuilder(Map<String, String> map) {
+        return OidcConfig.builder().config(
+                Config.builder()
+                        .sources(ConfigSources.create(map))
+                        .build()
+                );
+    }
 }