commons-dev mailing list archives

From Jeff Dever <jsde...@sympatico.ca>
Subject Re: [HttpClient][PATCH] Basic Authentication does not use default credentials
Date Wed, 25 Sep 2002 10:58:36 GMT
There is a test case in TestAuthenticator.java:

    public void testBasicAuthenticationWithDefaultCreds() throws Exception {
        HttpState state = new HttpState();
        // Credentials stored under the null realm are the "default" credentials.
        state.setCredentials(null, new UsernamePasswordCredentials("username", "password"));
        // Challenge names a realm for which no specific credentials were set.
        HttpMethod method = new SimpleHttpMethod(
            new Header("WWW-Authenticate", "Basic realm=\"realm1\""));
        assertTrue(Authenticator.authenticate(method, state));
        assertTrue(null != method.getRequestHeader("Authorization"));
        String expected = "Basic " + new String(Base64.encode("username:password".getBytes()));
        assertEquals(expected, method.getRequestHeader("Authorization").getValue());
    }

This test shows that basic authentication uses the default creds (the creds with
the null realm in the HttpState).  I'm not sure what your patch is trying to fix
... can you supply a test case that fails with the current code, but passes
after your patch is applied?



Adrian Sutton wrote:

> Digest authentication falls back to the default credentials
> (state.getCredentials(null)) when credentials for the specific realm aren't
> found, however basic authentication doesn't currently do that.  This patch
> makes basic authentication behave like digest authentication.
>
> There is the security issue of having the username and password sent in
> clear text without specifically saying to (normally it would be specified on
> a per realm basis so it would be known to be sent via clear text), however I
> think that's a little paranoid and it's better to behave consistently.
>
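Added example (not HttpClient's code): a small Python model of the realm lookup this thread describes, with the null-realm default fallback the patch proposes for Basic, beside the stricter opt-in alternative that addresses the clear-text concern above. HttpState, has_realm_credentials, allow_default, parse_basic_realm and the sample credentials are assumed names for illustration, not the library's API.

```python
import base64
import re
from typing import Dict, Optional, Tuple

Creds = Tuple[str, str]


class HttpState:
    """Toy per-realm credential store; the entry under realm None is the default."""

    def __init__(self) -> None:
        self._creds: Dict[Optional[str], Creds] = {}

    def set_credentials(self, realm: Optional[str], username: str, password: str) -> None:
        self._creds[realm] = (username, password)

    def has_realm_credentials(self, realm: str) -> bool:
        return realm in self._creds

    def get_credentials(self, realm: Optional[str]) -> Optional[Creds]:
        # Realm-specific entry first, then fall back to the null-realm default
        # (what Digest already does and what the patch proposes for Basic).
        return self._creds.get(realm, self._creds.get(None))


def parse_basic_realm(www_authenticate: str) -> Optional[str]:
    """Return the realm of a 'Basic realm="..."' challenge, or None for other schemes."""
    m = re.match(r'\s*Basic\s+realm="([^"]*)"', www_authenticate, re.IGNORECASE)
    return m.group(1) if m else None


def basic_authorization(www_authenticate: str, state: HttpState,
                        allow_default: bool = True) -> Optional[str]:
    """Build the Authorization value for a Basic challenge, or None if nothing applies.

    allow_default=True models the patched behaviour: the null-realm default is
    released (base64, i.e. effectively clear text) to any realm that challenges.
    allow_default=False is the stricter alternative (assumed, not in the patch):
    only credentials stored for that exact realm are ever sent.
    """
    realm = parse_basic_realm(www_authenticate)
    if realm is None:
        return None
    if not allow_default and not state.has_realm_credentials(realm):
        return None
    creds = state.get_credentials(realm)
    if creds is None:
        return None
    username, password = creds
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token
```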

