cxf-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Sergey Beryozkin (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CXF-6962) Basic auth uses UTF-8 for the encoded password when it should use ISO-8859-1
Date Thu, 26 Jan 2017 21:40:25 GMT

    [ https://issues.apache.org/jira/browse/CXF-6962?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15840502#comment-15840502
] 

Sergey Beryozkin commented on CXF-6962:
---------------------------------------

Hi, I agree it is a problem, the question is how to solve it now without breaking CXF clients
which may be already encoding a character like "ยง" using UTF-8 which works against a CXF
server decoding with UTF-8.
May be we can try to come up with a property instructing CXF to use ISO-8859-1, too late for
3.1.10 but possible for 3.1.11

> Basic auth uses UTF-8 for the encoded password when it should use ISO-8859-1
> ----------------------------------------------------------------------------
>
>                 Key: CXF-6962
>                 URL: https://issues.apache.org/jira/browse/CXF-6962
>             Project: CXF
>          Issue Type: Bug
>    Affects Versions: 2.7.18, 3.1.6
>            Reporter: Chris Dolphy
>
> Basic auth uses UTF-8 for the encoded password when it should use ISO-8859-1.   Also
(or instead), implement RFC 7617 which allows a server to indicate it does support UTF-8.
> The RFC that covers Basic authentication says that the authentication header contains
base 64 encoded TEXT [1].  The TEXT format needs to be read under the HTTP specification [2]
which says:
>    The TEXT rule is only used for descriptive field contents and values
>    that are not intended to be interpreted by the message parser. Words
>    of *TEXT MAY contain characters from character sets other than ISO-
>    8859-1 [22] only when encoded according to the rules of RFC 2047
>    [14].
> RFC 2047 describes an encoding method that embeds the encoded string in "=?" and "?=".
 But it appears no implementation of HTTP is doing this.  Certainly no browser is doing this.
> [1] http://tools.ietf.org/html/rfc2617#section-2



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message