hc-dev mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 24671] - Basic Authentification fails with non-ASCII username/password characters
Date Sat, 22 Nov 2003 21:40:11 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=24671>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=24671

Basic Authentification fails with non-ASCII username/password characters





------- Additional Comments From becke@u.washington.edu  2003-11-22 21:40 -------
Well, I've spent a lot more time working on this than I would have thought.  It seems there may not be a good, universal solution for this problem.  Originally I was thinking that we should just switch over to 8859-1 for digest user names and passwords, like we did for basic authentication.  After some more researching and testing it seems that this may not be the correct answer.

To test this problem I'm using Apache HTTPD 2.0.40. I tried using Tomcat, but was unable to get it working with Digest.  It seems that Apache uses UTF-8 to encode the user name and password.  Not only does this mean that UTF-8 must be used when calculating the digest, it also means that the Authorization header must be sent as UTF-8.  This is due to the fact that the digest username is sent as a header parameter.  When using Basic authentication I was unable to use non-ASCII characters with Apache.

I found the following two threads that discuss the problem with non-ASCII charsets and HTTP authentication; unfortunately neither of them seems to come to a complete conclusion:

<http://lists.w3.org/Archives/Public/ietf-http-wg-old/1998SepDec/0040.html>
<http://lists.w3.org/Archives/Public/ietf-http-wg/2003AprJun/0002.html>

I will attach shortly two patches that I used to test this problem, one for UTF-8 and the other for ISO-8859-1.  Unless we can come up with a better solution for this I suggest that we stick to ASCII for 2.0 and add a configuration item for 2.1 that determines the charset to use for authentication.

What does everyone think?

Mike
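
The charset dependence described in the comment above, as an added example that is not part of the original message or of HttpClient: the same credentials yield different Basic values and different Digest H(A1) hashes depending on the charset used to turn them into bytes. It is written in Python for brevity; the function names, the realm and the sample credentials are constructed, and H(A1) follows the RFC 2617 definition MD5(username:realm:password).

```python
import base64
import hashlib

CHARSETS = ("ascii", "iso-8859-1", "utf-8")

def basic_value(user, password, charset):
    """Basic credentials: base64 over the charset-encoded bytes of user:password."""
    raw = f"{user}:{password}".encode(charset)
    return "Basic " + base64.b64encode(raw).decode("ascii")

def digest_ha1(user, realm, password, charset):
    """RFC 2617 H(A1) = MD5(username:realm:password), computed over encoded bytes."""
    return hashlib.md5(f"{user}:{realm}:{password}".encode(charset)).hexdigest()

def per_charset(user, realm, password):
    """Map each charset to (Basic value, HA1), or None if it cannot encode the input."""
    out = {}
    for cs in CHARSETS:
        try:
            out[cs] = (basic_value(user, password, cs),
                       digest_ha1(user, realm, password, cs))
        except UnicodeEncodeError:
            out[cs] = None
    return out

def matching_charsets(stored_ha1, user, realm, password):
    """Charsets under which a client would reproduce the server's stored HA1."""
    return [cs for cs, v in per_charset(user, realm, password).items()
            if v is not None and v[1] == stored_ha1]

if __name__ == "__main__":
    # Constructed sample credentials and realm, not taken from the bug report.
    user, realm, password = "ä", "test", "ö"
    for cs, v in per_charset(user, realm, password).items():
        print(cs, v)
    # Simulate a server that hashed the UTF-8 bytes, as observed for Apache above.
    stored = digest_ha1(user, realm, password, "utf-8")
    print(matching_charsets(stored, user, realm, password))
```

For ASCII-only credentials all three charsets agree, which is why the mismatch only surfaces once a non-ASCII character appears in the user name or password.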


