tomcat-users mailing list archives

From Mark Thomas <ma...@apache.org>
Subject Re: Basic Authentication Failed with multibyte username
Date Thu, 21 Jan 2010 11:22:02 GMT
On 21/01/2010 05:54, Auth Gábor wrote:
> Hi,
> 
> I've found a potential bug in the Basic Authentication module. I have users 
> and some users' usernames contain national characters (encoded in UTF-8). 
> The HTTP header based authentication fails when the username or the 
> password contains multibyte characters.

That sounds like a bug to me.

> The root of the bug is the Base64 decoder, which decodes the Base64 stream to 
> char array: converts each byte to individual char, this decode method corrupts 
> the multibyte characters...

And that sounds like the root cause.

> It works, because the byte[] to String conversion supports the multibyte 
> conversion and uses the encoding of the JVM.
> 
> What do you think about it?

I haven't tested it or looked at the detail of the base 64 decoding but
on the basis it works for you then...

Great! Many thanks. Please create a Bugzilla entry and add your patch to
it. Patches sent to the mailing list are too easy to forget.

Before you do, I have one improvement suggestion. Using the
platform default encoding to convert bytes to String is something that
itself has caused bugs in the past and I can see it doing so here too.
I'd suggest adding a characterEncoding attribute to the
BasicAuthenticator (like there is for FormAuthenticator). Don't forget
to include documenting this new attribute in your patch.

The tricky question is what should the default be. I see the options as
ISO-8859-1 or UTF-8. I'd use UTF-8 since that will work for most input
including all ISO-8859-1 input.

Thanks again for the patch.

Mark
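
Added example, not part of the original message and not Tomcat's code: the decoding problem discussed in this thread, shown with java.util.Base64 instead of Tomcat's own decoder. The class name, method names and sample credentials are constructed for illustration.

```java
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class BasicAuthCharsetDemo {

    // Byte-per-char widening, the behaviour the thread identifies as the root cause.
    // Each byte becomes one char, which is the same as decoding as ISO-8859-1.
    static String decodeBytePerChar(byte[] raw) {
        char[] chars = new char[raw.length];
        for (int i = 0; i < raw.length; i++) {
            chars[i] = (char) (raw[i] & 0xFF);
        }
        return new String(chars);
    }

    // Decode with an explicitly configured charset, never the platform default.
    // Returns {username, password}; only the first ':' separates the two.
    static String[] parseCredentials(String headerValue, Charset charset) {
        if (headerValue == null || !headerValue.regionMatches(true, 0, "Basic ", 0, 6)) {
            throw new IllegalArgumentException("not a Basic Authorization header");
        }
        byte[] raw = Base64.getDecoder().decode(headerValue.substring(6).trim());
        String decoded = new String(raw, charset);
        int colon = decoded.indexOf(':');
        if (colon < 0) {
            throw new IllegalArgumentException("missing ':' separator");
        }
        return new String[] { decoded.substring(0, colon), decoded.substring(colon + 1) };
    }

    public static void main(String[] args) {
        // Constructed sample: a client that encodes its credentials as UTF-8.
        // Unicode escapes keep the source independent of the compiler's file encoding.
        String credentials = "G\u00e1bor:p\u00e4ssword";
        String header = "Basic " + Base64.getEncoder()
                .encodeToString(credentials.getBytes(StandardCharsets.UTF_8));
        byte[] raw = Base64.getDecoder().decode(header.substring(6));

        System.out.println("byte-per-char: " + decodeBytePerChar(raw));
        System.out.println("UTF-8:         "
                + String.join(" / ", parseCredentials(header, StandardCharsets.UTF_8)));
        System.out.println("ISO-8859-1:    "
                + String.join(" / ", parseCredentials(header, StandardCharsets.ISO_8859_1)));
    }
}
```

The charset passed to parseCredentials stands in for the characterEncoding attribute suggested above; the decoded username only matches the stored one when that charset agrees with what the client used to encode it.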
