tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Basic Authentication Failed with multibyte username
Date Thu, 21 Jan 2010 20:35:22 GMT

Gábor,

On 1/21/2010 9:16 AM, Auth Gábor wrote:
> Mark Thomas wrote:
>>        OCTET          = <any 8-bit sequence of data>
>>        CTL            = <any US-ASCII control character
>>                         (octets 0 - 31) and DEL (127)>
>>
>> So actually, Tomcat is correct in the current treatment of credentials.
>> Therefore, not a bug.
> 
> Yes, but the UTF-8 encoded text contains any 8-bit sequence of data except
> control characters, so IMHO the UTF-8 encoded text is TEXT.

Sure, UTF-8 encoded text is TEXT, but you may not get the String value
you expect. André is correct in that non-Latin characters appear to be
unsupported by the HTTP Authenticate header.

Now, there /are/ things that can be done to accommodate you. See below.

The patch you posted probably will only work when the platform encoding
is set to UTF-8. Instead, an encoding setting would probably have to be
provided to the BasicAuthenticator to allow the Base64-encoded header
value to use the desired encoding. Actually, the code as it looks right
now does have a bug: the platform default encoding is used to decode
Base-64 decoded bytes in the Authenticate header. Instead, it should
probably be ASCII or maybe ISO-8859-1.

>> Also André's comments regarding ISO-8859-1 were right if considering the
>> actual user name and password rather than the header.
> 
> Yes, that's right. The default header encoding is ISO-8859-1.

It's ASCII, though ISO-8859-1 is backward-compatible (as is UTF-8).

> I've found some information about this issue:
> http://stackoverflow.com/questions/702629/utf-8-characters-mangled-in-http-basic-auth-username

Nice that someone looked at actual behavior of the browsers.

It would be pretty trivial to add a settable charset to the
BasicAuthenticator, and also to allow things like RFC 2047
charset-in-value decoding, though I don't think that's appropriate
because the Base64 value has already been decoded.

-chris
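The point made in the message above, that the bytes recovered from the Base64 credential should be decoded with an explicitly chosen charset rather than the platform default, shown as an added example. This is not code from the thread or from Tomcat's BasicAuthenticator; the class name, the `parseBasic` helper and the sample credentials are constructed for illustration, and it assumes Java 8+ for `java.util.Base64`.

```java
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class BasicCredentialCharsetDemo {

    /** Splits a "Basic <base64>" header value into {user, password} using an explicit charset. */
    static String[] parseBasic(String headerValue, Charset charset) {
        if (headerValue == null || !headerValue.regionMatches(true, 0, "Basic ", 0, 6)) {
            throw new IllegalArgumentException("not a Basic credential");
        }
        byte[] raw = Base64.getDecoder().decode(headerValue.substring(6).trim());
        // new String(raw) would silently use the platform default charset,
        // so the same header could authenticate on one host and fail on another.
        String userPass = new String(raw, charset);
        int colon = userPass.indexOf(':');
        if (colon < 0) {
            throw new IllegalArgumentException("missing ':' separator");
        }
        return new String[] { userPass.substring(0, colon), userPass.substring(colon + 1) };
    }

    public static void main(String[] args) {
        // Constructed sample: a client that encodes "Gábor:titok" as UTF-8 before Base64.
        String expectedUser = "G\u00e1bor";
        String header = "Basic " + Base64.getEncoder()
                .encodeToString((expectedUser + ":titok").getBytes(StandardCharsets.UTF_8));

        String asUtf8 = parseBasic(header, StandardCharsets.UTF_8)[0];
        String asLatin1 = parseBasic(header, StandardCharsets.ISO_8859_1)[0];
        String asDefault = parseBasic(header, Charset.defaultCharset())[0];

        // Lengths are printed so the result does not depend on the console encoding.
        System.out.println("UTF-8      -> length " + asUtf8.length()
                + ", matches stored user: " + expectedUser.equals(asUtf8));
        System.out.println("ISO-8859-1 -> length " + asLatin1.length()
                + ", matches stored user: " + expectedUser.equals(asLatin1));
        System.out.println("default (" + Charset.defaultCharset() + ") -> matches stored user: "
                + expectedUser.equals(asDefault));
    }
}
```

Decoding the UTF-8 bytes as ISO-8859-1 turns the two-byte "á" into two characters, so the username no longer matches the stored one; the last line shows which of those outcomes a default-charset decode produces on the host running it.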
