tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <>
Subject Re: Basic Authentication Failed with multibyte username
Date Fri, 22 Jan 2010 16:00:47 GMT
Hash: SHA1


On 1/21/2010 6:35 PM, André Warnier wrote:
> Basically, I would tend to say that if the server knows who the clients
> are and vice-versa, you should be free to use any encoding you want,
> with the limitation that what is exchanged on the wire conforms to HTTP
> (because there may be proxies on the way which are not so tolerant).


> What the client is sending is already (in a way) conformant to HTTP,
> because it is base64 encoded and so, on the surface, it does not contain
> non-ascii characters.


> But the problem is that the standard Tomcat code which decodes the Basic
> Authorization header does not work in the way you want, for these
> illegal headers.
> And this code should preferably not be changed in a way which breaks the
> conformance with standard HTTP.
> Because if you do that, then your Tomcat becomes useless for anything
> else than your special client.


Another possibility would be to use something like SecurityFilter, which
allows you to (more easily) write your own authenticator and realm
implementations, and you could write a BasicAuthenticator that reads
these specially-formatted credentials.

I checked the sf source, and it looks like we might have a bug:

   private String decodeBasicAuthorizationString(String authorization) {
      if (authorization == null ||
!authorization.toLowerCase().startsWith("basic ")) {
         return null;
      } else {
         authorization = authorization.substring(6).trim();
         // Decode and parse the authorization credentials
         return new String(Base64.decodeBase64(authorization.getBytes()));

That "authorization.getBytes()" is just asking for trouble, because it
uses the platform default encoding to convert characters to bytes. It
should be using US-ASCII, ISO-8859-1, or something like that.

It also calls the String constructor with a byte array without
specifying the encoding, therefore using the platform default.

Finally, this method is private, which means it cannot be overridden by
a subclass, which would be a nice feature. Maybe I'll fix all that. :)

> Or, you drop the container-managed security, and you use something like
> the SecurityFilter (, but read
> the homepage carefully first.

Note that the warning about BASIC authentication is waaay outdated: sf
definitely does support BASIC auth.

- -chris
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla -


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message