tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Basic Authentication Failed with multibyte username
Date Fri, 22 Jan 2010 16:00:47 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

André,

On 1/21/2010 6:35 PM, André Warnier wrote:
> Basically, I would tend to say that if the server knows who the clients
> are and vice-versa, you should be free to use any encoding you want,
> with the limitation that what is exchanged on the wire conforms to HTTP
> (because there may be proxies on the way which are not so tolerant).

+1

> What the client is sending is already (in a way) conformant to HTTP,
> because it is base64 encoded and so, on the surface, it does not contain
> non-ascii characters.

+1

> But the problem is that the standard Tomcat code which decodes the Basic
> Authorization header does not work in the way you want, for these
> illegal headers.
> And this code should preferably not be changed in a way which breaks the
> conformance with standard HTTP.
> Because if you do that, then your Tomcat becomes useless for anything
> else than your special client.

+1

Another possibility would be to use something like SecurityFilter, which
allows you to (more easily) write your own authenticator and realm
implementations, and you could write a BasicAuthenticator that reads
these specially-formatted credentials.

I checked the sf source, and it looks like we might have a bug:

   private String decodeBasicAuthorizationString(String authorization) {
      if (authorization == null ||
!authorization.toLowerCase().startsWith("basic ")) {
         return null;
      } else {
         authorization = authorization.substring(6).trim();
         // Decode and parse the authorization credentials
         return new String(Base64.decodeBase64(authorization.getBytes()));
      }
   }

That "authorization.getBytes()" is just asking for trouble, because it
uses the platform default encoding to convert characters to bytes. It
should be using US-ASCII, ISO-8859-1, or something like that.

It also calls the String constructor with a byte array without
specifying the encoding, therefore using the platform default.

Finally, this method is private, which means it cannot be overridden by
a subclass, which would be a nice feature. Maybe I'll fix all that. :)

> Or, you drop the container-managed security, and you use something like
> the SecurityFilter (http://securityfilter.sourceforge.net/), but read
> the homepage carefully first.

Note that the warning about BASIC authentication is waaay outdated: sf
definitely does support BASIC auth.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAktZy68ACgkQ9CaO5/Lv0PAdMACfVnkkBJRIo8Gt1LcsegO/JhPD
Tl0AoLcI5QP0XoCa8kgy5zFJnkKBvL6Y
=CBKO
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message