Return-Path: 
 <users-return-207245-apmail-tomcat-users-archive=tomcat.apache.org@tomcat.apache.org>
Delivered-To: apmail-tomcat-users-archive@www.apache.org
Received: (qmail 50883 invoked from network); 21 Jan 2010 13:12:14 -0000
Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.3)
  by minotaur.apache.org with SMTP; 21 Jan 2010 13:12:14 -0000
Received: (qmail 50151 invoked by uid 500); 21 Jan 2010 13:12:11 -0000
Delivered-To: apmail-tomcat-users-archive@tomcat.apache.org
Received: (qmail 50057 invoked by uid 500); 21 Jan 2010 13:12:10 -0000
Mailing-List: contact users-help@tomcat.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:users-help@tomcat.apache.org>
List-Unsubscribe: <mailto:users-unsubscribe@tomcat.apache.org>
List-Post: <mailto:users@tomcat.apache.org>
List-Id: <users.tomcat.apache.org>
Reply-To: "Tomcat Users List" <users@tomcat.apache.org>
Delivered-To: mailing list users@tomcat.apache.org
Received: (qmail 50046 invoked by uid 99); 21 Jan 2010 13:12:10 -0000
Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230)
    by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 21 Jan 2010 13:12:10 +0000
X-ASF-Spam-Status: No, hits=1.2 required=10.0
	tests=SPF_NEUTRAL
X-Spam-Check-By: apache.org
Received-SPF: neutral (nike.apache.org: local policy)
Received: from [81.103.221.47] (HELO mtaout01-winn.ispmail.ntl.com)
 (81.103.221.47)
    by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 21 Jan 2010 13:12:00 +0000
Received: from know-smtpout-4.server.virginmedia.net ([62.254.123.4])
          by mtaout01-winn.ispmail.ntl.com
          (InterMail vM.7.08.04.00 201-2186-134-20080326) with ESMTP
          id
 <20100121131140.EBY4204.mtaout01-winn.ispmail.ntl.com@know-smtpout-4.server.virginmedia.net>
          for <users@tomcat.apache.org>; Thu, 21 Jan 2010 13:11:40 +0000
Received: from [12.42.129.178] (helo=s2-laptop.local)
	by know-smtpout-4.server.virginmedia.net with esmtpa (Exim 4.63)
	(envelope-from <markt@apache.org>)
	id 1NXwp0-0004ec-6j
	for users@tomcat.apache.org; Thu, 21 Jan 2010 13:11:40 +0000
Message-ID: <4B585282.9060307@apache.org>
Date: Thu, 21 Jan 2010 08:11:30 -0500
From: Mark Thomas <markt@apache.org>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US;
 rv:1.9.1.5) Gecko/20091204 Thunderbird/3.0
MIME-Version: 1.0
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: Basic Authentication Failed with multibyte username
References: <201001211154.03045.auth.gabor@javaforum.hu>
 <4B583694.1070201@ice-sa.com> <4B58395A.4060009@apache.org>
 <4B5840A6.3040902@ice-sa.com>
In-Reply-To: <4B5840A6.3040902@ice-sa.com>
X-Enigmail-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
X-Cloudmark-Analysis: v=1.1 cv=1ggfb5FlKZQUfF3vzm9UBYZ2uTfLsbs/8dSljwg5+mE=
 c=1 sm=0 a=zL-oSMo6FNEA:10 a=52nq0KFwvdfy_rrRP2oA:9 a=9zHok81A2TPfSveJjH0A:7
 a=OsmUR-iBZJp8rNiMYiCayOM7jqAA:4 a=HpAAvcLHHh0Zw7uRqdWCyQ==:117
X-Virus-Checked: Checked by ClamAV on apache.org

On 21/01/2010 06:55, Andr� Warnier wrote:
> Mark Thomas wrote:
>> The authorisation header is base64
>> encoded so it is automatically compliant with RFC2616.
>>
> Yes, it sounds like you're right; my mistake.
> (Also for Gabor, I admit my mistake.)
> 
> I agree that the HTTP header itself is correct.
> But there is still somethig which puzzles me in the absolute.
> Suppose that the browser and the server know nothing particular about
> one another, and that the server gets such an Authentication header from
> the browser.
> The Base64 decoding is done, and yields a series of bytes.
> Now this series of bytes have to be interpreted, to be translated into a
> string in Java (which is Unicode).  Which encoding should be chosen to
> decode the byte array ?
> If you use the default platform JVM encoding, you are making the
> assumption that the browser knew what this encoding is, aren't you ?
> On the other hand, the browser sent nothing to indicate in which
> encoding this string was, before it encoded it using Base64, or did it ?

RFC2617 to the rescue...

      basic-credentials = base64-user-pass
      base64-user-pass  = <base64 [4] encoding of user-pass,
                          except not limited to 76 char/line>
      user-pass         = userid ":" password
      userid            = *<TEXT excluding ":">
      password          = *TEXT

*TEXT is defined in RFC2616

       TEXT           = <any OCTET except CTLs,
                        but including LWS>

and finally

       OCTET          = <any 8-bit sequence of data>
       CTL            = <any US-ASCII control character
                        (octets 0 - 31) and DEL (127)>

So actually, Tomcat is correct in the current treatment of credentials.
Therefore, not a bug.

Also Andr�'s comments regarding ISO-8859-1 were right if considering the
actual user name and password rather than the header.

Supporting other encodings would be a useful enhancement but the default
will have to be ISO-8859-1 to remain spec compliant. What the browsers
will do for user names and passwords in other encodings is not defined
so it will be a case of YMMV.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org