tomcat-dev mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: svn commit: r1807004 - in /tomcat/trunk: java/org/apache/catalina/authenticator/ test/org/apache/catalina/authenticator/ webapps/docs/ webapps/docs/config/
Date Sat, 02 Sep 2017 20:20:55 GMT

Mark,

On 9/1/17 4:18 PM, Mark Thomas wrote:
> On 01/09/17 20:51, markt@apache.org wrote:
>> Author: markt
>> Date: Fri Sep  1 19:51:42 2017
>> New Revision: 1807004
>> 
>> URL: http://svn.apache.org/viewvc?rev=1807004&view=rev
>> Log:
>> Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=61280
>> Add RFC 7617 support to the BasicAuthenticator
> 
> I'd like to back-port this but before I do I wanted to get some
> feedback on the default.
> 
> The options are:
> 
> a) UTF-8 (the default for 9.0.x)
> 
> b) "" or null (the current behaviour)
> 
> The advantage of a) is that we'll support i18n user names and
> passwords out of the box (assuming the browser does).
> 
> The disadvantage of a) is that we'll break authentication for any
> user name or password using ISO-8859-1 characters in the 128-255
> range where the browser uses ISO-8859-1 by default and doesn't
> support RFC 7617.
> 
> A quick test suggests that this varies between browsers.
> 
> Chrome appears to use UTF-8 by default. I can't tell if Chrome
> supports RFC 7617 since it always uses UTF-8.
> 
> Firefox appears to use ISO-8859-1 by default. It also appears that 
> Firefox doesn't support RFC 7617.
> 
> IE is the same as Firefox.
> 
> Hmm. This is a lot messier than I thought it would be. Given what I
> have observed, there is no combination I can see that will allow
> BASIC auth to work with a user name or password that contains
> non-ASCII characters with both IE, Firefox and Chrome.
> 
> Thoughts?

In general, I'd say that UTF-8 should be the default for everything
moving forward. So, for back-porting to 8.5, UTF-8 should be the
default. But for 8.0, we should probably use ""/null.

OTOH, we had conversations about 8.5 being as easy as possible as a
drop-in replacement for 8.0, and using UTF-8 would therefore hamper
that goal.

Maybe we should be ""/null for all backports, and let 9.0 only be
UTF-8 (by default, of course).

-chris

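The charset mismatch discussed in this thread, as an added example that is not part of the original message and not Tomcat's code: a client encodes BASIC credentials in one charset and the server decodes them in another. The account, the function names and the `needs_review` pre-upgrade check are assumptions made for illustration.

```python
import base64

# Constructed sample account; the password contains U+00E4 (a-umlaut),
# a character in the 128-255 range of ISO-8859-1.
USER, PASSWORD = "admin", "p\u00e4ssword"

def challenge(realm, advertise_utf8=False):
    """WWW-Authenticate value; RFC 7617 defines only charset="UTF-8"."""
    value = 'Basic realm="%s"' % realm
    return value + ', charset="UTF-8"' if advertise_utf8 else value

def client_header(user, password, charset):
    """Authorization header as sent by a client that encodes in `charset`."""
    token = base64.b64encode(("%s:%s" % (user, password)).encode(charset))
    return "Basic " + token.decode("ascii")

def server_decode(header, charset):
    """Decode user-pass with the server-side charset; None if undecodable."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        raw = base64.b64decode(token, validate=True)
        user, sep, password = raw.decode(charset).partition(":")
    except ValueError:  # covers bad base64 and UnicodeDecodeError
        return None
    return (user, password) if sep else None

def authenticates(client_charset, server_charset, user=USER, password=PASSWORD):
    """True if the server recovers exactly the credentials the user typed."""
    header = client_header(user, password, client_charset)
    return server_decode(header, server_charset) == (user, password)

def needs_review(credential):
    """True if the credential's bytes differ between ISO-8859-1 and UTF-8,
    i.e. a change of server default could lock this account out."""
    return any(ord(ch) > 127 for ch in credential)

if __name__ == "__main__":
    print(challenge("app", advertise_utf8=True))
    for client in ("iso-8859-1", "utf-8"):
        for server in ("iso-8859-1", "utf-8"):
            print("client", client, "server", server, "->",
                  authenticates(client, server))
```

Only the two matching combinations authenticate, while an all-ASCII credential passes in all four, so running `needs_review` over existing user names and passwords shows which accounts a change of default would affect.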