You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@maven.apache.org by "John Casey (JIRA)" <ji...@codehaus.org> on 2009/04/28 17:42:44 UTC
[jira] Created: (WAGON-260) very long passwords cause
LightweightHTTP wagon to line-wrap the Base64-encoded Authorization header
very long passwords cause LightweightHTTP wagon to line-wrap the Base64-encoded Authorization header
----------------------------------------------------------------------------------------------------
Key: WAGON-260
URL: http://jira.codehaus.org/browse/WAGON-260
Project: Maven Wagon
Issue Type: Bug
Components: wagon-http-lightweight
Affects Versions: 1.0-beta-5
Reporter: John Casey
this is because of Sun's Base64 and HTTPURLConnection implementations, which the lightweight http wagon depends upon.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.codehaus.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] Commented: (WAGON-260) very long passwords cause
LightweightHTTP wagon to line-wrap the Base64-encoded Authorization header
Posted by "Brett Porter (JIRA)" <ji...@codehaus.org>.
[ http://jira.codehaus.org/browse/WAGON-260?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=174507#action_174507 ]
Brett Porter commented on WAGON-260:
------------------------------------
is this something that can be fixed in the lightweight wagon, or is the resolution just "use httpclient"?
does this exhibit in all versions of the JDK?
> very long passwords cause LightweightHTTP wagon to line-wrap the Base64-encoded Authorization header
> ----------------------------------------------------------------------------------------------------
>
> Key: WAGON-260
> URL: http://jira.codehaus.org/browse/WAGON-260
> Project: Maven Wagon
> Issue Type: Bug
> Components: wagon-http-lightweight
> Affects Versions: 1.0-beta-5
> Reporter: John Casey
>
> this is because of Sun's Base64 and HTTPURLConnection implementations, which the lightweight http wagon depends upon.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.codehaus.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] Commented: (WAGON-260) very long passwords cause
LightweightHTTP wagon to line-wrap the Base64-encoded Authorization header
Posted by "John Casey (JIRA)" <ji...@codehaus.org>.
[ http://jira.codehaus.org/browse/WAGON-260?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=174512#action_174512 ]
John Casey commented on WAGON-260:
----------------------------------
I haven't tried all JDKs, only on 1.5 so far. I'll try to extract the unit tests I wrote up, and post it here.
IMO, there is very little reason not to decommission the lightweight http wagon...particularly now that the webdav wagon uses httpclient.
> very long passwords cause LightweightHTTP wagon to line-wrap the Base64-encoded Authorization header
> ----------------------------------------------------------------------------------------------------
>
> Key: WAGON-260
> URL: http://jira.codehaus.org/browse/WAGON-260
> Project: Maven Wagon
> Issue Type: Bug
> Components: wagon-http-lightweight
> Affects Versions: 1.0-beta-5
> Reporter: John Casey
>
> this is because of Sun's Base64 and HTTPURLConnection implementations, which the lightweight http wagon depends upon.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.codehaus.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] Updated: (WAGON-260) very long passwords cause
LightweightHTTP wagon to line-wrap the Base64-encoded Authorization header
Posted by "Brett Porter (JIRA)" <ji...@codehaus.org>.
[ http://jira.codehaus.org/browse/WAGON-260?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Brett Porter updated WAGON-260:
-------------------------------
Fix Version/s: 1.x
> very long passwords cause LightweightHTTP wagon to line-wrap the Base64-encoded Authorization header
> ----------------------------------------------------------------------------------------------------
>
> Key: WAGON-260
> URL: http://jira.codehaus.org/browse/WAGON-260
> Project: Maven Wagon
> Issue Type: Bug
> Components: wagon-http-lightweight
> Affects Versions: 1.0-beta-5
> Reporter: John Casey
> Fix For: 1.x
>
>
> this is because of Sun's Base64 and HTTPURLConnection implementations, which the lightweight http wagon depends upon.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.codehaus.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] Issue Comment Edited: (WAGON-260) very long passwords cause
LightweightHTTP wagon to line-wrap the Base64-encoded Authorization header
Posted by "Kristof Vanbecelaere (JIRA)" <ji...@codehaus.org>.
[ http://jira.codehaus.org/browse/WAGON-260?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=228797#action_228797 ]
Kristof Vanbecelaere edited comment on WAGON-260 at 7/16/10 5:03 AM:
---------------------------------------------------------------------
Maven ant tasks 2.1.0 still uses wagon-http-lightweight and it looks like it is impacted by this as well as far as I can tell (possibly in combination with http://jira.codehaus.org/browse/MANTTASKS-177).
was (Author: kva):
Maven ant tasks 2.1.0 still uses wagon-http-lightweight and it looks like it is impacted by this as well as far as I can tell.
> very long passwords cause LightweightHTTP wagon to line-wrap the Base64-encoded Authorization header
> ----------------------------------------------------------------------------------------------------
>
> Key: WAGON-260
> URL: http://jira.codehaus.org/browse/WAGON-260
> Project: Maven Wagon
> Issue Type: Bug
> Components: wagon-http-lightweight
> Affects Versions: 1.0-beta-5
> Reporter: John Casey
> Fix For: 1.x
>
>
> this is because of Sun's Base64 and HTTPURLConnection implementations, which the lightweight http wagon depends upon.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.codehaus.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] Commented: (WAGON-260) very long passwords cause
LightweightHTTP wagon to line-wrap the Base64-encoded Authorization header
Posted by "Kristof Vanbecelaere (JIRA)" <ji...@codehaus.org>.
[ http://jira.codehaus.org/browse/WAGON-260?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=228797#action_228797 ]
Kristof Vanbecelaere commented on WAGON-260:
--------------------------------------------
Maven ant tasks 2.1.0 still uses wagon-http-lightweight and it looks like it is impacted by this as well as far as I can tell.
> very long passwords cause LightweightHTTP wagon to line-wrap the Base64-encoded Authorization header
> ----------------------------------------------------------------------------------------------------
>
> Key: WAGON-260
> URL: http://jira.codehaus.org/browse/WAGON-260
> Project: Maven Wagon
> Issue Type: Bug
> Components: wagon-http-lightweight
> Affects Versions: 1.0-beta-5
> Reporter: John Casey
> Fix For: 1.x
>
>
> this is because of Sun's Base64 and HTTPURLConnection implementations, which the lightweight http wagon depends upon.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.codehaus.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] (WAGON-260) very long passwords cause LightweightHTTP wagon
to line-wrap the Base64-encoded Authorization header
Posted by "Barrie Treloar (JIRA)" <ji...@codehaus.org>.
[ https://jira.codehaus.org/browse/WAGON-260?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=302883#comment-302883 ]
Barrie Treloar commented on WAGON-260:
--------------------------------------
See
* http://bugs.sun.com/bugdatabase/view_bug.do;jsessionid=598a0bf17db1873eb2ea1293aa756?bug_id=6947917
Summary:
{noformat}
The Basic Authentication implementation, sun.net.www.protocol.http.BasicAuthentication, uses a sun.misc.BASE64Encoder to encode the Authentication headers field value. The sun.misc.BASE64Encoder class encodes 57 bytes per line. This results in a maximum of 57/3 * 4, or 76, characters per output line (not counting the line termination) before writing a LineSuffix, i.e. a newline character.
With long long usernames and/or passwords it is possible to generate a header value with more than 76 characters, therefore causing a newline character to be returned as part of the header value. This violates the HTTP spec for Message Headers, which states that "Header fields can be extended over multiple lines by preceding each extra line with at least one SP or HT.".
CUSTOMER SUBMITTED WORKAROUND :
Only known workaround is to use a 3rd party library for URL connections such as HttpClient.
Posted Date : 2010-04-28 06:32:21.0
{noformat}
For us, the real work around is to use shorter passwords.
i.e. stick passwords no greater than 76 characters.
> very long passwords cause LightweightHTTP wagon to line-wrap the Base64-encoded Authorization header
> ----------------------------------------------------------------------------------------------------
>
> Key: WAGON-260
> URL: https://jira.codehaus.org/browse/WAGON-260
> Project: Maven Wagon
> Issue Type: Bug
> Components: wagon-http-lightweight
> Affects Versions: 1.0-beta-5
> Reporter: John Casey
> Fix For: 1.1
>
>
> this is because of Sun's Base64 and HTTPURLConnection implementations, which the lightweight http wagon depends upon.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://jira.codehaus.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira