Posted to dev@tomcat.apache.org by bu...@apache.org on 2012/12/12 23:37:39 UTC

[Bug 54060] DigestAuthenticator doesn't parse Authorization header correctly

https://issues.apache.org/bugzilla/show_bug.cgi?id=54060

--- Comment #10 from Sean Owen <sr...@apache.org> ---
Hello all, first I would like to say that I think this patch is entirely right.
I even checked against RFC 2617. But after this change I'm noticing that DIGEST
authentication stops working in Safari, curl, and Java's SDK. Chrome is fine.

The reason, it seems, is that their Digest response includes either
algorithm="MD5" when it should be algorithm=MD5, or qop="auth" when it should
be qop=auth.

For example, from curl:

* Connection #0 to host localhost left intact
* Issue another request to this URL: 'https://localhost:8453/ready'
* Re-using existing connection! (#0) with host localhost
* Connected to localhost (::1) port 8453 (#0)
* Server auth using Digest with user 'foo'
> HEAD /ready HTTP/1.1
> Authorization: Digest username="foo", realm="Myrrix", nonce="1355351469307:f5864c38c03153e941d0e0ec6e6b625f", uri="/ready", cnonce="MTM1NTM1", nc=00000001, qop="auth", response="cccab2adb7a9c59f9eeac8b6981e79c0", opaque="B1094CC78FA4B4D9288C50B02C975C0F"
> User-Agent: curl/7.21.4 (universal-apple-darwin11.0) libcurl/7.21.4 OpenSSL/0.9.8r zlib/1.2.5
> Host: localhost:8453
> Accept: */*

In the new implementation this means the parser rejects it since it is not
expecting a quoted field.
Going back to the prior version of Tomcat works in the sense that the old
parser was (too) lenient on incorrect quoting. Also changing these fields to be
treated like type 'FIELD_TYPE_QUOTED_STRING' works.

It's not a bug in Tomcat though AFAICT. But if it really means a lot of popular
implementations don't work with it, I dunno, maybe worth revisiting.

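As an added illustration of the parsing difference described in the comment above (this is not code from the Tomcat project or from the comment's author), the following Python parser reads one Digest Authorization header value in either a strict mode, which rejects qop="auth" and algorithm="MD5" the way the patched DigestAuthenticator does, or a lenient mode that also accepts the quoted form for those token directives, like the older parser. The directive classification follows the RFC 2617 grammar (qop, algorithm and nc are tokens; username, realm, nonce, cnonce, response and opaque are quoted-strings), and the curl header quoted above is the sample input.

```python
import re

# RFC 2617 directive types: these values must be quoted-strings ...
QUOTED_FIELDS = {"username", "realm", "nonce", "cnonce", "response", "opaque"}
# ... and these must be bare tokens. (uri is defined as a request-uri in the
# RFC grammar, so it is accepted in either form here.)
TOKEN_FIELDS = {"qop", "algorithm", "nc"}

# One directive: name=token or name="quoted-string" (backslash escapes allowed),
# followed by a comma or the end of the header value.
_DIRECTIVE = re.compile(
    r'\s*([A-Za-z0-9_-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,"]+))\s*(?:,|$)')


def parse_digest_authorization(header, strict=True):
    """Return the directives as a dict, or None if the header is invalid.
    strict=True rejects quoting that RFC 2617 does not allow (e.g. qop="auth"),
    as the patched DigestAuthenticator does; strict=False tolerates it, like
    the old lenient parser did."""
    if not header.startswith("Digest "):
        return None
    rest, pos, params = header[len("Digest "):], 0, {}
    while pos < len(rest):
        m = _DIRECTIVE.match(rest, pos)
        if m is None:
            return None  # malformed directive list
        name, quoted, token = m.group(1).lower(), m.group(2), m.group(3)
        if name in params:
            return None  # duplicate directive
        if quoted is not None:
            if strict and name in TOKEN_FIELDS:
                return None  # e.g. qop="auth": RFC 2617 defines qop as a token
            params[name] = re.sub(r"\\(.)", r"\1", quoted)  # drop \ escapes
        else:
            if name in QUOTED_FIELDS:
                return None  # e.g. realm=Myrrix: must be a quoted-string
            params[name] = token
        pos = m.end()
    return params


# The curl request header quoted in the comment above (note qop="auth").
CURL_HEADER = ('Digest username="foo", realm="Myrrix", '
               'nonce="1355351469307:f5864c38c03153e941d0e0ec6e6b625f", '
               'uri="/ready", cnonce="MTM1NTM1", nc=00000001, qop="auth", '
               'response="cccab2adb7a9c59f9eeac8b6981e79c0", '
               'opaque="B1094CC78FA4B4D9288C50B02C975C0F"')

if __name__ == "__main__":
    print("strict:", parse_digest_authorization(CURL_HEADER))  # None
    print("lenient qop:", parse_digest_authorization(CURL_HEADER, False)["qop"])
```

Once the quotes are stripped the lenient result is identical to what a compliant header with qop=auth yields, which is why switching those fields to the quoted-string type in Tomcat also makes the curl request work.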