You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@cxf.apache.org by "Chris Dolphy (JIRA)" <ji...@apache.org> on 2016/07/05 16:13:11 UTC
[jira] [Commented] (CXF-6962) Basic auth uses UTF-8 for the encoded
password when it should use ISO-8859-1
[ https://issues.apache.org/jira/browse/CXF-6962?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15362698#comment-15362698 ]
Chris Dolphy commented on CXF-6962:
-----------------------------------
Can workaround this issue with a custom auth supplier that does:
public static String getBasicAuthHeader(String userName, String passwd) {
String userAndPass = userName + ":" + passwd;
try {
return "Basic " + Base64Utility.encode(userAndPass.getBytes("ISO-8859-1"));
} catch (java.io.UnsupportedEncodingException e) {
return "Basic " + Base64Utility.encode(userAndPass.getBytes());
}
}
and setting it with http.setAuthSupplier(new CustomBasicAuthSupplier());
> Basic auth uses UTF-8 for the encoded password when it should use ISO-8859-1
> ----------------------------------------------------------------------------
>
> Key: CXF-6962
> URL: https://issues.apache.org/jira/browse/CXF-6962
> Project: CXF
> Issue Type: Bug
> Affects Versions: 2.7.18, 3.1.6
> Reporter: Chris Dolphy
>
> Basic auth uses UTF-8 for the encoded password when it should use ISO-8859-1. Also (or instead), implement RFC 7617 which allows a server to indicate it does support UTF-8.
> The RFC that covers Basic authentication says that the authentication header contains base 64 encoded TEXT [1]. The TEXT format needs to be read under the HTTP specification [2] which says:
> The TEXT rule is only used for descriptive field contents and values
> that are not intended to be interpreted by the message parser. Words
> of *TEXT MAY contain characters from character sets other than ISO-
> 8859-1 [22] only when encoded according to the rules of RFC 2047
> [14].
> RFC 2047 describes an encoding method that embeds the encoded string in "=?" and "?=". But it appears no implementation of HTTP is doing this. Certainly no browser is doing this.
> [1] http://tools.ietf.org/html/rfc2617#section-2
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)