You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by ma...@apache.org on 2017/09/01 19:51:42 UTC
svn commit: r1807004 - in /tomcat/trunk:
java/org/apache/catalina/authenticator/
test/org/apache/catalina/authenticator/ webapps/docs/ webapps/docs/config/
Author: markt
Date: Fri Sep 1 19:51:42 2017
New Revision: 1807004
URL: http://svn.apache.org/viewvc?rev=1807004&view=rev
Log:
Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=61280
Add RFC 7617 support to the BasicAuthenticator
Modified:
tomcat/trunk/java/org/apache/catalina/authenticator/BasicAuthenticator.java
tomcat/trunk/java/org/apache/catalina/authenticator/LocalStrings.properties
tomcat/trunk/test/org/apache/catalina/authenticator/TestBasicAuthParser.java
tomcat/trunk/webapps/docs/changelog.xml
tomcat/trunk/webapps/docs/config/valve.xml
Modified: tomcat/trunk/java/org/apache/catalina/authenticator/BasicAuthenticator.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/BasicAuthenticator.java?rev=1807004&r1=1807003&r2=1807004&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/authenticator/BasicAuthenticator.java (original)
+++ tomcat/trunk/java/org/apache/catalina/authenticator/BasicAuthenticator.java Fri Sep 1 19:51:42 2017
@@ -20,6 +20,7 @@ package org.apache.catalina.authenticato
import java.io.IOException;
+import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.security.Principal;
@@ -43,10 +44,30 @@ import org.apache.tomcat.util.codec.bina
* @author Craig R. McClanahan
*/
public class BasicAuthenticator extends AuthenticatorBase {
+
private static final Log log = LogFactory.getLog(BasicAuthenticator.class);
+ private Charset charset = StandardCharsets.UTF_8;
+ private String charsetString = "UTF-8";
+
+
+ public String getCharset() {
+ return charsetString;
+ }
+
+
+ public void setCharset(String charsetString) {
+ // Only acceptable options are null, "" or "UTF-8" (case insensitive)
+ if (charsetString == null || charsetString.isEmpty()) {
+ charset = StandardCharsets.ISO_8859_1;
+ } else if ("UTF-8".equalsIgnoreCase(charsetString)) {
+ charset = StandardCharsets.UTF_8;
+ } else {
+ throw new IllegalArgumentException(sm.getString("basicAuthenticator.invalidCharset"));
+ }
+ this.charsetString = charsetString;
+ }
- // --------------------------------------------------------- Public Methods
@Override
protected boolean doAuthenticate(Request request, HttpServletResponse response)
@@ -66,7 +87,7 @@ public class BasicAuthenticator extends
ByteChunk authorizationBC = authorization.getByteChunk();
BasicCredentials credentials = null;
try {
- credentials = new BasicCredentials(authorizationBC);
+ credentials = new BasicCredentials(authorizationBC, charset);
String username = credentials.getUsername();
String password = credentials.getPassword();
@@ -89,6 +110,10 @@ public class BasicAuthenticator extends
value.append("Basic realm=\"");
value.append(getRealmName(context));
value.append('\"');
+ if (charsetString != null && !charsetString.isEmpty()) {
+ value.append(", charset=");
+ value.append(charsetString);
+ }
response.setHeader(AUTH_HEADER_NAME, value.toString());
response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
return false;
@@ -112,28 +137,31 @@ public class BasicAuthenticator extends
// note: we include single white space as its delimiter
private static final String METHOD = "basic ";
- private ByteChunk authorization;
- private int initialOffset;
+ private final Charset charset;
+ private final ByteChunk authorization;
+ private final int initialOffset;
private int base64blobOffset;
private int base64blobLength;
private String username = null;
private String password = null;
-
/**
* Parse the HTTP Authorization header for BASIC authentication
* as per RFC 2617 section 2, and the Base64 encoded credentials
* as per RFC 2045 section 6.8.
*
- * @param input The header value to parse in-place
+ * @param input The header value to parse in-place
+ * @param charset The character set to use to convert the bytes to a
+ * string
*
* @throws IllegalArgumentException If the header does not conform
* to RFC 2617
*/
- public BasicCredentials(ByteChunk input)
- throws IllegalArgumentException {
+ public BasicCredentials(ByteChunk input, Charset charset) throws IllegalArgumentException {
authorization = input;
initialOffset = input.getOffset();
+ this.charset = charset;
+
parseMethod();
byte[] decoded = parseBase64();
parseCredentials(decoded);
@@ -210,15 +238,12 @@ public class BasicAuthenticator extends
}
if (colon < 0) {
- username = new String(decoded, StandardCharsets.ISO_8859_1);
+ username = new String(decoded, charset);
// password will remain null!
}
else {
- username = new String(
- decoded, 0, colon, StandardCharsets.ISO_8859_1);
- password = new String(
- decoded, colon + 1, decoded.length - colon - 1,
- StandardCharsets.ISO_8859_1);
+ username = new String(decoded, 0, colon, charset);
+ password = new String(decoded, colon + 1, decoded.length - colon - 1, charset);
// tolerate surplus white space around credentials
if (password.length() > 1) {
password = password.trim();
Modified: tomcat/trunk/java/org/apache/catalina/authenticator/LocalStrings.properties
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/LocalStrings.properties?rev=1807004&r1=1807003&r2=1807004&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/authenticator/LocalStrings.properties (original)
+++ tomcat/trunk/java/org/apache/catalina/authenticator/LocalStrings.properties Fri Sep 1 19:51:42 2017
@@ -32,6 +32,8 @@ authenticator.sessionExpired=The time al
authenticator.unauthorized=Cannot authenticate with the provided credentials
authenticator.tomcatPrincipalLogoutFail=Logout with TomcatPrincipal instance has failed
+basicAuthenticator.invalidCharset=The only permitted values are null, the empty string or UTF-8
+
digestAuthenticator.cacheRemove=A valid entry has been removed from client nonce cache to make room for new entries. A replay attack is now possible. To prevent the possibility of replay attacks, reduce nonceValidity or increase cnonceCacheSize. Further warnings of this type will be suppressed for 5 minutes.
formAuthenticator.forwardErrorFail=Unexpected error forwarding to error page
Modified: tomcat/trunk/test/org/apache/catalina/authenticator/TestBasicAuthParser.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/test/org/apache/catalina/authenticator/TestBasicAuthParser.java?rev=1807004&r1=1807003&r2=1807004&view=diff
==============================================================================
--- tomcat/trunk/test/org/apache/catalina/authenticator/TestBasicAuthParser.java (original)
+++ tomcat/trunk/test/org/apache/catalina/authenticator/TestBasicAuthParser.java Fri Sep 1 19:51:42 2017
@@ -45,7 +45,7 @@ public class TestBasicAuthParser {
new BasicAuthHeader(NICE_METHOD, USER_NAME, PASSWORD);
BasicAuthenticator.BasicCredentials credentials =
new BasicAuthenticator.BasicCredentials(
- AUTH_HEADER.getHeader());
+ AUTH_HEADER.getHeader(), StandardCharsets.UTF_8);
Assert.assertEquals(USER_NAME, credentials.getUsername());
Assert.assertEquals(PASSWORD, credentials.getPassword());
}
@@ -56,7 +56,7 @@ public class TestBasicAuthParser {
new BasicAuthHeader(NICE_METHOD, USER_NAME, null);
BasicAuthenticator.BasicCredentials credentials =
new BasicAuthenticator.BasicCredentials(
- AUTH_HEADER.getHeader());
+ AUTH_HEADER.getHeader(), StandardCharsets.UTF_8);
Assert.assertEquals(USER_NAME, credentials.getUsername());
Assert.assertNull(credentials.getPassword());
}
@@ -68,7 +68,7 @@ public class TestBasicAuthParser {
new BasicAuthHeader(NICE_METHOD, BASE64_CRIB);
BasicAuthenticator.BasicCredentials credentials =
new BasicAuthenticator.BasicCredentials(
- AUTH_HEADER.getHeader());
+ AUTH_HEADER.getHeader(), StandardCharsets.UTF_8);
Assert.assertEquals(USER_NAME, credentials.getUsername());
Assert.assertEquals(PASSWORD, credentials.getPassword());
}
@@ -80,7 +80,7 @@ public class TestBasicAuthParser {
new BasicAuthHeader(NICE_METHOD, BASE64_CRIB);
BasicAuthenticator.BasicCredentials credentials =
new BasicAuthenticator.BasicCredentials(
- AUTH_HEADER.getHeader());
+ AUTH_HEADER.getHeader(), StandardCharsets.UTF_8);
Assert.assertEquals(USER_NAME, credentials.getUsername());
Assert.assertNull(credentials.getPassword());
}
@@ -93,7 +93,7 @@ public class TestBasicAuthParser {
new BasicAuthHeader(NICE_METHOD, BASE64_CRIB);
BasicAuthenticator.BasicCredentials credentials =
new BasicAuthenticator.BasicCredentials(
- AUTH_HEADER.getHeader());
+ AUTH_HEADER.getHeader(), StandardCharsets.UTF_8);
Assert.assertEquals(USER_NAME, credentials.getUsername());
Assert.assertEquals(PASSWORD1, credentials.getPassword());
}
@@ -119,7 +119,7 @@ public class TestBasicAuthParser {
new BasicAuthHeader(NICE_METHOD, BASE64_CRIB);
BasicAuthenticator.BasicCredentials credentials =
new BasicAuthenticator.BasicCredentials(
- AUTH_HEADER.getHeader());
+ AUTH_HEADER.getHeader(), StandardCharsets.UTF_8);
Assert.assertEquals(USER_LONG, credentials.getUsername());
}
@@ -141,7 +141,7 @@ public class TestBasicAuthParser {
new BasicAuthHeader(NICE_METHOD, BASE64_CRIB);
BasicAuthenticator.BasicCredentials credentials =
new BasicAuthenticator.BasicCredentials(
- AUTH_HEADER.getHeader());
+ AUTH_HEADER.getHeader(), StandardCharsets.UTF_8);
Assert.assertEquals(USER_LONG, credentials.getUsername());
}
@@ -157,7 +157,7 @@ public class TestBasicAuthParser {
new BasicAuthHeader(METHOD, USER_NAME, PASSWORD);
BasicAuthenticator.BasicCredentials credentials =
new BasicAuthenticator.BasicCredentials(
- AUTH_HEADER.getHeader());
+ AUTH_HEADER.getHeader(), StandardCharsets.UTF_8);
Assert.assertEquals(USER_NAME, credentials.getUsername());
Assert.assertEquals(PASSWORD, credentials.getPassword());
}
@@ -174,7 +174,7 @@ public class TestBasicAuthParser {
BasicAuthenticator.BasicCredentials credentials = null;
try {
credentials = new BasicAuthenticator.BasicCredentials(
- AUTH_HEADER.getHeader());
+ AUTH_HEADER.getHeader(), StandardCharsets.UTF_8);
Assert.fail("IllegalArgumentException expected");
}
catch (Exception e) {
@@ -197,7 +197,7 @@ public class TestBasicAuthParser {
new BasicAuthHeader(NICE_METHOD + " ", USER_NAME, PASSWORD);
final BasicAuthenticator.BasicCredentials credentials =
new BasicAuthenticator.BasicCredentials(
- AUTH_HEADER.getHeader());
+ AUTH_HEADER.getHeader(), StandardCharsets.UTF_8);
Assert.assertEquals(USER_NAME, credentials.getUsername());
Assert.assertEquals(PASSWORD, credentials.getPassword());
}
@@ -213,7 +213,7 @@ public class TestBasicAuthParser {
new BasicAuthHeader(NICE_METHOD, USER_NAME, PWD_WRONG);
BasicAuthenticator.BasicCredentials credentials =
new BasicAuthenticator.BasicCredentials(
- AUTH_HEADER.getHeader());
+ AUTH_HEADER.getHeader(), StandardCharsets.UTF_8);
Assert.assertEquals(USER_NAME, credentials.getUsername());
Assert.assertNotSame(PASSWORD, credentials.getPassword());
}
@@ -225,7 +225,7 @@ public class TestBasicAuthParser {
new BasicAuthHeader(NICE_METHOD, EMPTY_USER_NAME, PASSWORD);
BasicAuthenticator.BasicCredentials credentials =
new BasicAuthenticator.BasicCredentials(
- AUTH_HEADER.getHeader());
+ AUTH_HEADER.getHeader(), StandardCharsets.UTF_8);
Assert.assertEquals(EMPTY_USER_NAME, credentials.getUsername());
Assert.assertEquals(PASSWORD, credentials.getPassword());
}
@@ -237,7 +237,7 @@ public class TestBasicAuthParser {
new BasicAuthHeader(NICE_METHOD, SHORT_USER_NAME, PASSWORD);
BasicAuthenticator.BasicCredentials credentials =
new BasicAuthenticator.BasicCredentials(
- AUTH_HEADER.getHeader());
+ AUTH_HEADER.getHeader(), StandardCharsets.UTF_8);
Assert.assertEquals(SHORT_USER_NAME, credentials.getUsername());
Assert.assertEquals(PASSWORD, credentials.getPassword());
}
@@ -249,7 +249,7 @@ public class TestBasicAuthParser {
new BasicAuthHeader(NICE_METHOD, USER_NAME, SHORT_PASSWORD);
BasicAuthenticator.BasicCredentials credentials =
new BasicAuthenticator.BasicCredentials(
- AUTH_HEADER.getHeader());
+ AUTH_HEADER.getHeader(), StandardCharsets.UTF_8);
Assert.assertEquals(USER_NAME, credentials.getUsername());
Assert.assertEquals(SHORT_PASSWORD, credentials.getPassword());
}
@@ -261,7 +261,7 @@ public class TestBasicAuthParser {
new BasicAuthHeader(NICE_METHOD, USER_NAME, PASSWORD_SPACE);
BasicAuthenticator.BasicCredentials credentials =
new BasicAuthenticator.BasicCredentials(
- AUTH_HEADER.getHeader());
+ AUTH_HEADER.getHeader(), StandardCharsets.UTF_8);
Assert.assertEquals(USER_NAME, credentials.getUsername());
Assert.assertEquals(PASSWORD_SPACE, credentials.getPassword());
}
@@ -273,7 +273,7 @@ public class TestBasicAuthParser {
new BasicAuthHeader(NICE_METHOD, USER_NAME, PASSWORD_COLON);
BasicAuthenticator.BasicCredentials credentials =
new BasicAuthenticator.BasicCredentials(
- AUTH_HEADER.getHeader());
+ AUTH_HEADER.getHeader(), StandardCharsets.UTF_8);
Assert.assertEquals(USER_NAME, credentials.getUsername());
Assert.assertEquals(PASSWORD_COLON, credentials.getPassword());
}
@@ -285,7 +285,7 @@ public class TestBasicAuthParser {
new BasicAuthHeader(NICE_METHOD, USER_NAME, PASSWORD_COLON);
BasicAuthenticator.BasicCredentials credentials =
new BasicAuthenticator.BasicCredentials(
- AUTH_HEADER.getHeader());
+ AUTH_HEADER.getHeader(), StandardCharsets.UTF_8);
Assert.assertEquals(USER_NAME, credentials.getUsername());
Assert.assertEquals(PASSWORD_COLON, credentials.getPassword());
}
@@ -297,7 +297,7 @@ public class TestBasicAuthParser {
new BasicAuthHeader(NICE_METHOD, USER_NAME, PASSWORD_COLON);
BasicAuthenticator.BasicCredentials credentials =
new BasicAuthenticator.BasicCredentials(
- AUTH_HEADER.getHeader());
+ AUTH_HEADER.getHeader(), StandardCharsets.UTF_8);
Assert.assertEquals(USER_NAME, credentials.getUsername());
Assert.assertEquals(PASSWORD_COLON, credentials.getPassword());
}
@@ -315,7 +315,7 @@ public class TestBasicAuthParser {
new BasicAuthHeader(NICE_METHOD, USER_NAME, PASSWORD, " ");
BasicAuthenticator.BasicCredentials credentials =
new BasicAuthenticator.BasicCredentials(
- AUTH_HEADER.getHeader());
+ AUTH_HEADER.getHeader(), StandardCharsets.UTF_8);
Assert.assertEquals(USER_NAME, credentials.getUsername());
Assert.assertEquals(PASSWORD, credentials.getPassword());
}
@@ -334,7 +334,7 @@ public class TestBasicAuthParser {
new BasicAuthHeader(NICE_METHOD, " " + USER_NAME + " ", PASSWORD);
BasicAuthenticator.BasicCredentials credentials =
new BasicAuthenticator.BasicCredentials(
- AUTH_HEADER.getHeader());
+ AUTH_HEADER.getHeader(), StandardCharsets.UTF_8);
Assert.assertEquals(USER_NAME, credentials.getUsername());
Assert.assertEquals(PASSWORD, credentials.getPassword());
}
@@ -353,7 +353,7 @@ public class TestBasicAuthParser {
new BasicAuthHeader(NICE_METHOD, USER_NAME, " " + PASSWORD + " ");
BasicAuthenticator.BasicCredentials credentials =
new BasicAuthenticator.BasicCredentials(
- AUTH_HEADER.getHeader());
+ AUTH_HEADER.getHeader(), StandardCharsets.UTF_8);
Assert.assertEquals(USER_NAME, credentials.getUsername());
Assert.assertEquals(PASSWORD, credentials.getPassword());
}
@@ -378,7 +378,7 @@ public class TestBasicAuthParser {
new BasicAuthHeader(NICE_METHOD, BASE64_CRIB);
BasicAuthenticator.BasicCredentials credentials =
new BasicAuthenticator.BasicCredentials(
- AUTH_HEADER.getHeader());
+ AUTH_HEADER.getHeader(), StandardCharsets.UTF_8);
Assert.assertEquals(USER_NAME, credentials.getUsername());
Assert.assertNotSame(PASSWORD, credentials.getPassword());
Assert.assertEquals(TRUNCATED_PWD, credentials.getPassword());
@@ -396,7 +396,7 @@ public class TestBasicAuthParser {
new BasicAuthHeader(NICE_METHOD, BASE64_CRIB);
BasicAuthenticator.BasicCredentials credentials =
new BasicAuthenticator.BasicCredentials(
- AUTH_HEADER.getHeader());
+ AUTH_HEADER.getHeader(), StandardCharsets.UTF_8);
Assert.assertEquals(USER_NAME, credentials.getUsername());
Assert.assertNotSame(PASSWORD, credentials.getPassword());
}
@@ -416,7 +416,7 @@ public class TestBasicAuthParser {
new BasicAuthHeader(NICE_METHOD, BASE64_CRIB);
BasicAuthenticator.BasicCredentials credentials =
new BasicAuthenticator.BasicCredentials(
- AUTH_HEADER.getHeader());
+ AUTH_HEADER.getHeader(), StandardCharsets.UTF_8);
Assert.assertEquals(USER_NAME, credentials.getUsername());
Assert.assertEquals(POSSIBLY_DAMAGED_PWD, credentials.getPassword());
}
@@ -433,7 +433,7 @@ public class TestBasicAuthParser {
new BasicAuthHeader(NICE_METHOD, BASE64_CRIB);
BasicAuthenticator.BasicCredentials credentials =
new BasicAuthenticator.BasicCredentials(
- AUTH_HEADER.getHeader());
+ AUTH_HEADER.getHeader(), StandardCharsets.UTF_8);
Assert.assertEquals(USER_NAME, credentials.getUsername());
Assert.assertEquals(PASSWORD, credentials.getPassword());
}
@@ -452,7 +452,7 @@ public class TestBasicAuthParser {
new BasicAuthHeader(NICE_METHOD, BASE64_CRIB);
BasicAuthenticator.BasicCredentials credentials =
new BasicAuthenticator.BasicCredentials(
- AUTH_HEADER.getHeader());
+ AUTH_HEADER.getHeader(), StandardCharsets.UTF_8);
Assert.assertEquals(USER_NAME, credentials.getUsername());
Assert.assertEquals(PASSWORD, credentials.getPassword());
}
Modified: tomcat/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1807004&r1=1807003&r2=1807004&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Fri Sep 1 19:51:42 2017
@@ -77,6 +77,10 @@
added in Java 9 to only disable the caching for JAR URL connections.
(markt)
</add>
+ <add>
+ <bug>61280</bug>: Add RFC 7617 support to the
+ <code>BasicAuthenticator</code>. (markt)
+ </add>
</changelog>
</subsection>
<subsection name="Coyote">
Modified: tomcat/trunk/webapps/docs/config/valve.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/valve.xml?rev=1807004&r1=1807003&r2=1807004&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/config/valve.xml (original)
+++ tomcat/trunk/webapps/docs/config/valve.xml Fri Sep 1 19:51:42 2017
@@ -1098,6 +1098,19 @@
used.</p>
</attribute>
+ <attribute name="charset" required="false">
+ <p>Controls if the <code>WWW-Authenticate</code> HTTP header includes a
+ <code>charset</code> authentication parameter as per RFC 7617. The only
+ permitted options are <code>null</code>, the empty string and
+ <code>UTF-8</code>. If <code>UTF-8</code> is specified then the
+ <code>charset</code> authentication parameter will be sent with that
+ value and the provided user name and optional password will be converted
+ from bytes to characters using UTF-8. Otherwise, no <code>charset</code>
+ authentication parameter will be sent and the provided user name and
+ optional password will be converted from bytes to characters using
+ ISO-8859-1. The default value is <code>UTF-8</code></p>
+ </attribute>
+
<attribute name="className" required="true">
<p>Java class name of the implementation to use. This MUST be set to
<strong>org.apache.catalina.authenticator.BasicAuthenticator</strong>.</p>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
Re: svn commit: r1807004 - in /tomcat/trunk:
java/org/apache/catalina/authenticator/
test/org/apache/catalina/authenticator/ webapps/docs/ webapps/docs/config/
Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Mark,
On 9/1/17 4:18 PM, Mark Thomas wrote:
> On 01/09/17 20:51, markt@apache.org wrote:
>> Author: markt Date: Fri Sep 1 19:51:42 2017 New Revision:
>> 1807004
>>
>> URL: http://svn.apache.org/viewvc?rev=1807004&view=rev Log: Fix
>> https://bz.apache.org/bugzilla/show_bug.cgi?id=61280 Add RFC 7617
>> support to the BasicAuthenticator
>
> I'd like to back-port this but before I do I wanted to get some
> feedback on the default.
>
> The options are:
>
> a) UTF-8 (the default for 9.0.x)
>
> b) "" or null (the current behaviour)
>
> The advantage of a) is that we'll support i18n user names and
> passwords out of the box (assuming the browser does).
>
> The disadvantage of a) is that we'll break authentication for any
> user name or password using ISO-8859-1 characters in the 128-255
> range where the browser uses ISO-8859-1 by default and doesn't
> support RFC 7617.
>
> A quick test suggests that this varies between browsers.
>
> Chrome appears to use UTF-8 by default. I can't tell if Chrome
> supports RFC 7617 since it always uses UTF-8.
>
> Firefox appears to use ISO-8859-1 by default. It also appears that
> Firefox doesn't support RFC 7617.
>
> IE is the same as Firefox.
>
> Hmm. This is a lot messier than I thought it would be. Given what I
> have observed, there is no combination I can see that will allow
> BASIC auth to work with a user name or password that contains non
> ASCII characters with both IE, Firefox and Chrome.
>
> Thoughts?
In general, I'd say that UTF-8 should be the default for everything
moving forward. So, for back-porting to 8.5, UTF-8 should be the
default. But for 8.0, we should probably use ""/null.
OTOH, we had conversations about 8.5 being as easy possible as a
drop-in replacement for 8.0, and using UTF-8 would therefore hamper
that goal.
Maybe we should be ""/null for all backports, and let 9.0 only be
UTF-8 (by default, of course).
- -chris
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iQIcBAEBCAAGBQJZqxKnAAoJEBzwKT+lPKRYru0P/3ZbURp8BNBEkD5VQDU+dm24
+UeXRje0gchqqbSwL1Xaao02hEU/4x8oaV7/PldlcFlYoNFgmwlw0wjcJXq63YO8
9ygg24JMhv88GO5tkp7iiuBoQwVmdMA3mrMPqORIQ4U5CSyFdwtS1gbhXNYHW96X
fCCKxvy+abhDMUX+IqteXCuYGdlbTiwoReLVBSUfLGGUBNPHUB3VwCiKi/CC3GE3
dgv9FaSFLR2R/g6jV6JNB5E3xggD+n2UXCyQ3fO6yA3fwJGBNg26xrWxNnaleu+i
J16OVUpyb0s/nMztuqmd6O1AoBMGwp9kb16G0G2XH3p950UOi7upcO8Ysdz9SCHi
qBuCbj/YK9VzxGk64gxcnCmJgiAkxxktqpa+q31qQy5rfolJs6xz7I6hmE4pOsN2
Ks7Ob0uLs1uN93bzES/vH7VEQ3JJcOYrTGSt97ZnMv0lI4fDoZlZFWoEn0RbsQCl
GOIB3yd6xILlNKzjiibz6TIQZepszNBmJUB1T11/zTw6vKoL4CQVcXm5spZXX5SF
JkWkoMonbFhSpoi7LzB4/guO10HGXfaemMP6Kg9R7tH+LuXzc4wiOmV2poAGDlqB
dnMd4oQJBceYtm2fmbAtHtcaxvYtD+hEeutPm/B5aWEkgmoiKwVM5cbz729j61RN
MbNZ4JE6SfbS0e5vDUrb
=jG5+
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
Re: svn commit: r1807004 - in /tomcat/trunk: java/org/apache/catalina/authenticator/
test/org/apache/catalina/authenticator/ webapps/docs/ webapps/docs/config/
Posted by Rémy Maucherat <re...@apache.org>.
On Mon, Sep 4, 2017 at 11:07 AM, Mark Thomas <ma...@apache.org> wrote:
> On 04/09/17 06:25, Rémy Maucherat wrote:
> > On Fri, Sep 1, 2017 at 10:18 PM, Mark Thomas <ma...@apache.org> wrote:
> >
> >> On 01/09/17 20:51, markt@apache.org wrote:
> >>> Author: markt
> >>> Date: Fri Sep 1 19:51:42 2017
> >>> New Revision: 1807004
> >>>
> >>> URL: http://svn.apache.org/viewvc?rev=1807004&view=rev
> >>> Log:
> >>> Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=61280
> >>> Add RFC 7617 support to the BasicAuthenticator
> >>
> >> I'd like to back-port this but before I do I wanted to get some feedback
> >> on the default.
> >>
> >> The options are:
> >>
> >> a) UTF-8 (the default for 9.0.x)
> >>
> >> b) "" or null (the current behaviour)
> >>
> >> The advantage of a) is that we'll support i18n user names and passwords
> >> out of the box (assuming the browser does).
> >>
> >> The disadvantage of a) is that we'll break authentication for any user
> >> name or password using ISO-8859-1 characters in the 128-255 range where
> >> the browser uses ISO-8859-1 by default and doesn't support RFC 7617.
> >>
> >> A quick test suggests that this varies between browsers.
> >>
> >> Chrome appears to use UTF-8 by default. I can't tell if Chrome supports
> >> RFC 7617 since it always uses UTF-8.
> >>
> >> Firefox appears to use ISO-8859-1 by default. It also appears that
> >> Firefox doesn't support RFC 7617.
> >>
> >> IE is the same as Firefox.
> >>
> >> Hmm. This is a lot messier than I thought it would be. Given what I have
> >> observed, there is no combination I can see that will allow BASIC auth
> >> to work with a user name or password that contains non ASCII characters
> >> with both IE, Firefox and Chrome.
> >>
> >> Thoughts?
> >>
> >
> > Huuum, since this doesn't work properly yet, I think the default should
> > remain ISO-8859-1 in all cases for now.
>
> Fair enough. I'll change the default for 9.0.x and then back-port.
>
> We can revisit the default once (if?) the browsers implement RFC 7617.
>
+1 I think it's the most reasonable option.
Rémy
>
> Mark
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: dev-help@tomcat.apache.org
>
>
Re: svn commit: r1807004 - in /tomcat/trunk:
java/org/apache/catalina/authenticator/
test/org/apache/catalina/authenticator/ webapps/docs/ webapps/docs/config/
Posted by Mark Thomas <ma...@apache.org>.
On 04/09/17 06:25, Rémy Maucherat wrote:
> On Fri, Sep 1, 2017 at 10:18 PM, Mark Thomas <ma...@apache.org> wrote:
>
>> On 01/09/17 20:51, markt@apache.org wrote:
>>> Author: markt
>>> Date: Fri Sep 1 19:51:42 2017
>>> New Revision: 1807004
>>>
>>> URL: http://svn.apache.org/viewvc?rev=1807004&view=rev
>>> Log:
>>> Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=61280
>>> Add RFC 7617 support to the BasicAuthenticator
>>
>> I'd like to back-port this but before I do I wanted to get some feedback
>> on the default.
>>
>> The options are:
>>
>> a) UTF-8 (the default for 9.0.x)
>>
>> b) "" or null (the current behaviour)
>>
>> The advantage of a) is that we'll support i18n user names and passwords
>> out of the box (assuming the browser does).
>>
>> The disadvantage of a) is that we'll break authentication for any user
>> name or password using ISO-8859-1 characters in the 128-255 range where
>> the browser uses ISO-8859-1 by default and doesn't support RFC 7617.
>>
>> A quick test suggests that this varies between browsers.
>>
>> Chrome appears to use UTF-8 by default. I can't tell if Chrome supports
>> RFC 7617 since it always uses UTF-8.
>>
>> Firefox appears to use ISO-8859-1 by default. It also appears that
>> Firefox doesn't support RFC 7617.
>>
>> IE is the same as Firefox.
>>
>> Hmm. This is a lot messier than I thought it would be. Given what I have
>> observed, there is no combination I can see that will allow BASIC auth
>> to work with a user name or password that contains non ASCII characters
>> with both IE, Firefox and Chrome.
>>
>> Thoughts?
>>
>
> Huuum, since this doesn't work properly yet, I think the default should
> remain ISO-8859-1 in all cases for now.
Fair enough. I'll change the default for 9.0.x and then back-port.
We can revisit the default once (if?) the browsers implement RFC 7617.
Mark
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
Re: svn commit: r1807004 - in /tomcat/trunk: java/org/apache/catalina/authenticator/
test/org/apache/catalina/authenticator/ webapps/docs/ webapps/docs/config/
Posted by Rémy Maucherat <re...@apache.org>.
On Fri, Sep 1, 2017 at 10:18 PM, Mark Thomas <ma...@apache.org> wrote:
> On 01/09/17 20:51, markt@apache.org wrote:
> > Author: markt
> > Date: Fri Sep 1 19:51:42 2017
> > New Revision: 1807004
> >
> > URL: http://svn.apache.org/viewvc?rev=1807004&view=rev
> > Log:
> > Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=61280
> > Add RFC 7617 support to the BasicAuthenticator
>
> I'd like to back-port this but before I do I wanted to get some feedback
> on the default.
>
> The options are:
>
> a) UTF-8 (the default for 9.0.x)
>
> b) "" or null (the current behaviour)
>
> The advantage of a) is that we'll support i18n user names and passwords
> out of the box (assuming the browser does).
>
> The disadvantage of a) is that we'll break authentication for any user
> name or password using ISO-8859-1 characters in the 128-255 range where
> the browser uses ISO-8859-1 by default and doesn't support RFC 7617.
>
> A quick test suggests that this varies between browsers.
>
> Chrome appears to use UTF-8 by default. I can't tell if Chrome supports
> RFC 7617 since it always uses UTF-8.
>
> Firefox appears to use ISO-8859-1 by default. It also appears that
> Firefox doesn't support RFC 7617.
>
> IE is the same as Firefox.
>
> Hmm. This is a lot messier than I thought it would be. Given what I have
> observed, there is no combination I can see that will allow BASIC auth
> to work with a user name or password that contains non ASCII characters
> with both IE, Firefox and Chrome.
>
> Thoughts?
>
Huuum, since this doesn't work properly yet, I think the default should
remain ISO-8859-1 in all cases for now.
Rémy
>
> Mark
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: dev-help@tomcat.apache.org
>
>
Re: svn commit: r1807004 - in /tomcat/trunk:
java/org/apache/catalina/authenticator/
test/org/apache/catalina/authenticator/ webapps/docs/ webapps/docs/config/
Posted by Mark Thomas <ma...@apache.org>.
On 01/09/17 20:51, markt@apache.org wrote:
> Author: markt
> Date: Fri Sep 1 19:51:42 2017
> New Revision: 1807004
>
> URL: http://svn.apache.org/viewvc?rev=1807004&view=rev
> Log:
> Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=61280
> Add RFC 7617 support to the BasicAuthenticator
I'd like to back-port this but before I do I wanted to get some feedback
on the default.
The options are:
a) UTF-8 (the default for 9.0.x)
b) "" or null (the current behaviour)
The advantage of a) is that we'll support i18n user names and passwords
out of the box (assuming the browser does).
The disadvantage of a) is that we'll break authentication for any user
name or password using ISO-8859-1 characters in the 128-255 range where
the browser uses ISO-8859-1 by default and doesn't support RFC 7617.
A quick test suggests that this varies between browsers.
Chrome appears to use UTF-8 by default. I can't tell if Chrome supports
RFC 7617 since it always uses UTF-8.
Firefox appears to use ISO-8859-1 by default. It also appears that
Firefox doesn't support RFC 7617.
IE is the same as Firefox.
Hmm. This is a lot messier than I thought it would be. Given what I have
observed, there is no combination I can see that will allow BASIC auth
to work with a user name or password that contains non ASCII characters
with both IE, Firefox and Chrome.
Thoughts?
Mark
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org