- Bug
- Resolution: Fixed
- P4
- 5.0, 6u15
- b94
- x86
- linux, windows_xp
- Verified
FULL PRODUCT VERSION :
java version "1.6.0_15"
Java(TM) SE Runtime Environment (build 1.6.0_15-b03)
Java HotSpot(TM) 64-Bit Server VM (build 14.1-b02, mixed mode)
ADDITIONAL OS VERSION INFORMATION :
Linux 2.6.31-20-generic #58-Ubuntu SMP Fri Mar 12 04:38:19 UTC 2010 x86_64 GNU/Linux
A DESCRIPTION OF THE PROBLEM :
When using java.net.Authenticator and java.net.PasswordAuthentication to set Basic Authentication credentials for a java.net.HttpURLConnection, you will get an error if the combined username and password are too long. This requires that the site being connected to is returning a rejection to facilitate Basic Authentication.
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Set up a site that sends rejections similar to:
HttpServletResponse response;
response.setHeader("WWW-Authenticate", "Basic realm=\"Test\"");
response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
and then run this class:
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
The client should get a rejection from the server to initiate basic authentication and then the client should send this as a header:
Basic UGFzc3dvcmRJc0F1dGhUb2tlbjphYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFh
ACTUAL -
The client gets the rejection to initiate basic authentication and then it generates an illegal HTTP header that line-wraps but does not begin the next line with a space or tab.
ERROR MESSAGES/STACK TRACES THAT OCCUR :
Exception in thread "main" java.lang.RuntimeException: java.lang.IllegalArgumentException: Illegal character(s) in message header value: Basic UGFzc3dvcmRJc0F1dGhUb2tlbjphYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFh
YWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFh
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:930)
at sun.net.www.protocol.http.HttpURLConnection.getHeaderField(HttpURLConnection.java:2031)
at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:376)
at Main.main(Main.java:21)
REPRODUCIBILITY :
This bug can be reproduced always.
---------- BEGIN SOURCE ----------
import java.net.Authenticator;
import java.net.HttpURLConnection;
import java.net.PasswordAuthentication;
import java.net.URL;
public class Main {
    public static void main(String[] args)
            throws Exception {
        Authenticator.setDefault(new Authenticator() {
            protected PasswordAuthentication getPasswordAuthentication() {
                Thread.dumpStack();
                return new PasswordAuthentication("PasswordIsAuthToken",
                        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa".toCharArray());
            }
        });
        URL url = new URL("http://localhost:8080");
        HttpURLConnection urlConnection = (HttpURLConnection)url.openConnection();
        try {
            System.out.println("response code: " + urlConnection.getResponseCode());
        }
        finally {
            urlConnection.disconnect();
        }
    }
}
---------- END SOURCE ----------
CUSTOMER SUBMITTED WORKAROUND :
Only known workaround is to use a 3rd party library for URL connections such as HttpClient.
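ADDED EXAMPLE (not part of the original report and not JDK code) :
The failure mode described above, a Base64 encoder that wraps its output producing a header value with an embedded line break, shown next to a non-wrapping encoder and a CR/LF check on the resulting value. It assumes Java 8 or later for java.util.Base64; the class name, helper names and the filler password are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;

public class BasicAuthHeaderCheck {

    /** Builds "Basic <base64(user:password)>" using the supplied encoder. */
    static String basicHeader(Base64.Encoder enc, String user, char[] password) {
        String credentials = user + ":" + new String(password);
        byte[] raw = credentials.getBytes(StandardCharsets.ISO_8859_1);
        return "Basic " + enc.encodeToString(raw);
    }

    /** Index of the first CR or LF in a header value, or -1 if it is a single line. */
    static int firstLineBreak(String value) {
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (c == '\r' || c == '\n') {
                return i;
            }
        }
        return -1;
    }

    public static void main(String[] args) {
        // Constructed sample: the report's username with a long filler password,
        // long enough that the encoded credentials exceed 76 characters.
        char[] password = new char[88];
        Arrays.fill(password, 'a');

        // The MIME encoder wraps at 76 characters with CRLF: the value is not a
        // legal single-line header and must be rejected before it is sent.
        String wrapped = basicHeader(Base64.getMimeEncoder(), "PasswordIsAuthToken", password);

        // The basic encoder never inserts line separators.
        String single = basicHeader(Base64.getEncoder(), "PasswordIsAuthToken", password);

        System.out.println("MIME encoder, first line break at index: " + firstLineBreak(wrapped));
        System.out.println("Basic encoder, first line break at index: " + firstLineBreak(single));
    }
}
```

Rejecting any header value for which firstLineBreak returns a non-negative index mirrors the IllegalArgumentException in the stack trace above: a bare line break inside a header value would otherwise end the header early on the wire.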
- duplicates
  - JDK-6459815 Long passwords cause Basic Auth to fail with a java.net.Authenticator
  - Closed