JDK-7130840

Not re-challenged when you mis-enter the credentials if you select "Save this password in your password"



    • b57
    • x86
    • windows_xp
    • Verified



        Normally if you are challenged for HTTP basic authentication and mis-enter the credentials, you are re-challenged. Recently discovered that at least in Java 7 Update 2 and Java 6 Update 30, this is not the case if you select the "Save this password in your password list" checkbox.

        I would not expect this checkbox to prevent the user from being re-challenged if the credentials are not accepted. Certainly browsers don't behave that way for a similar checkbox.

        Overall this causes confusion when deeper exceptions occur due to the failure of the credentials rather than the user simply being re-prompted for these credentials.

        Note that 'http://jessh0l.ptcnet.ptc.com/PDMLinkX22/servlet/WindchillAuthGW/wt.httpgw.HTTPAuthentication/login' requires HTTP basic authentication. I chose a URL not ending in a file extension as I know that for some (inexplicable) reason this particular Java Plug-In code has been influenced by this -- and this URL is actually the one our applet is having issues with.

        The applet is a very rudimentary 100% x 100% applet. Clicking on it will cause an attempt to open a URL connection and get the result status.

        If one enters the correct credentials, a 200 response is returned -- no surprise.

        If one enters incorrect credentials but leaves the "Save this password in your password list" checkbox unchecked, then you are immediately reprompted for the correct credentials. As long as you eventually enter the correct credential, a 200 response is returned.

        If one enters incorrect credentials *and* checks the "Save this password in your password list" checkbox, then the user is not prompted for the correct credentials and a 401 response is immediately returned. Subsequent attempts with the same applet in this or other browser sessions also do not prompt for correct credentials and result in immediate 401 responses. Removing the auth.dat file (or logging out at the OS level) resolves the issue.

        The expected behavior is that the credentials are only saved *if* they were correct. Otherwise one should instead be re-prompted for correct credentials.
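The difference between the reported and the expected handling of a saved password can be modelled in a few lines. This is an added example, not code from the Java Plug-In or from the reporter's applet; the `saved` map (standing in for auth.dat), the `server` check, the realm name and the credentials are all constructed assumptions.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;

public class SavedCredentialDemo {
    // Hypothetical stand-in for the persisted password list (auth.dat in the report).
    static final Map<String, String> saved = new HashMap<>();

    // Constructed server check: 200 for the one valid pair, 401 otherwise.
    static int server(String creds) {
        return "alice:correct".equals(creds) ? 200 : 401;
    }

    // Reported behaviour: the entry is persisted as typed and replayed with no re-challenge.
    static int reported(String realm, Iterator<String> prompts) {
        String creds = saved.get(realm);
        if (creds == null) {
            if (!prompts.hasNext()) return 401;     // user cancelled the dialog
            creds = prompts.next();
            saved.put(realm, creds);                // saved before the server has accepted it
        }
        return server(creds);
    }

    // Expected behaviour: persist only after success; on 401 evict and prompt again.
    static int expected(String realm, Iterator<String> prompts) {
        while (true) {
            String creds = saved.get(realm);
            if (creds == null) {
                if (!prompts.hasNext()) return 401; // user cancelled the dialog
                creds = prompts.next();
            }
            int status = server(creds);
            if (status != 401) { saved.put(realm, creds); return status; }
            saved.remove(realm);                    // never keep or replay rejected credentials
        }
    }

    public static void main(String[] args) {
        List<String> typed = Arrays.asList("alice:typo", "alice:correct"); // constructed input
        Iterator<String> p1 = typed.iterator();
        System.out.println("reported, first click:  " + reported("realm", p1));
        System.out.println("reported, second click: " + reported("realm", p1));
        saved.clear();                              // equivalent of deleting auth.dat
        System.out.println("expected, first click:  " + expected("realm", typed.iterator()));
        System.out.println("entry saved on success: " + saved.containsKey("realm"));
    }
}
```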





                herrick Andy Herrick (Inactive)
                tyao Ting-Yun Ingrid Yao (Inactive)