JDK-8144100

Incorrect case-sensitive equality in com.sun.net.httpserver.BasicAuthenticator


    • Type: Bug
    • Resolution: Fixed
    • Priority: P4
    • Fix Version: 23
    • Affects Versions: 8u65, 9
    • Component: core-libs
    • Resolved In Build: b23
    • CPU: x86_64
    • OS: linux
    • Verification: Verified

      FULL PRODUCT VERSION :
      java version "1.8.0_60"
      Java(TM) SE Runtime Environment (build 1.8.0_60-b27)
      Java HotSpot(TM) 64-Bit Server VM (build 25.60-b23, mixed mode)

      A cross-check with the source of the Java 9 repository shows that it is also not fixed there.


      ADDITIONAL OS VERSION INFORMATION :
      Linux mclane 4.2.0-18-generic #22-Ubuntu SMP Fri Nov 6 18:25:50 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
      However, this does not matter.

      A DESCRIPTION OF THE PROBLEM :
      I have discovered a minor protocol violation. The class com.sun.net.httpserver.BasicAuthenticator tests the HTTP field "Authorization" for the token "Basic". This is done in a case-sensitive manner, i.e. it must be exactly an uppercase "B" and lowercase "asic". However, according to RFC 7235, this must be done in a case-insensitive manner:

      > 2.1. Challenge and Response
      >
      > HTTP provides a simple challenge-response authentication framework
      > that can be used by a server to challenge a client request and by a
      > client to provide authentication information. It uses a case-
      > insensitive token as a means to identify the authentication scheme,
      > followed by additional information necessary for achieving
      > authentication via that scheme. [...]

      The erroneous code fragment is the following:

       public Result authenticate (HttpExchange t)
          {
              Headers rmap = t.getRequestHeaders();
              /*
               * look for auth token
               */
              String auth = rmap.getFirst ("Authorization");
              if (auth == null) {
                  Headers map = t.getResponseHeaders();
                  map.set ("WWW-Authenticate", "Basic realm=" + "\""+realm+"\"");
                  return new Authenticator.Retry (401);
              }
              int sp = auth.indexOf (' ');
              if (sp == -1 || !auth.substring(0, sp).equals ("Basic")) {
                                                    ^^^^^^^^^^^^^^^^^
                  return new Authenticator.Failure (401);
              }

      This should be .equalsIgnoreCase ("basic").

      REPRODUCIBILITY :
      This bug can be reproduced always.

      CUSTOMER SUBMITTED WORKAROUND :
      Ensuring that the client sends the "Basic" token exactly as the faulty implementation expects.

      Assignee: Nizar Benalla (nbenalla)
      Reporter: Webbug Group (webbuggrp)
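The following is an added example, not the JDK's own code and not part of the report above. It places the exact-case scheme check from the quoted fragment beside an RFC 7235-compliant one (the case-insensitive comparison the reporter suggests), and goes one step further than the report by parsing the credentials after the scheme token as RFC 7617 describes (base64, then split at the first colon). The class name BasicAuthParser, the helper names, and the sample headers are constructed for this example; decoding the user-pass string as UTF-8 is an assumption made here, since this page does not show how the JDK class handles the charset. The record type needs Java 16 or later.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Optional;

/** Added example: Authorization header handling for the Basic scheme (RFC 7235 / RFC 7617). */
public final class BasicAuthParser {

    /** Userid/password pair recovered from a Basic credentials header. */
    public record Credentials(String username, String password) {}

    /** Mirrors the check quoted in the report: only the exact spelling "Basic" passes. Kept buggy on purpose. */
    static boolean buggySchemeMatches(String auth) {
        int sp = auth.indexOf(' ');
        return sp != -1 && auth.substring(0, sp).equals("Basic");
    }

    /** RFC 7235 section 2.1: the auth-scheme token is case-insensitive, so "basic" and "BASIC" must also pass. */
    static boolean schemeMatches(String auth) {
        int sp = auth.indexOf(' ');
        return sp != -1 && auth.substring(0, sp).equalsIgnoreCase("Basic");
    }

    /**
     * Parses "Basic <base64(userid:password)>". Returns empty for a missing header,
     * a different scheme, undecodable base64, or a user-pass string without ':'.
     * Assumption for this example: the decoded bytes are UTF-8.
     */
    static Optional<Credentials> parse(String auth) {
        if (auth == null) {
            return Optional.empty();
        }
        int sp = auth.indexOf(' ');
        if (sp == -1 || !auth.substring(0, sp).equalsIgnoreCase("Basic")) {
            return Optional.empty();
        }
        byte[] raw;
        try {
            raw = Base64.getDecoder().decode(auth.substring(sp + 1).trim());
        } catch (IllegalArgumentException e) {
            return Optional.empty();   // malformed base64: reject rather than throw
        }
        String userPass = new String(raw, StandardCharsets.UTF_8);
        int colon = userPass.indexOf(':');   // RFC 7617: userid cannot contain ':', password can
        if (colon == -1) {
            return Optional.empty();
        }
        return Optional.of(new Credentials(userPass.substring(0, colon), userPass.substring(colon + 1)));
    }

    public static void main(String[] args) {
        // Constructed sample headers; "dXNlcjpzM2NyZXQ=" is base64 of "user:s3cret".
        String[] headers = {
            "Basic dXNlcjpzM2NyZXQ=",   // accepted by both checks
            "basic dXNlcjpzM2NyZXQ=",   // valid per RFC 7235, rejected by the buggy check
            "BASIC dXNlcjpzM2NyZXQ=",   // same
            "Bearer dXNlcjpzM2NyZXQ=",  // different scheme: rejected by both
            "Basic not-base64!",        // right scheme, undecodable credentials
        };
        for (String h : headers) {
            System.out.printf("%-26s buggy=%-5s fixed=%-5s user=%s%n",
                h, buggySchemeMatches(h), schemeMatches(h),
                parse(h).map(Credentials::username).orElse("-"));
        }
    }
}
```

Running the class shows the two lowercase/uppercase variants accepted only by the fixed check, the Bearer header rejected by both, and the malformed base64 rejected at parse time rather than surfacing as an exception from the authenticator.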