FULL PRODUCT VERSION :
java version "1.8.0_60"
Java(TM) SE Runtime Environment (build 1.8.0_60-b27)
Java HotSpot(TM) 64-Bit Server VM (build 25.60-b23, mixed mode)
A cross-check with the source of the Java 9 repository shows that it is also not fixed there.
ADDITIONAL OS VERSION INFORMATION :
Linux mclane 4.2.0-18-generic #22-Ubuntu SMP Fri Nov 6 18:25:50 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
However, this does not matter.
A DESCRIPTION OF THE PROBLEM :
I have discovered a minor protocol violation. The class com.sun.net.httpserver.BasicAuthenticator tests the HTTP field "Authorization" for the token "Basic". This is done in a case-sensitive manner, i.e. it must be exactly an uppercase "B" and lowercase "asic". However, according to RFC 7235, this must be done in a case-insensitive manner:
> 2.1. Challenge and Response
>
> HTTP provides a simple challenge-response authentication framework
> that can be used by a server to challenge a client request and by a
> client to provide authentication information. It uses a case-insensitive
> token as a means to identify the authentication scheme,
> followed by additional information necessary for achieving
> authentication via that scheme. [...]
The erroneous code fragment is the following:
public Result authenticate (HttpExchange t)
{
    Headers rmap = t.getRequestHeaders();
    /*
     * look for auth token
     */
    String auth = rmap.getFirst ("Authorization");
    if (auth == null) {
        Headers map = t.getResponseHeaders();
        map.set ("WWW-Authenticate", "Basic realm=" + "\""+realm+"\"");
        return new Authenticator.Retry (401);
    }
    int sp = auth.indexOf (' ');
    if (sp == -1 || !auth.substring(0, sp).equals ("Basic")) {
                                          ^^^^^^^^^^^^^^^^^
        return new Authenticator.Failure (401);
    }
should be .equalsIgnoreCase ("basic")
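As an added illustration of the corrected check (this is not the report's code and not the JDK's BasicAuthenticator, and the class and method names are chosen for the example), the following stand-alone Java class parses an Authorization header the way RFC 7235 section 2.1 describes: the auth-scheme token is compared case-insensitively, the "1*SP" separator is tolerated, and only the scheme is normalised while the credentials themselves are decoded exactly as sent. It assumes Java 16 or later (records, String.strip()):

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Optional;

// Added example, not the JDK's BasicAuthenticator: parses an HTTP
// Authorization header and matches the auth-scheme case-insensitively,
// as RFC 7235 section 2.1 requires. All names are chosen for this example.
public final class BasicAuthHeader {

    public record Credentials(String username, String password) {}

    /**
     * Returns the decoded user-id and password if {@code authorization} is a
     * well-formed "Basic" credentials value, or empty if the scheme differs or
     * the value is malformed (a server would then answer 401 with a challenge).
     */
    public static Optional<Credentials> parse(String authorization) {
        if (authorization == null) {
            return Optional.empty();
        }
        // credentials = auth-scheme [ 1*SP ( token68 / ... ) ]   (RFC 7235, 2.1)
        int sp = authorization.indexOf(' ');
        if (sp == -1) {
            return Optional.empty();
        }
        String scheme = authorization.substring(0, sp);
        // The reported defect compared with equals("Basic"); the scheme token
        // is case-insensitive, so "basic" and "BASIC" must be accepted too.
        if (!scheme.equalsIgnoreCase("Basic")) {
            return Optional.empty();
        }
        // 1*SP: tolerate more than one space before the token68 value.
        String token68 = authorization.substring(sp).strip();
        byte[] decoded;
        try {
            decoded = Base64.getDecoder().decode(token68);
        } catch (IllegalArgumentException e) {
            return Optional.empty();   // not valid base64
        }
        // Only the scheme is case-insensitive; the credentials are used as sent.
        String userPass = new String(decoded, StandardCharsets.UTF_8);
        int colon = userPass.indexOf(':');
        if (colon == -1) {
            return Optional.empty();   // RFC 7617 requires user-id ":" password
        }
        return Optional.of(new Credentials(
                userPass.substring(0, colon), userPass.substring(colon + 1)));
    }

    public static void main(String[] args) {
        // Constructed sample credentials for the demonstration only.
        String token68 = Base64.getEncoder()
                .encodeToString("alice:s3cret".getBytes(StandardCharsets.UTF_8));
        String[] headers = {
                "Basic " + token68,      // accepted by both the old and the fixed check
                "basic " + token68,      // rejected by equals("Basic"), accepted here
                "BASIC  " + token68,     // upper case and two spaces, accepted here
                "Bearer " + token68,     // different scheme, rejected
                "Basic"                  // no separator, rejected
        };
        for (String header : headers) {
            System.out.println(header + " -> " + parse(header));
        }
    }
}
```

Running main() shows the three "Basic"/"basic"/"BASIC" variants all yielding the same credentials and the malformed or foreign-scheme values yielding an empty result. Rejecting a lowercase scheme, as the original code did, is not a security control: it only breaks compliant clients, since the credential check itself is unchanged by how the scheme token is spelled.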
REPRODUCIBILITY :
This bug can be reproduced always.
CUSTOMER SUBMITTED WORKAROUND :
ensuring that the client sends the "Basic" token exactly as the faulty implementation expects.
Links to:
- Commit openjdk/jdk/b87a7e99
- Review(master) openjdk/jdk/19133