Type: Bug
Resolution: Incomplete
Priority: P4
Fix Version: None
Affects Version: 8u121
CPU: x86_64
OS: windows_7
FULL PRODUCT VERSION :
java version "1.8.0_121"
Java(TM) SE Runtime Environment (build 1.8.0_121-b13)
Java HotSpot(TM) 64-Bit Server VM (build 25.121-b13, mixed mode)
ADDITIONAL OS VERSION INFORMATION :
Microsoft Windows [Version 6.1.7601]
EXTRA RELEVANT SYSTEM CONFIGURATION :
Internet Explorer version 11.0.9600.18617
A DESCRIPTION OF THE PROBLEM :
The fix for JDK-7077220 allows Java Applets to read and use HttpOnly cookies when using Internet Explorer.
The problem is that it incorrectly forces a case-sensitive match when checking for the "HttpOnly" attribute in the Set-Cookie header. RFC 6265 (section 5.2.6) states that the attribute name is matched case-insensitively.
https://tools.ietf.org/html/rfc6265#section-5.2.6
As such Java Applets can see this cookie:
Set-Cookie: test=test; HttpOnly
But cannot see this cookie:
Set-Cookie: test=test; HTTPOnly
This causes an issue with CA's SiteMinder application, which sends HttpOnly cookies with the spelling "HTTPOnly". This works fine in browsers, but the cookie cannot be read by Java despite RFC 6265 stating that it should work.
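To make the RFC 6265 rule concrete, the following is an added Python example; it is not code from this report, from the Java plugin, or from the JDK. It is a minimal RFC 6265 section 5.2 Set-Cookie attribute parser that can be run in two modes: the case-insensitive matching the RFC requires, and an exact-match mode that reproduces the mis-classification described above. It is run over the report's two Set-Cookie values plus two further spellings (constructed sample input) that the RFC requires a client to treat identically. The function names and the ParsedCookie type are this example's own.

```python
"""Set-Cookie attribute matching per RFC 6265 section 5.2 (case-insensitive)."""
from dataclasses import dataclass, field


@dataclass
class ParsedCookie:
    name: str
    value: str
    httponly: bool = False
    secure: bool = False
    other: dict = field(default_factory=dict)


def parse_set_cookie(header, strict_case=False):
    """Parse one Set-Cookie header value into a ParsedCookie.

    strict_case=False follows RFC 6265 section 5.2: attribute names are matched
    case-insensitively, so "HttpOnly", "HTTPOnly" and "httponly" are equivalent.
    strict_case=True reproduces the exact-match behaviour the report describes,
    where only the spelling "HttpOnly" is recognised.
    Returns None when the header has no name=value pair (RFC 6265 5.2, step 2).
    """
    name_value, _, unparsed = header.partition(";")
    if "=" not in name_value:
        return None
    name, _, value = name_value.partition("=")
    name, value = name.strip(), value.strip()
    if not name:
        return None
    cookie = ParsedCookie(name, value)
    # RFC 6265 5.2: split the remainder on ';', trim whitespace around each
    # attribute-name and attribute-value, then match the name.
    for attr in unparsed.split(";"):
        attr_name, _, attr_value = attr.partition("=")
        attr_name, attr_value = attr_name.strip(), attr_value.strip()
        if not attr_name:
            continue
        key = attr_name if strict_case else attr_name.lower()
        if key == ("HttpOnly" if strict_case else "httponly"):
            cookie.httponly = True
        elif key == ("Secure" if strict_case else "secure"):
            cookie.secure = True
        else:
            cookie.other[attr_name.lower()] = attr_value
    return cookie


def httponly_flags(set_cookie_values, strict_case=False):
    """Map cookie name -> whether the HttpOnly attribute was recognised."""
    flags = {}
    for raw in set_cookie_values:
        cookie = parse_set_cookie(raw, strict_case)
        if cookie is not None:
            flags[cookie.name] = cookie.httponly
    return flags


# Constructed sample headers: the two from the report plus other spellings
# that RFC 6265 requires a client to treat identically.
SAMPLE_SET_COOKIE = [
    "FOO=BAR;HTTPOnly",              # spelling sent by the product named in the report
    "ABC=XYZ",                       # no attributes at all
    "SID=abc123; Path=/; HttpOnly",  # canonical spelling, with whitespace
    "tok=1; secure; httponly",       # all lower-case
]

if __name__ == "__main__":
    for mode, strict in (("RFC 6265", False), ("exact match", True)):
        print(mode, httponly_flags(SAMPLE_SET_COOKIE, strict))
```

Under the RFC mode all three HttpOnly spellings are recognised; under the exact-match mode only "HttpOnly" is, which is the mis-classification the report describes. The comparison is security-relevant in both directions: here the applet loses a cookie it is entitled to, while a browser making the same mistake would treat a HttpOnly cookie as an ordinary one and expose it to script.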
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
1. Run Test Java Applet in IE
2. Click Test button
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Expected output (in the text box next to the "Test" button):
put: {Set-Cookie=[FOO=BAR;HTTPOnly, ABC=XYZ]}
got: {Cookie=[FOO=BAR, ABC=XYZ]}
ACTUAL -
Actual output:
put: {Set-Cookie=[FOO=BAR;HTTPOnly, ABC=XYZ]}
got: {Cookie=[ABC=XYZ]}
REPRODUCIBILITY :
This bug can be reproduced always.
---------- BEGIN SOURCE ----------
This is the same code as from JDK-7077220 with the only change being that the "HttpOnly" text was changed to "HTTPOnly":

import java.awt.BorderLayout;
import java.awt.event.ActionEvent;
import java.awt.event.ActionListener;
import java.net.CookieHandler;
import java.net.URI;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.swing.JApplet;
import javax.swing.JButton;
import javax.swing.JTextArea;
import javax.swing.SwingUtilities;

public class CookieTest extends JApplet {
    private JTextArea textArea;

    @Override
    public void init() {
        try {
            // Build the UI on the event dispatch thread.
            SwingUtilities.invokeAndWait(new Runnable() {
                @Override public void run() {
                    setLayout(new BorderLayout());
                    JButton button = new JButton("Test");
                    button.addActionListener(new ActionListener() {
                        @Override public void actionPerformed(ActionEvent e) {
                            test();
                        }
                    });
                    add(button, BorderLayout.NORTH);
                    textArea = new JTextArea();
                    add(textArea, BorderLayout.CENTER);
                }
            });
        } catch (Exception e) {
            System.err.println("createGUI didn't complete successfully");
        }
    }

    private void test() {
        try {
            // Inside the browser plugin the default CookieHandler is backed by the
            // browser's cookie store, so put/get go through IE's cookie handling.
            CookieHandler handler = CookieHandler.getDefault();
            URI uri = new URI("https://www.google.com/accounts/ServiceLogin");
            Map<String, List<String>> headers = new HashMap<String, List<String>>();
            // One cookie carrying the attribute spelled "HTTPOnly", one plain cookie.
            headers.put("Set-Cookie", Arrays.asList("FOO=BAR;HTTPOnly", "ABC=XYZ"));
            handler.put(uri, headers);
            textArea.append("put: " + headers + "\n");
            // Ask the handler which cookies it would send back for the same URI.
            headers = handler.get(uri, new HashMap<String, List<String>>());
            textArea.append("got: " + headers + "\n");
        } catch (Exception ex) {
            textArea.setText("Error, consult Java console for more info");
            ex.printStackTrace(System.err);
        }
    }
}
---------- END SOURCE ----------