The value of the basic authentication realm is defined by RFC 7617 as a free-form string - which therefore may contain quotes.
The BasicAuthenticator embeds the string directly in the WWW-Authenticate challenge, without escaping any quotes it may contain.
The API documentation of BasicAuthenticator should either be clarified, or its behavior changed to escape quotes before embedding the realm string in the WWW-Authenticate header value.
The BasicAuthenticator embeds the string directly in the WWW-Authenticate challenge, without escaping any quotes it may contain.
The API documentation of BasicAuthenticator should either be clarified, or its behavior changed to escape quotes before embedding the realm string in the WWW-Authenticate header value.
- csr for
-
JDK-8276228 com.sun.net.httpserver.BasicAuthenticator should check whether "realm" is a quoted string
-
- Closed
-
