JDK-8276228

com.sun.net.httpserver.BasicAuthenticator should check whether "realm" is a quoted string


    • Type: CSR
    • Resolution: Approved
    • Priority: P4
    • Fix Version: 18
    • Component: core-libs
    • Compatibility Kind: behavioral
    • Compatibility Risk: minimal
    • Compatibility Risk Description: This change solely prohibits cases that violate the specification, which should be rare. As such no adverse effects are anticipated.
    • Interface Kind: Java API
    • Scope: JDK

      Summary

      The com.sun.net.httpserver.BasicAuthenticator uses the passed realm string without checking that it is valid content for a quoted-string, as defined in RFC 7230 (section 3.2.6). Such a check is added to the implementation, which now throws an (already declared) IllegalArgumentException if it fails. The API doc is updated accordingly.

      Problem

      The value of the basic authentication realm passed to a BasicAuthenticator instance is embedded in a quoted string. The BasicAuthenticator embeds the string directly in the WWW-Authenticate challenge (as realm="..."), without checking that it adheres to the quoted-string format, so a realm containing, for example, an unescaped double quote produces a malformed challenge.

      Solution

      A check is executed at construction to test whether the realm string can be embedded in a quoted string without requiring further quoting, that is, whether it consists only of qdtext characters and complete quoted-pairs. If this is not the case, an IllegalArgumentException is thrown. The API doc of the two constructors is updated to reflect this.
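As an added illustration of the check described above (this is not the JDK's own implementation, which the CSR does not show): a validator that accepts a realm only if it consists of qdtext and complete quoted-pairs per RFC 7230 section 3.2.6, and the WWW-Authenticate challenge built from it. The class name `RealmCheck`, the method names, the treatment of characters above U+00FF as invalid, and the sample realms are all assumptions constructed for this example.

```java
import java.util.List;

/**
 * Added illustration, not JDK code: checks that a realm can be embedded
 * verbatim between double quotes as an RFC 7230 quoted-string, and builds
 * the resulting WWW-Authenticate challenge.
 */
public class RealmCheck {

    /** True if c may appear unescaped inside a quoted-string (qdtext). */
    static boolean isQdtext(char c) {
        return c == '\t' || c == ' ' || c == 0x21
            || (c >= 0x23 && c <= 0x5B)      // everything printable except DQUOTE and backslash
            || (c >= 0x5D && c <= 0x7E)
            || (c >= 0x80 && c <= 0xFF);     // obs-text
    }

    /** True if c may follow a backslash in a quoted-pair (HTAB / SP / VCHAR / obs-text). */
    static boolean isQuotedPairTarget(char c) {
        return c == '\t' || c == ' '
            || (c >= 0x21 && c <= 0x7E)      // VCHAR
            || (c >= 0x80 && c <= 0xFF);     // obs-text
    }

    /**
     * Returns true if realm contains only qdtext and complete quoted-pairs.
     * Assumption of this example: chars above U+00FF are rejected, since the
     * header is emitted as single-byte Latin-1 and obs-text stops at 0xFF.
     */
    static boolean isQuotedStringContent(String realm) {
        for (int i = 0; i < realm.length(); i++) {
            char c = realm.charAt(i);
            if (c == '\\') {
                i++;                          // consume the escaped character
                if (i == realm.length() || !isQuotedPairTarget(realm.charAt(i))) {
                    return false;             // dangling or invalid quoted-pair
                }
            } else if (!isQdtext(c)) {
                return false;                 // bare DQUOTE, a control character, or non-Latin-1
            }
        }
        return true;
    }

    /** Builds the challenge the way the text describes: the realm inside double quotes. */
    static String challenge(String realm) {
        if (realm.isEmpty()) {
            throw new IllegalArgumentException("realm must not be empty");
        }
        if (!isQuotedStringContent(realm)) {
            throw new IllegalArgumentException("realm is not valid quoted-string content: " + realm);
        }
        return "Basic realm=\"" + realm + "\"";
    }

    public static void main(String[] args) {
        // Constructed sample realms, not taken from the CSR.
        List<String> realms = List.of(
            "example",              // plain token: accepted
            "My Realm",             // SP is qdtext: accepted
            "a\\\"b",               // Java literal for a\"b, a quoted-pair escaping DQUOTE: accepted
            "a\"b",                 // bare DQUOTE would end the quoted-string early: rejected
            "bad\\",                // trailing backslash, incomplete quoted-pair: rejected
            "line\r\nInjected: x"   // CR and LF are controls, not qdtext: rejected
        );
        for (String r : realms) {
            try {
                System.out.println("accepted: " + challenge(r));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

The third sample shows the point the new Javadoc makes about backslashes: to pass the quoted-pair \" the Java source literal must escape the backslash as well as the quote, `"a\\\"b"`.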

      Specification

      in jdk.httpserver/com.sun.net.httpserver.BasicAuthenticator:

           /**
            * The Basic authentication credentials (username and password) are decoded
            * using the platform's {@link Charset#defaultCharset() default character set}.
            *
      +     * @apiNote The value of the {@code realm} parameter will be embedded in a
      +     * quoted string.
      +     *
            * @param realm the HTTP Basic authentication realm
            * @throws NullPointerException if realm is {@code null}
      -     * @throws IllegalArgumentException if realm is an empty string
      +     * @throws IllegalArgumentException if realm is an empty string or is not
      +     *         correctly quoted, as specified in <a href="https://tools.ietf.org/html/rfc7230#section-3.2">
      +     *         RFC 7230 section-3.2</a>. Note, any {@code \} character used for
      +     *         quoting must itself be quoted in source code.
      +
            */
      -    public BasicAuthenticator (String realm) {
      +    public BasicAuthenticator(String realm) {
      
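Review bot: the bare `+` line added between `quoting must itself be quoted in source code.` and `*/` carries no leading ` *`, unlike every other line of this Javadoc block and unlike the second constructor's comment in the same change, which ends directly at `*/`; drop it so the two constructors' comments stay in step.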
           /**
            * Creates a {@code BasicAuthenticator} for the given HTTP realm and using the
            * given {@link Charset} to decode the Basic authentication credentials
            * (username and password).
            *
            * @apiNote {@code UTF-8} is the recommended charset because its usage is
            * communicated to the client, and therefore more likely to be used also
            * by the client.
      +     * <p>The value of the {@code realm} parameter will be embedded in a quoted
      +     * string.
            *
            * @param realm the HTTP Basic authentication realm
            * @param charset the {@code Charset} to decode incoming credentials from the client
            * @throws NullPointerException if realm or charset are {@code null}
      -     * @throws IllegalArgumentException if realm is an empty string
      +     * @throws IllegalArgumentException if realm is an empty string or is not
      +     *         correctly quoted, as specified in <a href="https://tools.ietf.org/html/rfc7230#section-3.2">
      +     *         RFC 7230 section-3.2</a>. Note, any {@code \} character used for
      +     *         quoting must itself be quoted in source code.
            */
      -    public BasicAuthenticator (String realm, Charset charset) {
      +    public BasicAuthenticator(String realm, Charset charset) {
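Review bot: the `@throws IllegalArgumentException` text in this hunk (and the identical text in the first constructor) links to RFC 7230 section 3.2, which covers header fields in general; the quoted-string, qdtext and quoted-pair rules it relies on are in section 3.2.6, so point both the href and the link text there. The phrase `is not correctly quoted` also misstates the condition, since callers do not quote the realm at all; the Summary and Solution describe a realm that can be embedded in a quoted string without further quoting, so say that, e.g. `if realm is an empty string or contains characters that are not valid inside a quoted string`.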

             jboes Julia Boes
            dfuchs Daniel Fuchs
            Daniel Fuchs