JDK-8276228

com.sun.net.httpserver.BasicAuthenticator should check whether "realm" is a quoted string


    Details

    • Type: CSR
    • Status: Closed
    • Priority: P4
    • Resolution: Approved
    • Fix Version/s: 18
    • Component/s: core-libs
    • Labels:
      None
    • Subcomponent:
    • Compatibility Kind:
      behavioral
    • Compatibility Risk:
      minimal
    • Compatibility Risk Description:
      This change solely prohibits cases that violate the specification, which should be rare. As such no adverse effects are anticipated.
    • Interface Kind:
      Java API
    • Scope:
      JDK

      Description

      Summary

      The com.sun.net.httpserver.BasicAuthenticator uses the passed realm string without checking that it adheres to the specification of quoted-string, as defined in RFC 7230. Such a check is added to the implementation, which now throws an (already declared) IllegalArgumentException if it fails. The API doc is updated accordingly.

      Problem

      The value of the basic authentication realm passed to a BasicAuthenticator instance is embedded directly into a quoted string in the WWW-Authenticate challenge, without checking that it adheres to the quoted-string format.

      Solution

      A check is executed at construction to test if the realm string can be embedded in a quoted string without requiring further quoting. If this is not the case, an IllegalArgumentException is thrown. The API doc of the two constructors is updated to reflect this.
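As an added illustration (not the JDK's own code and not part of this CSR), the following Java class implements the kind of check the Solution describes, using the qdtext and quoted-pair rules from RFC 7230 section 3.2.6. The class and method names are invented for this example, and treating characters above U+00FF as invalid is an assumption made here, not something the CSR states.

```java
/**
 * Illustrative check that a realm string can be embedded verbatim inside an
 * RFC 7230 quoted-string.  Example code only; the JDK's own implementation
 * may differ in detail.
 */
public final class RealmCheck {

    // qdtext = HTAB / SP / %x21 / %x23-5B / %x5D-7E / obs-text
    // DQUOTE (0x22) and backslash (0x5C) are deliberately excluded.
    private static boolean isQdtext(char c) {
        return c == '\t' || c == ' ' || c == 0x21
                || (c >= 0x23 && c <= 0x5B)
                || (c >= 0x5D && c <= 0x7E)
                || (c >= 0x80 && c <= 0xFF);   // obs-text; assumption: chars > 0xFF rejected
    }

    // quoted-pair = "\" ( HTAB / SP / VCHAR / obs-text )
    private static boolean isEscapable(char c) {
        return c == '\t' || c == ' '
                || (c >= 0x21 && c <= 0x7E)
                || (c >= 0x80 && c <= 0xFF);
    }

    /** True if every character is qdtext or part of a complete quoted-pair. */
    public static boolean isValidRealm(String realm) {
        if (realm.isEmpty()) {
            return false;
        }
        for (int i = 0; i < realm.length(); i++) {
            char c = realm.charAt(i);
            if (c == '\\') {
                // A backslash must be followed by exactly one escapable character.
                if (i + 1 >= realm.length() || !isEscapable(realm.charAt(i + 1))) {
                    return false;
                }
                i++; // skip the escaped character
            } else if (!isQdtext(c)) {
                return false;
            }
        }
        return true;
    }

    /** Builds a challenge value, rejecting realms that would corrupt the header. */
    public static String challenge(String realm) {
        if (!isValidRealm(realm)) {
            throw new IllegalArgumentException("realm cannot be embedded in a quoted-string");
        }
        return "Basic realm=\"" + realm + "\"";
    }

    public static void main(String[] args) {
        // Constructed sample inputs; the comments state the expected outcome.
        String[] samples = {
            "example",          // plain text: accepted
            "my realm",         // SP is qdtext: accepted
            "say \\\"hi\\\"",   // source-level \" yields a quoted-pair: accepted
            "bad\"quote",       // unescaped DQUOTE: rejected
            "dangling\\",       // backslash with nothing to escape: rejected
            "split\r\nX: y",    // CR/LF would terminate the header line: rejected
            ""                  // empty realm: rejected
        };
        for (String s : samples) {
            try {
                System.out.println("OK   -> " + challenge(s));
            } catch (IllegalArgumentException e) {
                System.out.println("FAIL -> " + e.getMessage() + ": " + s.replace("\r\n", "<CRLF>"));
            }
        }
    }
}
```

The third sample shows the point made in the new Javadoc: a backslash used for quoting must itself be escaped in Java source, so the literal `"say \\\"hi\\\""` is the runtime string `say \"hi\"`, which is a valid quoted-pair sequence. The CR/LF sample is the case a defender cares about most, since an unchecked control character in the realm would otherwise end the WWW-Authenticate header line early.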

      Specification

      In jdk.httpserver/com.sun.net.httpserver.BasicAuthenticator:

           /**
            * The Basic authentication credentials (username and password) are decoded
            * using the platform's {@link Charset#defaultCharset() default character set}.
            *
      +     * @apiNote The value of the {@code realm} parameter will be embedded in a
      +     * quoted string.
      +     *
            * @param realm the HTTP Basic authentication realm
            * @throws NullPointerException if realm is {@code null}
      -     * @throws IllegalArgumentException if realm is an empty string
      +     * @throws IllegalArgumentException if realm is an empty string or is not
      +     *         correctly quoted, as specified in <a href="https://tools.ietf.org/html/rfc7230#section-3.2">
      +     *         RFC 7230 section-3.2</a>. Note, any {@code \} character used for
      +     *         quoting must itself be quoted in source code.
      +
            */
      -    public BasicAuthenticator (String realm) {
      +    public BasicAuthenticator(String realm) {
      
           /**
            * Creates a {@code BasicAuthenticator} for the given HTTP realm and using the
            * given {@link Charset} to decode the Basic authentication credentials
            * (username and password).
            *
            * @apiNote {@code UTF-8} is the recommended charset because its usage is
            * communicated to the client, and therefore more likely to be used also
            * by the client.
      +     * <p>The value of the {@code realm} parameter will be embedded in a quoted
      +     * string.
            *
            * @param realm the HTTP Basic authentication realm
            * @param charset the {@code Charset} to decode incoming credentials from the client
            * @throws NullPointerException if realm or charset are {@code null}
      -     * @throws IllegalArgumentException if realm is an empty string
      +     * @throws IllegalArgumentException if realm is an empty string or is not
      +     *         correctly quoted, as specified in <a href="https://tools.ietf.org/html/rfc7230#section-3.2">
      +     *         RFC 7230 section-3.2</a>. Note, any {@code \} character used for
      +     *         quoting must itself be quoted in source code.
            */
      -    public BasicAuthenticator (String realm, Charset charset) {
      +    public BasicAuthenticator(String realm, Charset charset) {
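Review bot: the bare `+` line before the closing `*/` of the first constructor's Javadoc has no leading ` *`, which leaves an unstarred blank line inside the comment block and is absent from the second constructor's otherwise identical block; drop it or change it to ` *`. The new wording "is not correctly quoted" also reads as if the caller is expected to pass a pre-quoted realm, whereas the Problem and Solution text says the check is that the realm can be embedded in a quoted-string, so wording such as "contains characters that cannot appear inside a quoted-string" would state the contract more precisely; and since quoted-string is defined in RFC 7230 section 3.2.6 rather than section 3.2, the link text and anchor could point there.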

              People

              Assignee:
              jboes Julia Boes (Inactive)
              Reporter:
              dfuchs Daniel Fuchs
              Reviewed By:
              Daniel Fuchs
              Votes:
              0
              Watchers:
              1