Code Review 6947917: Error in basic authentication when user name and password are long
Chris Hegarty
chris.hegarty at oracle.com
Thu May 6 09:21:22 PDT 2010
Michael,
A minor change to the encoder used for Basic Authentication.
Webrev:
http://cr.openjdk.java.net/~chegar/6947917/webrev.00/webrev/
The Basic Authentication implementation,
sun.net.www.protocol.http.BasicAuthentication, uses a
sun.misc.BASE64Encoder to encode the Authentication headers field value.
The sun.misc.BASE64Encoder class encodes 57 bytes per line. This results
in a maximum of 57/3 * 4, or 76, characters per output line (not
counting the line termination) before writing a LineSuffix, i.e. a
newline character.
With long usernames and/or passwords it is possible to generate a
header value with more than 76 characters, therefore causing a newline
character to be returned as part of the header value. This violates the
HTTP spec for Message Headers, which states that "Header fields can be
extended over multiple lines by preceding each extra line with at least
one SP or HT."
We should increase the number of bytes per line for the encoder used for
Basic Authentication, similar to what is done in NegotiateAuthentication.
-Chris.
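The following is an added illustration of the problem Chris describes; it is not part of the mail or of the webrev, and it does not port the JDK code. It models a line-wrapping Base64 encoder with the same parameters as sun.misc.BASE64Encoder (57 input bytes, i.e. 76 output characters, per line, lines separated by a newline), builds an Authorization header value from constructed sample credentials, and shows that the wrapped form carries an embedded newline while a single-line encoding does not. The credentials, the helper names and the header check are assumptions made for the example.

```python
import base64

# Line length of the legacy encoder, in input bytes (57 bytes -> 76 chars).
LEGACY_BYTES_PER_LINE = 57

# Constructed sample credentials, chosen long enough (94 bytes as "user:pass")
# to push the Base64 output past one 76-character line.
SAMPLE_USER = "a_very_long_service_account_name_for_testing"
SAMPLE_PASSWORD = "an_equally_long_generated_secret_value_0123456789"


def credentials_bytes(user: str, password: str) -> bytes:
    """Basic Authentication encodes the UTF-8 bytes of "user:password"."""
    return f"{user}:{password}".encode("utf-8")


def encode_with_line_length(data: bytes, bytes_per_line: int) -> str:
    """Model of a line-wrapping Base64 encoder (approximation of
    sun.misc.BASE64Encoder, not a port): each group of bytes_per_line input
    bytes becomes one output line; lines are joined with a newline.
    Because 57 is a multiple of 3, encoding each chunk separately yields the
    same characters as encoding the whole input and inserting the breaks."""
    if bytes_per_line % 3 != 0:
        raise ValueError("bytes_per_line must be a multiple of 3")
    lines = [
        base64.b64encode(data[i:i + bytes_per_line]).decode("ascii")
        for i in range(0, len(data), bytes_per_line)
    ]
    return "\n".join(lines)


def legacy_basic_header(user: str, password: str) -> str:
    """Header value as the 57-bytes-per-line encoder would produce it."""
    encoded = encode_with_line_length(credentials_bytes(user, password),
                                      LEGACY_BYTES_PER_LINE)
    return "Basic " + encoded


def fixed_basic_header(user: str, password: str) -> str:
    """Header value without any line wrapping (what the header needs)."""
    encoded = base64.b64encode(credentials_bytes(user, password)).decode("ascii")
    return "Basic " + encoded


def is_valid_header_value(value: str) -> bool:
    """A header field value must be a single line: reject CR or LF anywhere.
    Folding onto continuation lines is not something an encoder should do
    on the header's behalf, so a bare newline is treated as a defect."""
    return "\r" not in value and "\n" not in value


def decoded_credentials(header_value: str) -> bytes:
    """Strip the scheme and decode, for round-trip checks."""
    scheme, _, payload = header_value.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    return base64.b64decode(payload)


if __name__ == "__main__":
    legacy = legacy_basic_header(SAMPLE_USER, SAMPLE_PASSWORD)
    fixed = fixed_basic_header(SAMPLE_USER, SAMPLE_PASSWORD)
    print("legacy valid:", is_valid_header_value(legacy))  # False: embedded newline
    print("fixed  valid:", is_valid_header_value(fixed))   # True
    print(repr(legacy))
    print(repr(fixed))
```

Short credentials ("user:pass") never trigger the break, which is why the defect surfaces only with long names or passwords; the wrapped and unwrapped encodings differ only by the inserted newline, so the credentials still decode correctly once the break is removed, and a check such as `is_valid_header_value` placed where header values are assembled catches the bad case before it reaches the wire.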