[9] RFR: 8138990: Implementation of HTTP Digest authentication may be more flexible
Artem Smotrakov
artem.smotrakov at oracle.com
Fri Dec 4 11:41:38 UTC 2015
Hello,
Please review this small fix for the DigestAuthentication class.
1. Added a check in DigestAuthentication.setNonce(String) that the nonce is
not null. An NPE may happen if a buggy HTTP server returns a
"WWW-Authenticate" header which doesn't contain a "nonce" field.
According to RFCs 2069 [1] and 2617 [2], this is not expected behaviour,
but it would be better if an HTTP client threw a checked IOException
instead of NPE.
2. Updated the DigestAuthentication.setQop(String) method to accept both
whitespace and a comma as a delimiter. RFC 2617 [2] says that "qop" may
contain more than one token, but it doesn't specify a delimiter for
the "qop" field in the "WWW-Authenticate" header. There is an example of a
"WWW-Authenticate" header in RFC 2617 [2] where a comma is used as a
delimiter of values in the "qop" field.
3. Added a test for Digest authentication.
Bug: https://bugs.openjdk.java.net/browse/JDK-8138990
Webrev: http://cr.openjdk.java.net/~asmotrak/http_auth_digest/webrev.00/
[1] https://tools.ietf.org/html/rfc2069
[2] https://tools.ietf.org/html/rfc2617
Artem