RFR: 8138990: Implementation of HTTP Digest authentication may be more flexible

Michael McMahon michael.x.mcmahon at oracle.com
Tue Dec 22 13:59:05 UTC 2015


Hi Artem,


On 04/12/15 11:41, Artem Smotrakov wrote:
> Hello,
>
> Please review this small fix for DigestAuthentication class.
>
> 1. Added a check in DigestAuthentication.setNonce(String) that nonce 
> is not null. NPE may happen if a buggy HTTP server returns 
> "WWW-Authenticate" header which doesn't contain a "nonce" field. 
> According to RFCs 2069 [1] and 2617 [2], this is not expected 
> behaviour, but it would be better if an HTTP client threw a checked 
> IOException instead of NPE.
>

That's fine.

> 2. Updated DigestAuthentication.setQop(String) method to accept both a 
> whitespace and a comma as a delimiter. RFC 2617 [2] says that "qop" 
> may contain more than one token, but it doesn't specify a delimiter 
> for "qop" field in "WWW-Authenticate" header. There is an example of 
> "WWW-Authenticate" header in RFC 2617 [2] where a comma is used as a 
> delimiter of value in "qop" field.
>

It looks like the BNF specification mandates a comma and optional linear white space. So, the old code was buggy, but we didn't see the problem because there is typically only ever at most one value used for the qop field. But, to be strictly correct, we would have to check for TABs also. So, I think the correct behavior is to delimit using comma and remove any white space.

- Michael.

> 3. Added a test for Digest authentication.
>
> Bug: https://bugs.openjdk.java.net/browse/JDK-8138990
> Webrev: http://cr.openjdk.java.net/~asmotrak/http_auth_digest/webrev.00/
>
> [1] https://tools.ietf.org/html/rfc2069
> [2] https://tools.ietf.org/html/rfc2617
>
> Artem

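The two points discussed in the thread (a challenge with no nonce should produce a checked IOException rather than an NPE, and a multi-valued qop must be split on commas with the surrounding linear white space, spaces and tabs alike, removed) as an added, self-contained Java example. This is not the JDK's DigestAuthentication code; the class and method names (DigestChallenge, parse, splitQop, stripLws) are assumptions made for illustration, and the sample headers are constructed, not captured from a server. It goes a little beyond the thread by also handling the quoted-string form of the qop value from RFC 2617 (qop="auth,auth-int") and backslash escapes inside quoted values, so that a comma inside a quoted realm does not break the field split.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Locale;

// Added example, not JDK code. Parses the fields of a
// "WWW-Authenticate: Digest ..." challenge that matter here.
public class DigestChallenge {

    final String nonce;
    final List<String> qop;

    private DigestChallenge(String nonce, List<String> qop) {
        this.nonce = nonce;
        this.qop = qop;
    }

    // Strips leading and trailing LWS (space and TAB) only; trim() would
    // also eat other control characters, which is not what the BNF says.
    static String stripLws(String s) {
        int i = 0, j = s.length();
        while (i < j && (s.charAt(i) == ' ' || s.charAt(i) == '\t')) i++;
        while (j > i && (s.charAt(j - 1) == ' ' || s.charAt(j - 1) == '\t')) j--;
        return s.substring(i, j);
    }

    // Splits "auth,\tauth-int" or "auth , auth-int" on commas and drops LWS
    // around each token. Whitespace alone is not a delimiter.
    static List<String> splitQop(String value) throws IOException {
        List<String> out = new ArrayList<>();
        for (String tok : value.split(",")) {
            String t = stripLws(tok);
            if (!t.isEmpty()) out.add(t);
        }
        if (out.isEmpty()) throw new IOException("Digest challenge has an empty qop");
        return out;
    }

    // Walks the challenge field by field, honouring quoted-string values,
    // instead of splitting the whole header on commas.
    static DigestChallenge parse(String header) throws IOException {
        if (header == null || !header.regionMatches(true, 0, "Digest ", 0, 7))
            throw new IOException("not a Digest challenge");
        String nonce = null, qopValue = null;
        int i = 7, n = header.length();
        while (i < n) {
            char c = header.charAt(i);
            if (c == ' ' || c == '\t' || c == ',') { i++; continue; }
            int eq = header.indexOf('=', i);
            if (eq < 0) throw new IOException("malformed Digest challenge");
            String name = stripLws(header.substring(i, eq)).toLowerCase(Locale.ROOT);
            i = eq + 1;
            while (i < n && (header.charAt(i) == ' ' || header.charAt(i) == '\t')) i++;
            String value;
            if (i < n && header.charAt(i) == '"') {
                StringBuilder sb = new StringBuilder();
                i++;
                while (i < n && header.charAt(i) != '"') {
                    char ch = header.charAt(i);
                    if (ch == '\\' && i + 1 < n) ch = header.charAt(++i); // quoted-pair
                    sb.append(ch);
                    i++;
                }
                if (i >= n) throw new IOException("unterminated quoted-string");
                i++; // closing quote
                value = sb.toString();
            } else {
                int end = header.indexOf(',', i);
                if (end < 0) end = n;
                value = stripLws(header.substring(i, end));
                i = end;
            }
            if (name.equals("nonce")) nonce = value;
            else if (name.equals("qop")) qopValue = value;
        }
        // The null check the thread asks for: a checked exception, not an NPE.
        if (nonce == null) throw new IOException("Digest challenge has no nonce");
        List<String> qop = qopValue == null ? Collections.<String>emptyList() : splitQop(qopValue);
        return new DigestChallenge(nonce, qop);
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample challenges.
        DigestChallenge c = parse("Digest realm=\"a, b\", nonce=\"abc123\", qop=\"auth,\tauth-int\"");
        System.out.println("nonce=" + c.nonce + " qop=" + c.qop);
        c = parse("Digest realm=\"test\", nonce=\"xyz\", qop=\"auth\"");
        System.out.println("nonce=" + c.nonce + " qop=" + c.qop);
        try {
            parse("Digest realm=\"test\", qop=\"auth\""); // buggy server, no nonce
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Run with `javac DigestChallenge.java && java DigestChallenge`. The first challenge shows that a comma inside the quoted realm is not treated as a field separator and that the TAB after the comma in qop is stripped; the third shows the missing nonce surfacing as an IOException the caller can handle.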