RFR: 8275534: com.sun.net.httpserver.BasicAuthenticator should check whether "realm" is a quoted string

Michael McMahon michaelm at openjdk.java.net
Wed Oct 27 08:23:12 UTC 2021


On Tue, 26 Oct 2021 12:46:31 GMT, Julia Boes <jboes at openjdk.org> wrote:

> This change ensures that the realm string passed to the BasicAuthenticator constructor is a quoted-string, as per RFC7230 [1]. A Utils class is added to jdk.httpserver/sun.net.httpserver that holds the new isQuotedString() method and the pre-existing isValidName() method (previously in ServerImpl.) 
> Two tests are included:
> - BasicAuthenticatorRealm.java to check that Latin-1 chars in the realm string are transported correctly,
> - BasicAuthenticatorExceptionCheck.java to check realm strings with escaped quotes.
> 
> Testing: tier 1-3.
> 
> [1] https://datatracker.ietf.org/doc/html/rfc7230

Changes requested by michaelm (Reviewer).

src/jdk.httpserver/share/classes/com/sun/net/httpserver/BasicAuthenticator.java line 56:

> 54:      * realm string, it must be escaped by two preceding backslashes, for example
> 55:      * {@code "foo\\\"bar\\\""} will be embedded as {@code "foo\"bar\""}.
> 56:      *

I'm not sure the point really warrants an API note like this. I think the specification is clear enough from the @throws clause.

src/jdk.httpserver/share/classes/com/sun/net/httpserver/BasicAuthenticator.java line 77:

> 75:      * <p>Where a backslash ("\") is used as quoting mechanism within the realm
> 76:      * string, it must be escaped by two preceding backslashes, for example
> 77:      * {@code "foo\\\"bar\\\""} will be embedded as {@code "foo\"bar\""}.

Same point as above

-------------

PR: https://git.openjdk.java.net/jdk/pull/6117
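As an added illustration (not code from the PR or the JDK) of the RFC 7230 quoted-string rule the change enforces: the check below validates a realm value as quoted-string *content*, on the assumption, suggested by the "embedded as" wording in the quoted javadoc, that the surrounding DQUOTEs are added when the WWW-Authenticate header is written. The class and method names are hypothetical.

```java
// Added example, not JDK or PR code. Validates that a realm value is legal as the
// content of an RFC 7230 quoted-string (the header writer is assumed to add the
// surrounding DQUOTEs). Grammar:
//   quoted-string = DQUOTE *( qdtext / quoted-pair ) DQUOTE
//   qdtext        = HTAB / SP / %x21 / %x23-5B / %x5D-7E / obs-text
//   quoted-pair   = "\" ( HTAB / SP / VCHAR / obs-text )
// obs-text (%x80-FF) is accepted so Latin-1 realms pass. Names are hypothetical.
public final class RealmCheck {
    private RealmCheck() {}

    private static boolean isObsText(char c) { return c >= 0x80 && c <= 0xFF; }

    private static boolean isQdText(char c) {
        return c == '\t' || c == ' ' || c == 0x21 || (c >= 0x23 && c <= 0x5B)
                || (c >= 0x5D && c <= 0x7E) || isObsText(c);
    }

    /** True if every char is qdtext or part of a complete quoted-pair. */
    public static boolean isQuotedStringContent(String realm) {
        if (realm == null) return false;
        for (int i = 0; i < realm.length(); i++) {
            char c = realm.charAt(i);
            if (c == '\\') {
                // quoted-pair: backslash must be followed by HTAB / SP / VCHAR / obs-text
                if (i + 1 >= realm.length()) return false;   // dangling backslash
                char n = realm.charAt(++i);
                if (!(n == '\t' || n == ' ' || (n >= 0x21 && n <= 0x7E) || isObsText(n))) return false;
            } else if (!isQdText(c)) {
                return false;   // bare DQUOTE, CR, LF or other control char: rejected
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Java literal from the PR's javadoc: runtime value  foo\"bar\"  (inner quotes escaped)
        String escaped = "foo\\\"bar\\\"";
        String bare    = "foo\"bar\"";        // unescaped DQUOTE would end the header value early
        String crlf    = "foo\r\nbar";        // CR/LF would split the WWW-Authenticate header
        String latin1  = "Zone d'acc\u00e8s"; // Latin-1 value, allowed via obs-text
        for (String r : new String[] {escaped, bare, crlf, latin1}) {
            System.out.println(isQuotedStringContent(r) + "  <- " + r.replace("\r\n", "<CRLF>"));
        }
    }
}
```

Of the four constructed samples, only the escaped and Latin-1 values are accepted; the bare inner quote and the CR/LF pair are rejected before they can reach the header.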