RFR: 8144100: Incorrect case-sensitive equality in com.sun.net.httpserver.BasicAuthenticator
Jaikiran Pai
jpai at openjdk.org
Thu May 9 12:01:15 UTC 2024
On Wed, 8 May 2024 04:23:47 GMT, Nizar Benalla <duke at openjdk.org> wrote:
> Passes Tier 1-3
> Please review this change that aims to fix a bug when parsing the client's request.
>
> RFC 9110 states
>
>> 11. HTTP Authentication 11.1. Authentication Scheme
> HTTP provides a general framework for access control and authentication, via an extensible set of challenge-response authentication schemes, which can be used by a server to challenge a client request and by a client to provide authentication information. It uses a **case-insensitive** token to identify the authentication scheme:
> ```auth-scheme = token```
>
> But in `BasicAuthenticator#authenticate` it was done in a case sensitive manner
>
> TIA
test/jdk/com/sun/net/httpserver/BasicAuthToken.java line 28:
> 26: * @bug 8144100
> 27: * @run main/othervm BasicAuthToken
> 28: * @summary checking token sent by client should be done in case-insensitive manner
As a guideline, jtreg recommended order of test definition tags is here https://openjdk.org/jtreg/tag-spec.html#ORDER. As per that the `@summary` should follow the `@bug` before the `@run`.
test/jdk/com/sun/net/httpserver/BasicAuthToken.java line 58:
> 56: String realm = "someRealm";
> 57: ServerAuthenticator authenticator = new ServerAuthenticator(realm);
> 58: HttpServer server = HttpServer.create(new InetSocketAddress(0), 0);
Hello Nizar, we should use loopback address to bind the server to. That's the common practice we follow in our networking tests. So:
new InetSocketAddress(InetAddress.getLoopbackAddress(), 0)) ...
test/jdk/com/sun/net/httpserver/BasicAuthToken.java line 61:
> 59: server.createContext(someContext, exchange -> {
> 60: if (authenticator.authenticate(exchange) instanceof Authenticator.Failure) {
> 61: exchange.sendResponseHeaders(401, 0);
The second parameter here should be `-1` implying no response body. `0` implies chunked response.
test/jdk/com/sun/net/httpserver/BasicAuthToken.java line 65:
> 63: return;
> 64: }
> 65: exchange.sendResponseHeaders(200, 1);
Second parameter here should be `-1`. `1` implies the response will contain a body of 1 byte in length.
test/jdk/com/sun/net/httpserver/BasicAuthToken.java line 73:
> 71:
> 72: static void client(int port) throws Exception {
> 73: try (Socket socket = new Socket("localhost", port)) {
Once you change the server to bind to loopback address, the Socket creation should then use loopback address too: `new Socket(InetAddress.getLoopbackAddress(), port)`
test/jdk/com/sun/net/httpserver/BasicAuthToken.java line 89:
> 87: System.err.println(statusLine);
> 88:
> 89: if (statusLine.startsWith("HTTP/1.1 401")) {
It might be better to check that the status line is `200` and anything other than that should result in an exception from here.
test/jdk/com/sun/net/httpserver/BasicAuthToken.java line 97:
> 95:
> 96: static class ServerAuthenticator extends BasicAuthenticator {
> 97: ServerAuthenticator(String realm) {
Since this test relies on the authenticator being invoked, just as an additional check, you might want to have a boolean field in this class (named something like `invoked`) which will be set to `true` only when the `checkCredentials` gets called. Then after checking the response code in the test, you can additionally assert that this field's value is `true`, just to be certain that this authenticator was indeed invoked.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/19133#discussion_r1593895416
PR Review Comment: https://git.openjdk.org/jdk/pull/19133#discussion_r1593874356
PR Review Comment: https://git.openjdk.org/jdk/pull/19133#discussion_r1593886268
PR Review Comment: https://git.openjdk.org/jdk/pull/19133#discussion_r1593887118
PR Review Comment: https://git.openjdk.org/jdk/pull/19133#discussion_r1593896857
PR Review Comment: https://git.openjdk.org/jdk/pull/19133#discussion_r1593888199
PR Review Comment: https://git.openjdk.org/jdk/pull/19133#discussion_r1593891938
More information about the net-dev
mailing list