Rainer Burgstaller created HTTPCLIENT-1566:
----------------------------------------------

Summary: Obvious bug in HTTP Basic Authentication!
Key: HTTPCLIENT-1566
URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1566
Project: HttpComponents HttpClient
Issue Type: Bug
Components: Android Port
Affects Versions: 4.3.5
Reporter: Rainer Burgstaller
Priority: Blocker

There is an obvious bug in android httpclient 4.3.5 in {{BasicSchemeHC4.authenticate()}}

{code:java}
    /**
     * Produces basic authorization header for the given set of {@link Credentials}.
     *
     * @param credentials The set of credentials to be used for authentication
     * @param request The request being authenticated
     * @throws org.apache.http.auth.InvalidCredentialsException if authentication
     *   credentials are not valid or not applicable for this authentication scheme
     * @throws AuthenticationException if authorization string cannot
     *   be generated due to an authentication failure
     *
     * @return a basic authorization string
     */
    @Override
    public Header authenticate(
            final Credentials credentials,
            final HttpRequest request,
            final HttpContext context) throws AuthenticationException {

        Args.notNull(credentials, "Credentials");
        Args.notNull(request, "HTTP request");

        final StringBuilder tmp = new StringBuilder();
        tmp.append(credentials.getUserPrincipal().getName());
        tmp.append(":");
        tmp.append((credentials.getPassword() == null) ? "null" : credentials.getPassword());

        final byte[] base64password = Base64.decode(
                EncodingUtils.getBytes(tmp.toString(), getCredentialsCharset(request)),
                Base64.NO_WRAP);
{code}

It is quite obvious that decoding a plaintext string "username:password" as Base64 will not work.

The bug was introduced in revision {{1.616.447}}.

Please fix ASAP.
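The encode/decode mix-up reported above, shown as an added example that is not part of the original report or of HttpClient's code. It uses the JDK's `java.util.Base64` as a stand-in for the Base64 class in the quoted snippet (an assumption); the class name, method names and sample credentials are hypothetical. It builds the header by encoding, adds a round-trip check that a regression test could run, and exercises the decode-instead-of-encode path on the same input.

```java
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class BasicAuthHeaderCheck {

    // Build the header value the way Basic auth requires: Base64-ENCODE "user:password".
    static String basicHeader(String user, String password, Charset cs) {
        byte[] raw = (user + ":" + password).getBytes(cs);
        return "Basic " + Base64.getEncoder().encodeToString(raw);
    }

    // Regression check: the header must decode back to exactly "user:password".
    static boolean roundTrips(String header, String user, String password, Charset cs) {
        if (!header.startsWith("Basic ")) {
            return false;
        }
        try {
            byte[] decoded = Base64.getDecoder().decode(header.substring("Basic ".length()));
            return new String(decoded, cs).equals(user + ":" + password);
        } catch (IllegalArgumentException e) {
            return false; // value after "Basic " is not valid Base64
        }
    }

    // The reported mistake: decoding the plaintext credentials instead of encoding them.
    static String decodeInsteadOfEncode(String user, String password, Charset cs) {
        try {
            byte[] out = Base64.getDecoder().decode((user + ":" + password).getBytes(cs));
            return "Basic " + new String(out, StandardCharsets.ISO_8859_1);
        } catch (IllegalArgumentException e) {
            return null; // ':' is outside the Base64 alphabet, so java.util.Base64 rejects it
        }
    }

    public static void main(String[] args) {
        Charset cs = StandardCharsets.US_ASCII;
        String user = "Aladdin", password = "open sesame"; // constructed sample credentials
        String good = basicHeader(user, password, cs);
        System.out.println(good + " -> round trip ok: " + roundTrips(good, user, password, cs));
        String bad = decodeInsteadOfEncode(user, password, cs);
        System.out.println("decode-instead-of-encode result: " + bad
                + " -> round trip ok: " + (bad != null && roundTrips(bad, user, password, cs)));
    }
}
```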