This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 10.1.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/10.1.x by this push:
new e2a0578de1 Update Basic authentication to RFC 7617
e2a0578de1 is described below
commit e2a0578de1b0f15a3de078f14a3004a09e17921a
Author: Mark Thomas <[email protected]>
AuthorDate: Tue Apr 16 11:55:49 2024 +0100
Update Basic authentication to RFC 7617
---
.../catalina/authenticator/BasicAuthenticator.java | 47 +++++-
.../authenticator/TestBasicAuthParser.java | 173 ++++++++++-----------
webapps/docs/changelog.xml | 7 +
webapps/docs/config/valve.xml | 4 +-
4 files changed, 130 insertions(+), 101 deletions(-)
diff --git a/java/org/apache/catalina/authenticator/BasicAuthenticator.java
b/java/org/apache/catalina/authenticator/BasicAuthenticator.java
index dd8e3c751f..7060cca97c 100644
--- a/java/org/apache/catalina/authenticator/BasicAuthenticator.java
+++ b/java/org/apache/catalina/authenticator/BasicAuthenticator.java
@@ -20,6 +20,7 @@ import java.io.IOException;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.security.Principal;
+import java.util.Base64;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
@@ -29,7 +30,6 @@ import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;
import org.apache.tomcat.util.buf.ByteChunk;
import org.apache.tomcat.util.buf.MessageBytes;
-import org.apache.tomcat.util.codec.binary.Base64;
/**
* An <b>Authenticator</b> and <b>Valve</b> implementation of HTTP BASIC
Authentication, as outlined in RFC 7617: "The
@@ -43,7 +43,7 @@ public class BasicAuthenticator extends AuthenticatorBase {
private Charset charset = StandardCharsets.ISO_8859_1;
private String charsetString = null;
- private boolean trimCredentials = true;
+ private boolean trimCredentials = false;
public String getCharset() {
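Review bot: The flipped default `trimCredentials = false` changes which credentials authenticate after an upgrade (a deployment whose clients send padded credentials and relied on trimming will now see 401s), yet the field carries no comment explaining why the value changed. A one-line comment would anchor it to the specification the commit targets: `private boolean trimCredentials = false; // RFC 7617 compliance: credentials are not trimmed by default; the option is deprecated`. The enclosing class continues outside the hunk.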
@@ -64,11 +64,27 @@ public class BasicAuthenticator extends AuthenticatorBase {
}
+ /**
+ * Obtain the current setting for the removal of whitespace around the
decoded user name and password.
+ *
+ * @return {@code true} if white space will be removed around the decoded
user name and password
+ *
+ * @deprecated Will be removed in Tomcat 11 onwards.
+ */
+ @Deprecated
public boolean getTrimCredentials() {
return trimCredentials;
}
+ /**
+ * Configures trimming of whitespace around the decoded user name and
password.
+ *
+ * @param trimCredentials {@code true} to remove white space around the
decoded user name and password
+ *
+ * @deprecated Will be removed in Tomcat 11 onwards.
+ */
+ @Deprecated
public void setTrimCredentials(boolean trimCredentials) {
this.trimCredentials = trimCredentials;
}
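Review bot: Both accessors carry a bare `@Deprecated` while their Javadoc states they will be removed in Tomcat 11; `@Deprecated(forRemoval = true)` makes the compiler emit the stronger removal warning to callers and keeps the annotation consistent with the `@deprecated` tag. The same applies to the three-argument `BasicCredentials` constructor in the next hunk. If the project deliberately uses only the plain form, this is a style point only.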
@@ -155,15 +171,29 @@ public class BasicAuthenticator extends AuthenticatorBase
{
private String password = null;
/**
- * Parse the HTTP Authorization header for BASIC authentication as per
RFC 2617 section 2, and the Base64
- * encoded credentials as per RFC 2045 section 6.8.
+ * Parse the HTTP Authorization header for BASIC authentication as per
RFC 7617.
+ *
+ * @param input The header value to parse in-place
+ * @param charset The character set to use to convert the bytes to a
string
+ *
+ * @throws IllegalArgumentException If the header does not conform to
RFC 7617
+ */
+ public BasicCredentials(ByteChunk input, Charset charset) throws
IllegalArgumentException {
+ this(input, charset, false);
+ }
+
+ /**
+ * Parse the HTTP Authorization header for BASIC authentication as per
RFC 7617.
*
* @param input The header value to parse in-place
* @param charset The character set to use to convert the
bytes to a string
* @param trimCredentials Should leading and trailing whitespace be
removed from the parsed credentials
*
- * @throws IllegalArgumentException If the header does not conform to
RFC 2617
+ * @throws IllegalArgumentException If the header does not conform to
RFC 7617
+ *
+ * @deprecated Will be removed in Tomcat 11 onwards
*/
+ @Deprecated
public BasicCredentials(ByteChunk input, Charset charset, boolean
trimCredentials)
throws IllegalArgumentException {
authorization = input;
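Review bot: The Javadoc of the new two-argument `BasicCredentials` constructor does not say that it never trims whitespace, which is the only behavioural difference from the deprecated overload and exactly what callers migrating from `(input, charset, true)` need to know. Suggest adding after the summary sentence: `* Leading and trailing whitespace in the decoded user name and password is preserved; use the deprecated three-argument constructor only where the legacy trimming behaviour is required.` The `throws IllegalArgumentException` clause on an unchecked exception is redundant, though it matches the existing overload. The constructor body continues outside the hunk.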
@@ -196,7 +226,8 @@ public class BasicAuthenticator extends AuthenticatorBase {
}
/*
- * The authorization method string is case-insensitive and must hae at
least one space character as a delimiter.
+ * The authorization method string is case-insensitive and must have
at exactly one space character as a
+ * delimiter.
*/
private void parseMethod() throws IllegalArgumentException {
if (authorization.startsWithIgnoreCase(METHOD, 0)) {
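Review bot: The rewritten comment reads "must have at exactly one space character as a delimiter"; the stray "at" makes it ungrammatical and should read `* The authorization method string is case-insensitive and must have exactly one space character as a delimiter.` The `parseMethod` body continues outside the hunk, so whether the implementation now enforces a single space cannot be confirmed here; the change to testAuthMethodExtraLeadingSpace in the test file suggests it does.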
@@ -215,7 +246,9 @@ public class BasicAuthenticator extends AuthenticatorBase {
* surrounding white space.
*/
private byte[] parseBase64() throws IllegalArgumentException {
- byte[] decoded = Base64.decodeBase64(authorization.getBuffer(),
base64blobOffset, base64blobLength);
+ byte[] encoded = new byte[base64blobLength];
+ System.arraycopy(authorization.getBuffer(), base64blobOffset,
encoded, 0, base64blobLength);
+ byte[] decoded = Base64.getDecoder().decode(encoded);
// restore original offset
authorization.setOffset(initialOffset);
if (decoded == null) {
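Review bot: `Base64.getDecoder().decode(byte[])` never returns `null`; it throws `IllegalArgumentException` on any byte outside the alphabet, including the line breaks and spaces the old decoder skipped, so the `if (decoded == null)` check following the decode is now dead and can be removed, letting the exception propagate under the constructor's documented contract. The Javadoc fragment ending in "surrounding white space" just above the method may still describe the old tolerant behaviour and is worth re-reading against the strict decoder. Strict decoding is a defensive improvement: each credential now has exactly one accepted encoding, so a front-end proxy or filter parsing the same header cannot reach a different conclusion from Tomcat about its contents. The remainder of `parseBase64` is outside the hunk.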
diff --git a/test/org/apache/catalina/authenticator/TestBasicAuthParser.java
b/test/org/apache/catalina/authenticator/TestBasicAuthParser.java
index d1dfe31f0b..03d91ba250 100644
--- a/test/org/apache/catalina/authenticator/TestBasicAuthParser.java
+++ b/test/org/apache/catalina/authenticator/TestBasicAuthParser.java
@@ -18,12 +18,12 @@ package org.apache.catalina.authenticator;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
+import java.util.Base64;
import org.junit.Assert;
import org.junit.Test;
import org.apache.tomcat.util.buf.ByteChunk;
-import org.apache.tomcat.util.codec.binary.Base64;
/**
* Test the BasicAuthenticator's BasicCredentials inner class and the
@@ -45,7 +45,7 @@ public class TestBasicAuthParser {
new BasicAuthHeader(NICE_METHOD, USER_NAME, PASSWORD);
BasicAuthenticator.BasicCredentials credentials =
new BasicAuthenticator.BasicCredentials(
- AUTH_HEADER.getHeader(), StandardCharsets.UTF_8, true);
+ AUTH_HEADER.getHeader(), StandardCharsets.UTF_8);
Assert.assertEquals(USER_NAME, credentials.getUsername());
Assert.assertEquals(PASSWORD, credentials.getPassword());
}
@@ -56,7 +56,7 @@ public class TestBasicAuthParser {
new BasicAuthHeader(NICE_METHOD, USER_NAME, null);
BasicAuthenticator.BasicCredentials credentials =
new BasicAuthenticator.BasicCredentials(
- AUTH_HEADER.getHeader(), StandardCharsets.UTF_8, true);
+ AUTH_HEADER.getHeader(), StandardCharsets.UTF_8);
Assert.assertEquals(USER_NAME, credentials.getUsername());
Assert.assertNull(credentials.getPassword());
}
@@ -68,7 +68,7 @@ public class TestBasicAuthParser {
new BasicAuthHeader(NICE_METHOD, BASE64_CRIB);
BasicAuthenticator.BasicCredentials credentials =
new BasicAuthenticator.BasicCredentials(
- AUTH_HEADER.getHeader(), StandardCharsets.UTF_8, true);
+ AUTH_HEADER.getHeader(), StandardCharsets.UTF_8);
Assert.assertEquals(USER_NAME, credentials.getUsername());
Assert.assertEquals(PASSWORD, credentials.getPassword());
}
@@ -80,7 +80,7 @@ public class TestBasicAuthParser {
new BasicAuthHeader(NICE_METHOD, BASE64_CRIB);
BasicAuthenticator.BasicCredentials credentials =
new BasicAuthenticator.BasicCredentials(
- AUTH_HEADER.getHeader(), StandardCharsets.UTF_8, true);
+ AUTH_HEADER.getHeader(), StandardCharsets.UTF_8);
Assert.assertEquals(USER_NAME, credentials.getUsername());
Assert.assertNull(credentials.getPassword());
}
@@ -93,34 +93,24 @@ public class TestBasicAuthParser {
new BasicAuthHeader(NICE_METHOD, BASE64_CRIB);
BasicAuthenticator.BasicCredentials credentials =
new BasicAuthenticator.BasicCredentials(
- AUTH_HEADER.getHeader(), StandardCharsets.UTF_8, true);
+ AUTH_HEADER.getHeader(), StandardCharsets.UTF_8);
Assert.assertEquals(USER_NAME, credentials.getUsername());
Assert.assertEquals(PASSWORD1, credentials.getPassword());
}
/*
- * RFC 2045 says the Base64 encoded string should be represented
- * as lines of no more than 76 characters. However, RFC 2617
- * says a base64-user-pass token is not limited to 76 char/line.
- * It also says all line breaks, including mandatory ones,
- * should be ignored during decoding.
- * This test case has a line break in the Base64 string.
- * (See also testGoodCribBase64Big below).
+ * Line breaks are not permitted inside the base64 encoded value.
*/
- @Test
- public void testGoodCribLineWrap() throws Exception {
- final String USER_LONG = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
- + "abcdefghijklmnopqrstuvwxyz0123456789+/AAAABBBBCCCC"
- + "DDDD"; // 80 characters
+ @Test(expected=IllegalArgumentException.class)
+ public void testLineWrap() throws Exception {
final String BASE64_CRIB = "QUJDREVGR0hJSktMTU5PUFFSU1RVVldY"
+ "WVphYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5ejAxMjM0"
+ "\n" + "NTY3ODkrL0FBQUFCQkJCQ0NDQ0REREQ=";
- final BasicAuthHeader AUTH_HEADER =
- new BasicAuthHeader(NICE_METHOD, BASE64_CRIB);
+ final BasicAuthHeader AUTH_HEADER = new BasicAuthHeader(NICE_METHOD,
BASE64_CRIB);
+ @SuppressWarnings("unused")
BasicAuthenticator.BasicCredentials credentials =
new BasicAuthenticator.BasicCredentials(
- AUTH_HEADER.getHeader(), StandardCharsets.UTF_8, true);
- Assert.assertEquals(USER_LONG, credentials.getUsername());
+ AUTH_HEADER.getHeader(), StandardCharsets.UTF_8);
}
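Review bot: `@Test(expected=IllegalArgumentException.class)` accepts the exception from anywhere in the method, so if `BasicAuthHeader`'s constructor or `getHeader()` threw it the test would pass without the parser being exercised. Wrapping only the construction under test, `Assert.assertThrows(IllegalArgumentException.class, () -> new BasicAuthenticator.BasicCredentials(AUTH_HEADER.getHeader(), StandardCharsets.UTF_8));`, pins the failure to the code under test and removes the `@SuppressWarnings("unused")` local (requires JUnit 4.13 or later). The same pattern appears in testAuthMethodExtraLeadingSpace, testAuthMethodExtraTrailingSpace, testBadBase64LastChar and testBadBase64TooManyEquals.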
/*
@@ -141,7 +131,7 @@ public class TestBasicAuthParser {
new BasicAuthHeader(NICE_METHOD, BASE64_CRIB);
BasicAuthenticator.BasicCredentials credentials =
new BasicAuthenticator.BasicCredentials(
- AUTH_HEADER.getHeader(), StandardCharsets.UTF_8, true);
+ AUTH_HEADER.getHeader(), StandardCharsets.UTF_8);
Assert.assertEquals(USER_LONG, credentials.getUsername());
}
@@ -157,7 +147,7 @@ public class TestBasicAuthParser {
new BasicAuthHeader(METHOD, USER_NAME, PASSWORD);
BasicAuthenticator.BasicCredentials credentials =
new BasicAuthenticator.BasicCredentials(
- AUTH_HEADER.getHeader(), StandardCharsets.UTF_8, true);
+ AUTH_HEADER.getHeader(), StandardCharsets.UTF_8);
Assert.assertEquals(USER_NAME, credentials.getUsername());
Assert.assertEquals(PASSWORD, credentials.getPassword());
}
@@ -172,26 +162,19 @@ public class TestBasicAuthParser {
new BasicAuthHeader(METHOD, USER_NAME, PASSWORD);
@SuppressWarnings("unused")
BasicAuthenticator.BasicCredentials credentials =
- new
BasicAuthenticator.BasicCredentials(AUTH_HEADER.getHeader(),
StandardCharsets.UTF_8, true);
+ new
BasicAuthenticator.BasicCredentials(AUTH_HEADER.getHeader(),
StandardCharsets.UTF_8);
}
/*
- * Confirm the Basic parser tolerates excess white space after
- * the authentication method.
- *
- * RFC2617 does not define the separation syntax between the auth-scheme
- * and basic-credentials tokens. Tomcat tolerates any amount of white
- * (within the limits of HTTP header sizes).
+ * Confirm the Basic parser allows exactly one space after the
authentication method.
*/
- @Test
+ @Test(expected=IllegalArgumentException.class)
public void testAuthMethodExtraLeadingSpace() throws Exception {
final BasicAuthHeader AUTH_HEADER =
new BasicAuthHeader(NICE_METHOD + " ", USER_NAME, PASSWORD);
+ @SuppressWarnings("unused")
final BasicAuthenticator.BasicCredentials credentials =
- new BasicAuthenticator.BasicCredentials(
- AUTH_HEADER.getHeader(), StandardCharsets.UTF_8, true);
- Assert.assertEquals(USER_NAME, credentials.getUsername());
- Assert.assertEquals(PASSWORD, credentials.getPassword());
+ new
BasicAuthenticator.BasicCredentials(AUTH_HEADER.getHeader(),
StandardCharsets.UTF_8);
}
@@ -205,7 +188,7 @@ public class TestBasicAuthParser {
new BasicAuthHeader(NICE_METHOD, USER_NAME, PWD_WRONG);
BasicAuthenticator.BasicCredentials credentials =
new BasicAuthenticator.BasicCredentials(
- AUTH_HEADER.getHeader(), StandardCharsets.UTF_8, true);
+ AUTH_HEADER.getHeader(), StandardCharsets.UTF_8);
Assert.assertEquals(USER_NAME, credentials.getUsername());
Assert.assertNotSame(PASSWORD, credentials.getPassword());
}
@@ -217,7 +200,7 @@ public class TestBasicAuthParser {
new BasicAuthHeader(NICE_METHOD, EMPTY_USER_NAME, PASSWORD);
BasicAuthenticator.BasicCredentials credentials =
new BasicAuthenticator.BasicCredentials(
- AUTH_HEADER.getHeader(), StandardCharsets.UTF_8, true);
+ AUTH_HEADER.getHeader(), StandardCharsets.UTF_8);
Assert.assertEquals(EMPTY_USER_NAME, credentials.getUsername());
Assert.assertEquals(PASSWORD, credentials.getPassword());
}
@@ -229,7 +212,7 @@ public class TestBasicAuthParser {
new BasicAuthHeader(NICE_METHOD, SHORT_USER_NAME, PASSWORD);
BasicAuthenticator.BasicCredentials credentials =
new BasicAuthenticator.BasicCredentials(
- AUTH_HEADER.getHeader(), StandardCharsets.UTF_8, true);
+ AUTH_HEADER.getHeader(), StandardCharsets.UTF_8);
Assert.assertEquals(SHORT_USER_NAME, credentials.getUsername());
Assert.assertEquals(PASSWORD, credentials.getPassword());
}
@@ -241,7 +224,7 @@ public class TestBasicAuthParser {
new BasicAuthHeader(NICE_METHOD, USER_NAME, SHORT_PASSWORD);
BasicAuthenticator.BasicCredentials credentials =
new BasicAuthenticator.BasicCredentials(
- AUTH_HEADER.getHeader(), StandardCharsets.UTF_8, true);
+ AUTH_HEADER.getHeader(), StandardCharsets.UTF_8);
Assert.assertEquals(USER_NAME, credentials.getUsername());
Assert.assertEquals(SHORT_PASSWORD, credentials.getPassword());
}
@@ -253,7 +236,7 @@ public class TestBasicAuthParser {
new BasicAuthHeader(NICE_METHOD, USER_NAME, PASSWORD_SPACE);
BasicAuthenticator.BasicCredentials credentials =
new BasicAuthenticator.BasicCredentials(
- AUTH_HEADER.getHeader(), StandardCharsets.UTF_8, true);
+ AUTH_HEADER.getHeader(), StandardCharsets.UTF_8);
Assert.assertEquals(USER_NAME, credentials.getUsername());
Assert.assertEquals(PASSWORD_SPACE, credentials.getPassword());
}
@@ -265,7 +248,7 @@ public class TestBasicAuthParser {
new BasicAuthHeader(NICE_METHOD, USER_NAME, PASSWORD_COLON);
BasicAuthenticator.BasicCredentials credentials =
new BasicAuthenticator.BasicCredentials(
- AUTH_HEADER.getHeader(), StandardCharsets.UTF_8, true);
+ AUTH_HEADER.getHeader(), StandardCharsets.UTF_8);
Assert.assertEquals(USER_NAME, credentials.getUsername());
Assert.assertEquals(PASSWORD_COLON, credentials.getPassword());
}
@@ -277,7 +260,7 @@ public class TestBasicAuthParser {
new BasicAuthHeader(NICE_METHOD, USER_NAME, PASSWORD_COLON);
BasicAuthenticator.BasicCredentials credentials =
new BasicAuthenticator.BasicCredentials(
- AUTH_HEADER.getHeader(), StandardCharsets.UTF_8, true);
+ AUTH_HEADER.getHeader(), StandardCharsets.UTF_8);
Assert.assertEquals(USER_NAME, credentials.getUsername());
Assert.assertEquals(PASSWORD_COLON, credentials.getPassword());
}
@@ -289,41 +272,46 @@ public class TestBasicAuthParser {
new BasicAuthHeader(NICE_METHOD, USER_NAME, PASSWORD_COLON);
BasicAuthenticator.BasicCredentials credentials =
new BasicAuthenticator.BasicCredentials(
- AUTH_HEADER.getHeader(), StandardCharsets.UTF_8, true);
+ AUTH_HEADER.getHeader(), StandardCharsets.UTF_8);
Assert.assertEquals(USER_NAME, credentials.getUsername());
Assert.assertEquals(PASSWORD_COLON, credentials.getPassword());
}
/*
- * Confirm the Basic parser tolerates excess white space after
- * the base64 blob.
- *
- * RFC2617 does not define this case, but asks servers to be
- * tolerant of this kind of client deviation.
+ * Confirm the Basic parser does not tolerate excess white space after the
base64 blob.
*/
- @Test
+ @Test(expected=IllegalArgumentException.class)
public void testAuthMethodExtraTrailingSpace() throws Exception {
+ final BasicAuthHeader AUTH_HEADER = new BasicAuthHeader(NICE_METHOD,
USER_NAME, PASSWORD, " ");
+ @SuppressWarnings("unused")
+ BasicAuthenticator.BasicCredentials credentials =
+ new
BasicAuthenticator.BasicCredentials(AUTH_HEADER.getHeader(),
StandardCharsets.UTF_8);
+ }
+
+ /*
+ * Confirm the Basic parser does not tolerate excess white space around
the username inside the base64 blob.
+ */
+ @Test
+ public void testUserExtraSpace() throws Exception {
final BasicAuthHeader AUTH_HEADER =
- new BasicAuthHeader(NICE_METHOD, USER_NAME, PASSWORD, " ");
+ new BasicAuthHeader(NICE_METHOD, " " + USER_NAME + " ",
PASSWORD);
BasicAuthenticator.BasicCredentials credentials =
new BasicAuthenticator.BasicCredentials(
- AUTH_HEADER.getHeader(), StandardCharsets.UTF_8, true);
- Assert.assertEquals(USER_NAME, credentials.getUsername());
+ AUTH_HEADER.getHeader(), StandardCharsets.UTF_8);
+ Assert.assertNotEquals(USER_NAME, credentials.getUsername());
+ Assert.assertEquals(USER_NAME, credentials.getUsername().trim());
Assert.assertEquals(PASSWORD, credentials.getPassword());
}
/*
- * Confirm the Basic parser tolerates excess white space around
- * the username inside the base64 blob.
- *
- * RFC2617 does not define the separation syntax between the auth-scheme
- * and basic-credentials tokens. Tomcat should tolerate any reasonable
- * amount of white space.
+ * Confirm the Basic parser tolerates excess white space around the user
name inside the base64 blob when
+ * trimCredentials is enabled.
*/
@Test
- public void testUserExtraSpace() throws Exception {
+ public void testUserExtraSpaceWithTrimCredentials() throws Exception {
final BasicAuthHeader AUTH_HEADER =
new BasicAuthHeader(NICE_METHOD, " " + USER_NAME + " ",
PASSWORD);
+ @SuppressWarnings("deprecation")
BasicAuthenticator.BasicCredentials credentials =
new BasicAuthenticator.BasicCredentials(
AUTH_HEADER.getHeader(), StandardCharsets.UTF_8, true);
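Review bot: `testUserExtraSpace` asserts only that the user name differs from USER_NAME and equals it after `trim()`, which any mangling that keeps the core string would satisfy; the exact preserved value is the RFC 7617 behaviour being introduced, so `Assert.assertEquals(" " + USER_NAME + " ", credentials.getUsername());` is both stronger and shorter than the two assertions. `testPasswordExtraSpace` in the following hunk has the same shape and would benefit from `Assert.assertEquals(" " + PASSWORD + " ", credentials.getPassword());`.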
@@ -332,17 +320,29 @@ public class TestBasicAuthParser {
}
/*
- * Confirm the Basic parser tolerates excess white space around
- * the username within the base64 blob.
- *
- * RFC2617 does not define the separation syntax between the auth-scheme
- * and basic-credentials tokens. Tomcat should tolerate any reasonable
- * amount of white space.
+ * Confirm the Basic parser does not tolerate excess white space around
the password within the base64 blob.
*/
@Test
public void testPasswordExtraSpace() throws Exception {
final BasicAuthHeader AUTH_HEADER =
new BasicAuthHeader(NICE_METHOD, USER_NAME, " " + PASSWORD + "
");
+ BasicAuthenticator.BasicCredentials credentials =
+ new BasicAuthenticator.BasicCredentials(
+ AUTH_HEADER.getHeader(), StandardCharsets.UTF_8);
+ Assert.assertEquals(USER_NAME, credentials.getUsername());
+ Assert.assertNotEquals(PASSWORD, credentials.getPassword());
+ Assert.assertEquals(PASSWORD, credentials.getPassword().trim());
+ }
+
+ /*
+ * Confirm the Basic parser tolerates excess white space around the
password inside the base64 blob when
+ * trimCredentials is enabled.
+ */
+ @Test
+ public void testPasswordExtraSpaceWithTrimCredentials() throws Exception {
+ final BasicAuthHeader AUTH_HEADER =
+ new BasicAuthHeader(NICE_METHOD, USER_NAME, " " + PASSWORD + "
");
+ @SuppressWarnings("deprecation")
BasicAuthenticator.BasicCredentials credentials =
new BasicAuthenticator.BasicCredentials(
AUTH_HEADER.getHeader(), StandardCharsets.UTF_8, true);
@@ -370,7 +370,7 @@ public class TestBasicAuthParser {
@SuppressWarnings("unused") // Exception will be thrown.
BasicAuthenticator.BasicCredentials credentials =
new BasicAuthenticator.BasicCredentials(
- AUTH_HEADER.getHeader(), StandardCharsets.UTF_8, true);
+ AUTH_HEADER.getHeader(), StandardCharsets.UTF_8);
}
/*
@@ -386,44 +386,31 @@ public class TestBasicAuthParser {
@SuppressWarnings("unused")
BasicAuthenticator.BasicCredentials credentials =
new BasicAuthenticator.BasicCredentials(
- AUTH_HEADER.getHeader(), StandardCharsets.UTF_8, true);
+ AUTH_HEADER.getHeader(), StandardCharsets.UTF_8);
}
/*
- * "-" is not a legal base64 character. The RFC says it must be
- * ignored by the decoder. This is a very strange case because the
- * next character is a pad, which terminates the string normally.
- * It is likely (but not certain) the decoded password will be
- * damaged and subsequent authentication will fail.
+ * "-" is not a legal base64 character.
*/
- @Test
+ @Test(expected=IllegalArgumentException.class)
public void testBadBase64LastChar() throws Exception {
final String BASE64_CRIB = "dXNlcmlkOnNlY3JldA-=";
- final String POSSIBLY_DAMAGED_PWD = "secret";
- final BasicAuthHeader AUTH_HEADER =
- new BasicAuthHeader(NICE_METHOD, BASE64_CRIB);
+ final BasicAuthHeader AUTH_HEADER = new BasicAuthHeader(NICE_METHOD,
BASE64_CRIB);
+ @SuppressWarnings("unused")
BasicAuthenticator.BasicCredentials credentials =
- new BasicAuthenticator.BasicCredentials(
- AUTH_HEADER.getHeader(), StandardCharsets.UTF_8, true);
- Assert.assertEquals(USER_NAME, credentials.getUsername());
- Assert.assertEquals(POSSIBLY_DAMAGED_PWD, credentials.getPassword());
+ new
BasicAuthenticator.BasicCredentials(AUTH_HEADER.getHeader(),
StandardCharsets.UTF_8);
}
/*
- * The trailing third "=" is illegal. However, the RFC says the decoder
- * must terminate as soon as the first pad is detected, so no error
- * will be detected unless the payload has been damaged in some way.
+ * The trailing third "=" is illegal.
*/
- @Test
+ @Test(expected=IllegalArgumentException.class)
public void testBadBase64TooManyEquals() throws Exception {
final String BASE64_CRIB = "dXNlcmlkOnNlY3JldA===";
- final BasicAuthHeader AUTH_HEADER =
- new BasicAuthHeader(NICE_METHOD, BASE64_CRIB);
+ final BasicAuthHeader AUTH_HEADER = new BasicAuthHeader(NICE_METHOD,
BASE64_CRIB);
+ @SuppressWarnings("unused")
BasicAuthenticator.BasicCredentials credentials =
- new BasicAuthenticator.BasicCredentials(
- AUTH_HEADER.getHeader(), StandardCharsets.UTF_8, true);
- Assert.assertEquals(USER_NAME, credentials.getUsername());
- Assert.assertEquals(PASSWORD, credentials.getPassword());
+ new
BasicAuthenticator.BasicCredentials(AUTH_HEADER.getHeader(),
StandardCharsets.UTF_8);
}
/*
@@ -440,7 +427,7 @@ public class TestBasicAuthParser {
new BasicAuthHeader(NICE_METHOD, BASE64_CRIB);
BasicAuthenticator.BasicCredentials credentials =
new BasicAuthenticator.BasicCredentials(
- AUTH_HEADER.getHeader(), StandardCharsets.UTF_8, true);
+ AUTH_HEADER.getHeader(), StandardCharsets.UTF_8);
Assert.assertEquals(USER_NAME, credentials.getUsername());
Assert.assertEquals(PASSWORD, credentials.getPassword());
}
@@ -479,7 +466,7 @@ public class TestBasicAuthParser {
: username + ":" + password;
byte[] credentialsBytes =
userCredentials.getBytes(StandardCharsets.ISO_8859_1);
- String base64auth = Base64.encodeBase64String(credentialsBytes);
+ String base64auth =
Base64.getEncoder().encodeToString(credentialsBytes);
byte[] base64Bytes =
base64auth.getBytes(StandardCharsets.ISO_8859_1);
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 9b7db56706..89bd49ddc8 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -118,6 +118,13 @@
<bug>68890</bug> Align output encoding of JSPs in the Manager webapp
with the XML declarations in those same files. (schultz)
</fix>
+ <fix>
+ Update Basic authentication to implement the requirements of RFC 7617
+ including the changing of the <code>trimCredentials</code> setting
which
+ is now defaults to <code>false</code>. Note that the
+ <code>trimCredentials</code> setting will be removed in Tomcat 11.
+ (markt)
+ </fix>
</changelog>
</subsection>
<subsection name="Coyote">
diff --git a/webapps/docs/config/valve.xml b/webapps/docs/config/valve.xml
index 7f859cc2cd..ceb4a84218 100644
--- a/webapps/docs/config/valve.xml
+++ b/webapps/docs/config/valve.xml
@@ -1562,7 +1562,9 @@
<attribute name="trimCredentials" required="false">
<p>Controls whether leading and/or trailing whitespace is removed from
the parsed credentials. If not specified, the default value is
- <code>true</code>.</p>
+ <code>false</code>.
+ </p>
+ <p>Note: This attribute will be removed from Tomcat 11 onwards.</p>
</attribute>
</attributes>