https://issues.apache.org/bugzilla/show_bug.cgi?id=54707
Bug ID: 54707 Summary: Buggy Perl http clients cause tomcat digest auth to fail due to quoted nc values (e.g. nc="00000001") Product: Tomcat 7 Version: 7.0.37 Hardware: PC Status: NEW Severity: normal Priority: P2 Component: Catalina Assignee: dev@tomcat.apache.org Reporter: br...@iris.washington.edu Classification: Unclassified This problem was discovered while trying to make the Perl LWP library work with tomcat where a path was being protected with digest authentication. Ultimately, this is a bug with Perl (see https://rt.cpan.org/Public/Bug/Display.html?id=43354), and it has been possibly fixed. HOWEVER, this requires users to update their perl libraries etc (a big pain for our customers and for us). A simple fix to tomcat would solve this problem for us and make life good again. A typical digest response header from perl looks like: Authorization: Digest username="joe", realm="ACME", qop="auth", algorithm="MD5", uri="/my/protected/path", nonce="1363130363664:71e75a43d7fdbfff8c54bece373058b8", nc="00000001", cnonce="513fb7fb", response="baeeff0b6b9b7e74e769630160d3725b", message-digest="d41d8cd98f00b204e9800998ecf8427e", opaque="9C2C62C52D30A7D5707F75F5A813F113" The entry nc="00000001" causes tomcat to reject the request. It should be nc=00000001 (the perl client's mistake) The following perl script demonstrates the problem: #!/usr/bin/perl use strict; use LWP; &doGet("myname", "mypassword", "myrealmname", "myhost", "8080", "/my/protected/path"); sub doGet { my ($username, $password, $realm, $host, $port, $uri) = @_; my $url = "http://".$host.":".$port.$uri; print "GET: $url\n"; my $browser = LWP::UserAgent->new; $browser->agent('Debug Digest Problem'); $browser->credentials($host.":".$port,$realm,$username=>$password); my $response=$browser->get($url); print "HTTP STATUS:".$response->status_line."\n"; print $response->content; } The fix should be in org.apache.tomcat.util.http.parser.HttpParser.java Looking at build 7.0.37 code: Around line 147: case 3: // FIELD_TYPE_LHEX value = readLhex(input); break; This switch is hit when the field is 'nc' (due to line 72 fieldTypes.put("nc", FIELD_TYPE_LHEX); ] The method readLhex() does not tolerant quotes. (see line 434 and below). A similar tomcat issue was fixed a while back for the quoted qop field. (the qop response field should also not be quoted, but tomcat handles this). Also see line 375 * This is not defined in any RFC. It is a special case to handle data from * buggy clients (known buggy clients include Microsoft IE 8 & 9, Apple * Safari for OSX and iOS) that add quotes to values that should be tokens. Server software which tolerates this mistake in the perl client includes Apache and Spring's security filter (org.springframework.security.web.authentication.www.DigestAuthenticationFilter). -- You are receiving this mail because: You are the assignee for the bug. --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org