André,

On 1/21/2010 6:35 PM, André Warnier wrote:
> Basically, I would tend to say that if the server knows who the clients
> are and vice-versa, you should be free to use any encoding you want,
> with the limitation that what is exchanged on the wire conforms to HTTP
> (because there may be proxies on the way which are not so tolerant).

+1

> What the client is sending is already (in a way) conformant to HTTP,
> because it is base64 encoded and so, on the surface, it does not contain
> non-ascii characters.

+1

> But the problem is that the standard Tomcat code which decodes the Basic
> Authorization header does not work in the way you want, for these
> illegal headers.
> And this code should preferably not be changed in a way which breaks the
> conformance with standard HTTP.
> Because if you do that, then your Tomcat becomes useless for anything
> else than your special client.

+1

Another possibility would be to use something like SecurityFilter, which
allows you to (more easily) write your own authenticator and realm
implementations, and you could write a BasicAuthenticator that reads
these specially-formatted credentials.

I checked the sf source, and it looks like we might have a bug:

    private String decodeBasicAuthorizationString(String authorization) {
        if (authorization == null
            || !authorization.toLowerCase().startsWith("basic ")) {
            return null;
        } else {
            authorization = authorization.substring(6).trim();
            // Decode and parse the authorization credentials
            return new String(Base64.decodeBase64(authorization.getBytes()));
        }
    }

That "authorization.getBytes()" is just asking for trouble, because it
uses the platform default encoding to convert characters to bytes. It
should be using US-ASCII, ISO-8859-1, or something like that. It also
calls the String constructor with a byte array without specifying the
encoding, therefore using the platform default. Finally, this method is
private, which means it cannot be overridden by a subclass, which would
be a nice feature.

Maybe I'll fix all that. :)

> Or, you drop the container-managed security, and you use something like
> the SecurityFilter (http://securityfilter.sourceforge.net/), but read
> the homepage carefully first.

Note that the warning about BASIC authentication is waaay outdated: sf
definitely does support BASIC auth.

-chris
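Added example (editor's note, not SecurityFilter's code and not a patch from the thread): a stand-alone Basic credential decoder that makes every charset explicit, as Chris's remarks above suggest. It converts the header to bytes as US-ASCII (Base64 text is ASCII by construction), decodes the credential bytes as strict UTF-8 and falls back to ISO-8859-1 only when the bytes are not valid UTF-8 (every byte sequence is valid Latin-1, so the fallback cannot throw), and splits on the first colon so passwords containing ':' survive. It uses java.util.Base64 (Java 8+) rather than the commons-codec Base64 in the quoted snippet, checks the scheme with regionMatches instead of toLowerCase() so the result does not depend on the default locale, and the decode method is protected so a subclass can override it. The class, method and test-credential names are this example's own assumptions; the sample header in main() is constructed.

```java
import java.nio.ByteBuffer;
import java.nio.charset.CharacterCodingException;
import java.nio.charset.CodingErrorAction;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

/**
 * Added example: charset-explicit HTTP Basic credential parsing.
 * Not SecurityFilter's or Tomcat's code; names are this example's assumptions.
 */
public class BasicCredentialsDecoder {

    /** Decoded "user-id:password" pair. */
    public static final class Credentials {
        public final String username;
        public final String password;
        Credentials(String username, String password) {
            this.username = username;
            this.password = password;
        }
    }

    /**
     * @param authorization raw value of the Authorization request header, or null
     * @return the credentials, or null when the header is absent, not Basic,
     *         not valid Base64, or lacks the mandatory ':' separator
     */
    protected Credentials decode(String authorization) {
        // Scheme token is case-insensitive; regionMatches avoids locale-dependent lowercasing
        if (authorization == null || !authorization.regionMatches(true, 0, "Basic ", 0, 6)) {
            return null;
        }
        String encoded = authorization.substring(6).trim();

        byte[] raw;
        try {
            // Base64 is pure ASCII, so say so instead of relying on the platform default
            raw = Base64.getDecoder().decode(encoded.getBytes(StandardCharsets.US_ASCII));
        } catch (IllegalArgumentException e) {
            return null; // not valid Base64
        }

        // Explicit charset for the decoded bytes: strict UTF-8 first, Latin-1 fallback
        String userPass = decodeStrictUtf8(raw);
        if (userPass == null) {
            userPass = new String(raw, StandardCharsets.ISO_8859_1);
        }

        // user-id may not contain ':' (RFC 2617), so the first colon is the separator;
        // anything after it, colons included, is the password
        int colon = userPass.indexOf(':');
        if (colon < 0) {
            return null;
        }
        return new Credentials(userPass.substring(0, colon), userPass.substring(colon + 1));
    }

    /** Returns the UTF-8 decoding of raw, or null if raw is not well-formed UTF-8. */
    private static String decodeStrictUtf8(byte[] raw) {
        try {
            return StandardCharsets.UTF_8.newDecoder()
                    .onMalformedInput(CodingErrorAction.REPORT)
                    .onUnmappableCharacter(CodingErrorAction.REPORT)
                    .decode(ByteBuffer.wrap(raw))
                    .toString();
        } catch (CharacterCodingException e) {
            return null;
        }
    }

    public static void main(String[] args) {
        // Constructed sample: non-ASCII credentials sent as UTF-8 inside the Base64 payload
        String header = "Basic " + Base64.getEncoder()
                .encodeToString("andré:pässwörd:extra".getBytes(StandardCharsets.UTF_8));
        Credentials c = new BasicCredentialsDecoder().decode(header);
        System.out.println(c.username + " / " + c.password);

        // Constructed sample: the same credentials a legacy client sent as ISO-8859-1
        String latin1 = "Basic " + Base64.getEncoder()
                .encodeToString("andré:pässwörd".getBytes(StandardCharsets.ISO_8859_1));
        Credentials d = new BasicCredentialsDecoder().decode(latin1);
        System.out.println(d.username + " / " + d.password);
    }
}
```

The UTF-8-then-Latin-1 order matters: Latin-1 accepts any byte sequence, so trying it first would never fall through, while well-formed UTF-8 multibyte sequences are rare by accident in Latin-1 text. A client and server that agree on one encoding (the situation André describes) can drop the fallback and pin a single charset; the one thing not to do is leave it to the JVM default, which changes from host to host.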