-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Mark,
On 9/1/17 4:18 PM, Mark Thomas wrote: > On 01/09/17 20:51, ma...@apache.org wrote: >> Author: markt Date: Fri Sep 1 19:51:42 2017 New Revision: >> 1807004 >> >> URL: http://svn.apache.org/viewvc?rev=1807004&view=rev Log: Fix >> https://bz.apache.org/bugzilla/show_bug.cgi?id=61280 Add RFC 7617 >> support to the BasicAuthenticator > > I'd like to back-port this but before I do I wanted to get some > feedback on the default. > > The options are: > > a) UTF-8 (the default for 9.0.x) > > b) "" or null (the current behaviour) > > The advantage of a) is that we'll support i18n user names and > passwords out of the box (assuming the browser does). > > The disadvantage of a) is that we'll break authentication for any > user name or password using ISO-8859-1 characters in the 128-255 > range where the browser uses ISO-8859-1 by default and doesn't > support RFC 7617. > > A quick test suggests that this varies between browsers. > > Chrome appears to use UTF-8 by default. I can't tell if Chrome > supports RFC 7617 since it always uses UTF-8. > > Firefox appears to use ISO-8859-1 by default. It also appears that > Firefox doesn't support RFC 7617. > > IE is the same as Firefox. > > Hmm. This is a lot messier than I thought it would be. Given what I > have observed, there is no combination I can see that will allow > BASIC auth to work with a user name or password that contains non > ASCII characters with both IE, Firefox and Chrome. > > Thoughts? In general, I'd say that UTF-8 should be the default for everything moving forward. So, for back-porting to 8.5, UTF-8 should be the default. But for 8.0, we should probably use ""/null. OTOH, we had conversations about 8.5 being as easy possible as a drop-in replacement for 8.0, and using UTF-8 would therefore hamper that goal. Maybe we should be ""/null for all backports, and let 9.0 only be UTF-8 (by default, of course). - -chris -----BEGIN PGP SIGNATURE----- Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBCAAGBQJZqxKnAAoJEBzwKT+lPKRYru0P/3ZbURp8BNBEkD5VQDU+dm24 +UeXRje0gchqqbSwL1Xaao02hEU/4x8oaV7/PldlcFlYoNFgmwlw0wjcJXq63YO8 9ygg24JMhv88GO5tkp7iiuBoQwVmdMA3mrMPqORIQ4U5CSyFdwtS1gbhXNYHW96X fCCKxvy+abhDMUX+IqteXCuYGdlbTiwoReLVBSUfLGGUBNPHUB3VwCiKi/CC3GE3 dgv9FaSFLR2R/g6jV6JNB5E3xggD+n2UXCyQ3fO6yA3fwJGBNg26xrWxNnaleu+i J16OVUpyb0s/nMztuqmd6O1AoBMGwp9kb16G0G2XH3p950UOi7upcO8Ysdz9SCHi qBuCbj/YK9VzxGk64gxcnCmJgiAkxxktqpa+q31qQy5rfolJs6xz7I6hmE4pOsN2 Ks7Ob0uLs1uN93bzES/vH7VEQ3JJcOYrTGSt97ZnMv0lI4fDoZlZFWoEn0RbsQCl GOIB3yd6xILlNKzjiibz6TIQZepszNBmJUB1T11/zTw6vKoL4CQVcXm5spZXX5SF JkWkoMonbFhSpoi7LzB4/guO10HGXfaemMP6Kg9R7tH+LuXzc4wiOmV2poAGDlqB dnMd4oQJBceYtm2fmbAtHtcaxvYtD+hEeutPm/B5aWEkgmoiKwVM5cbz729j61RN MbNZ4JE6SfbS0e5vDUrb =jG5+ -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
