Author: markt Date: Mon Sep 4 11:28:06 2017 New Revision: 1807211 URL: http://svn.apache.org/viewvc?rev=1807211&view=rev Log: Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=61280 Add RFC 7617 support to the BasicAuthenticator
Modified:
tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/BasicAuthenticator.java
tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/LocalStrings.properties
tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
tomcat/tc7.0.x/trunk/webapps/docs/config/valve.xml

Modified: tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/BasicAuthenticator.java
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/BasicAuthenticator.java?rev=1807211&r1=1807210&r2=1807211&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/BasicAuthenticator.java (original)
+++ tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/BasicAuthenticator.java Mon Sep 4 11:28:06 2017
@@ -5,9 +5,9 @@
 * The ASF licenses this file to You under the Apache License, Version 2.0
 * (the "License"); you may not use this file except in compliance with
 * the License. You may obtain a copy of the License at
- *
+ *
 * http://www.apache.org/licenses/LICENSE-2.0
- *
+ *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -17,6 +17,7 @@
 package org.apache.catalina.authenticator;
 import java.io.IOException;
+import java.nio.charset.Charset;
 import java.security.Principal;
 import javax.servlet.http.HttpServletRequest;
@@ -38,17 +39,14 @@ import org.apache.tomcat.util.codec.bina
 */
 public class BasicAuthenticator extends AuthenticatorBase {
- // ----------------------------------------------------- Instance Variables
-
-
 /**
 * Descriptive information about this implementation.
 */
- protected static final String info =
- "org.apache.catalina.authenticator.BasicAuthenticator/1.0";
+ protected static final String info = "org.apache.catalina.authenticator.BasicAuthenticator/1.0";
- // ------------------------------------------------------------- Properties
+ private Charset charset = B2CConverter.ISO_8859_1;
+ private String charsetString = null;
 /**
@@ -56,28 +54,28 @@ public class BasicAuthenticator extends
 */
 @Override
 public String getInfo() {
+ return info;
+ }
- return (info);
+ public String getCharset() {
+ return charsetString;
 }
- // --------------------------------------------------------- Public Methods
+ public void setCharset(String charsetString) {
+ // Only acceptable options are null, "" or "UTF-8" (case insensitive)
+ if (charsetString == null || charsetString.isEmpty()) {
+ charset = B2CConverter.ISO_8859_1;
+ } else if ("UTF-8".equalsIgnoreCase(charsetString)) {
+ charset = B2CConverter.UTF_8;
+ } else {
+ throw new IllegalArgumentException(sm.getString("basicAuthenticator.invalidCharset"));
+ }
+ this.charsetString = charsetString;
+ }
- /**
- * Authenticate the user making this request, based on the specified
- * login configuration. Return <code>true</code> if any specified
- * constraint has been satisfied, or <code>false</code> if we have
- * created a response challenge already.
- *
- * @param request Request we are processing
- * @param response Response we are creating
- * @param config Login configuration describing how authentication
- * should be performed
- *
- * @exception IOException if an input/output error occurs
- */
 @Override
 public boolean authenticate(Request request, HttpServletResponse response,
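Review bot: The new public `setCharset`/`getCharset` pair in the second hunk is the configuration surface this commit adds, yet neither carries Javadoc and the inline comment is the only statement of the contract. I would document the setter with `@param charsetString null, the empty string or "UTF-8" (matched case-insensitively); anything else is rejected` and `@throws IllegalArgumentException for any other value`, and note on the getter that it returns the value exactly as configured rather than the canonical charset name. The rejection message built from `basicAuthenticator.invalidCharset` does not carry the offending value, so a misconfigured attribute is harder to diagnose from the log; passing `charsetString` as a message argument would need a `{0}` placeholder in the LocalStrings entry added later in this commit. The `authenticate` method begins on the hunk's last line and continues outside it.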
@@ -92,21 +90,21 @@ public class BasicAuthenticator extends
 String username = null;
 String password = null;
- MessageBytes authorization =
+ MessageBytes authorization =
 request.getCoyoteRequest().getMimeHeaders()
 .getValue("authorization");
-
+
 if (authorization != null) {
 authorization.toBytes();
 ByteChunk authorizationBC = authorization.getByteChunk();
 if (authorizationBC.startsWithIgnoreCase("basic ", 0)) {
 authorizationBC.setOffset(authorizationBC.getOffset() + 6);
-
+
 byte[] decoded = Base64.decodeBase64(
 authorizationBC.getBuffer(),
 authorizationBC.getOffset(),
 authorizationBC.getLength());
-
+
 // Get username and password
 int colon = -1;
 for (int i = 0; i < decoded.length; i++) {
@@ -117,15 +115,12 @@ public class BasicAuthenticator extends
 }
 if (colon < 0) {
- username = new String(decoded, B2CConverter.ISO_8859_1);
+ username = new String(decoded, charset);
 } else {
- username = new String(
- decoded, 0, colon, B2CConverter.ISO_8859_1);
- password = new String(
- decoded, colon + 1, decoded.length - colon - 1,
- B2CConverter.ISO_8859_1);
+ username = new String(decoded, 0, colon, charset);
+ password = new String(decoded, colon + 1, decoded.length - colon - 1, charset);
 }
-
+
 authorizationBC.setOffset(authorizationBC.getOffset() - 6);
 }
@@ -136,7 +131,7 @@ public class BasicAuthenticator extends
 return (true);
 }
 }
-
+
 StringBuilder value = new StringBuilder(16);
 value.append("Basic realm=\"");
 if (config.getRealmName() == null) {
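Review bot: In the `@@ -117` hunk, `new String(decoded, …, charset)` decodes with the JDK's default replacement policy, so once `charset` is UTF-8 any malformed byte sequence in the credentials is silently turned into U+FFFD instead of being rejected; the user name handed to the realm is then not what the client sent, and distinct byte strings can collapse onto the same name. I would decode through a `CharsetDecoder` with `CodingErrorAction.REPORT` and treat a `CharacterCodingException` as "no usable credentials", leaving `username`/`password` null so the request falls through to the challenge built later in this method (that code is outside the hunk, so confirm a null user name takes that path in the realm). The byte-level colon search above stays correct for both charsets because 0x3A cannot occur inside a multi-byte UTF-8 sequence; a one-line comment saying so would spare the next reader that check. The helper below is a new class-level method and needs `java.nio.ByteBuffer`, `java.nio.charset.CharacterCodingException` and `java.nio.charset.CodingErrorAction` alongside the `Charset` import added earlier in this commit; the whitespace-only `@@ -92` and `@@ -136` hunks need nothing.
```java
                // ':' is 0x3A, which never occurs inside a multi-byte UTF-8
                // sequence, so splitting on the raw byte is safe for both charsets.
                String user;
                String pass = null;
                if (colon < 0) {
                    user = decodeStrict(decoded, 0, decoded.length);
                } else {
                    user = decodeStrict(decoded, 0, colon);
                    pass = decodeStrict(decoded, colon + 1, decoded.length - colon - 1);
                }
                // Reject the whole credential if either part was malformed
                if (user != null && (colon < 0 || pass != null)) {
                    username = user;
                    password = pass;
                }
                // … unchanged: offset reset, realm lookup, challenge …

    /**
     * Decodes a slice of the credential bytes with the configured charset,
     * reporting malformed or unmappable input instead of substituting U+FFFD.
     *
     * @param bytes  decoded Authorization payload
     * @param offset first byte of the slice
     * @param length number of bytes in the slice
     * @return the decoded text, or null if the slice is not valid in the charset
     */
    private String decodeStrict(byte[] bytes, int offset, int length) {
        try {
            return charset.newDecoder()
                    .onMalformedInput(CodingErrorAction.REPORT)
                    .onUnmappableCharacter(CodingErrorAction.REPORT)
                    .decode(ByteBuffer.wrap(bytes, offset, length))
                    .toString();
        } catch (CharacterCodingException e) {
            return null;
        }
    }
```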
@@ -144,7 +139,11 @@ public class BasicAuthenticator extends
 } else {
 value.append(config.getRealmName());
 }
- value.append('\"');
+ value.append('\"');
+ if (charsetString != null && !charsetString.isEmpty()) {
+ value.append(", charset=");
+ value.append(charsetString);
+ }
 response.setHeader(AUTH_HEADER_NAME, value.toString());
 response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
 return (false);

Modified: tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/LocalStrings.properties
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/LocalStrings.properties?rev=1807211&r1=1807210&r2=1807211&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/LocalStrings.properties (original)
+++ tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/LocalStrings.properties Mon Sep 4 11:28:06 2017
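Review bot: The header branch keys off `charsetString` while the decoding path keys off `charset`, so the two fields are a parallel encoding of one setting and the challenge echoes whatever casing the administrator typed (`charset=utf-8` when the attribute was given as `utf-8`). Deriving both from the `Charset` keeps a single source of truth and emits the canonical token: `if (!B2CConverter.ISO_8859_1.equals(charset)) { value.append(", charset=").append(charset.name()); }`. RFC 7617 matches the value case-insensitively, so this is a consistency point rather than an interoperability defect; `authenticate` starts outside this hunk.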
@@ -33,6 +33,8 @@ authenticator.unauthorized=Cannot authen
 authenticator.userDataConstraint=This request violates a User Data constraint for this application
 authenticator.tomcatPrincipalLogoutFail=Logout with TomcatPrincipal instance has failed
+basicAuthenticator.invalidCharset=The only permitted values are null, the empty string or UTF-8
+
 digestAuthenticator.cacheRemove=A valid entry has been removed from client nonce cache to make room for new entries. A replay attack is now possible. To prevent the possibility of replay attacks, reduce nonceValidity or increase cnonceCacheSize. Further warnings of this type will be suppressed for 5 minutes.
 formAuthenticator.forwardErrorFail=Unexpected error forwarding to error page

Modified: tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml?rev=1807211&r1=1807210&r2=1807211&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml Mon Sep 4 11:28:06 2017
@@ -60,6 +60,11 @@
 <section name="Tomcat 7.0.82 (violetagg)">
 <subsection name="Catalina">
 <changelog>
+ <add>
+ <bug>61280</bug>: Add RFC 7617 support to the
+ <code>BasicAuthenticator</code>. Note that the default configuration
+ does not change the existin behaviour. (markt)
+ </add>
 <fix>
 <bug>61452</bug>: Fix a copy paste error that caused an
 <code>UnsupportedEncodingException</code> when using WebDAV. (markt)

Modified: tomcat/tc7.0.x/trunk/webapps/docs/config/valve.xml
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/config/valve.xml?rev=1807211&r1=1807210&r2=1807211&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/webapps/docs/config/valve.xml (original)
+++ tomcat/tc7.0.x/trunk/webapps/docs/config/valve.xml Mon Sep 4 11:28:06 2017
@@ -1009,6 +1009,19 @@
 used.</p>
 </attribute>
+ <attribute name="charset" required="false">
+ <p>Controls if the <code>WWW-Authenticate</code> HTTP header includes a
+ <code>charset</code> authentication parameter as per RFC 7617. The only
+ permitted options are <code>null</code>, the empty string and
+ <code>UTF-8</code>. If <code>UTF-8</code> is specified then the
+ <code>charset</code> authentication parameter will be sent with that
+ value and the provided user name and optional password will be converted
+ from bytes to characters using UTF-8. Otherwise, no <code>charset</code>
+ authentication parameter will be sent and the provided user name and
+ optional password will be converted from bytes to characters using
+ ISO-8859-1. The default value is <code>null</code></p>
+ </attribute>
+
 <attribute name="className" required="true">
 <p>Java class name of the implementation to use. This MUST be set to
 <strong>org.apache.catalina.authenticator.BasicAuthenticator</strong>.</p>

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org