https://bz.apache.org/bugzilla/show_bug.cgi?id=69972
Bug ID: 69972
Summary: DigestAuthenticator inserts space after "username" which some servers reject
Product: Tomcat 10
Version: 10.1.52
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: WebSocket
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: ------
Found this issue in a Spring project which includes the Tomcat 10.1.52
WebSocket library.
Given a server (some proprietary service on a MS Windows host) that speaks
WebSocket with Digest authentication.
Small example code snippet is attached.
Server presents e.g. the following (partial) response:
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Digest algorithm=MD5, realm="Test Realm", qop=auth, nonce="637f835c6dc11bf36ee009eccd3443cdfcfeba93ee54bbe4dc"
and the DigestAuthenticator creates a follow-up request like this:
GET / HTTP/1.1
Authorization: Digest username ="testuser",realm="Test Realm",nonce="637f835c6dc11bf36ee009eccd3443cdfcfeba93ee54bbe4dc",uri="/",response="e36a6f677d67878644537167664324f4",algorithm=MD5,opaque="null",qop="auth",cnonce="170614260071967",nc=00000001
Apparently the issue is a space between "username" and "=" ('username ="..."').
While this might be okay for some implementations, it is not ABNF by strict
definition and it seems a little odd that "username" is the only parameter with
a space before the equal sign. It's there since the very first commit (BZ 57767,
Commit 240ef91) and I strongly suspect it was not added intentionally.
We should remove the space here.
Very same issue on 10.1.52, 11.0.18 and 12.0-dev
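
Added example, not part of the report and not Tomcat code: a small checker that flags any auth-param in a Digest Authorization header written with whitespace around "=", run against the header quoted above and against the same header with the space removed. The class and method names are hypothetical.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example (hypothetical names), not Tomcat's DigestAuthenticator.
public class DigestHeaderCheck {

    // auth-param: token name, optional whitespace around "=", then quoted-string or token.
    // RFC 7235 has recipients tolerate that whitespace, but senders must not generate it.
    private static final Pattern PARAM = Pattern.compile(
            "([!#$%&'*+.^_`|~0-9A-Za-z-]+)([ \\t]*)=([ \\t]*)"
            + "(\"(?:[^\"\\\\]|\\\\.)*\"|[^\\s,\"]+)");

    /** Returns the names of auth-params written with whitespace around "=". */
    static List<String> paramsWithBadWhitespace(String authorization) {
        if (!authorization.regionMatches(true, 0, "Digest ", 0, 7)) {
            throw new IllegalArgumentException("not a Digest credential");
        }
        List<String> bad = new ArrayList<>();
        Matcher m = PARAM.matcher(authorization.substring(7));
        while (m.find()) {
            // group(2) is whitespace before "=", group(3) whitespace after it
            if (!m.group(2).isEmpty() || !m.group(3).isEmpty()) {
                bad.add(m.group(1));
            }
        }
        return bad;
    }

    public static void main(String[] args) {
        // Header as quoted in the report, then the same header without the space.
        String reported = "Digest username =\"testuser\",realm=\"Test Realm\","
                + "nonce=\"637f835c6dc11bf36ee009eccd3443cdfcfeba93ee54bbe4dc\",uri=\"/\","
                + "response=\"e36a6f677d67878644537167664324f4\",algorithm=MD5,"
                + "opaque=\"null\",qop=\"auth\",cnonce=\"170614260071967\",nc=00000001";
        String fixed = reported.replace("username =", "username=");

        System.out.println("reported: " + paramsWithBadWhitespace(reported));
        System.out.println("fixed:    " + paramsWithBadWhitespace(fixed));
    }
}
```

A check like this can run as a unit-test assertion on the header a client generates, so a stray space in any parameter is caught before a strict server rejects the request.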