https://issues.apache.org/bugzilla/show_bug.cgi?id=54060
--- Comment #10 from Sean Owen <sro...@apache.org> ---

Hello all, first I would like to say that I think this patch is entirely right. I even checked against RFC 2617.

But after this change I'm noticing that DIGEST authentication stops working in Safari, curl, and Java's SDK. Chrome is fine.

The reason, it seems, is that their Digest response includes either algorithm="MD5" when it should be algorithm=MD5, or qop="auth" when it should be qop=auth. For example, from curl:

* Connection #0 to host localhost left intact
* Issue another request to this URL: 'https://localhost:8453/ready'
* Re-using existing connection! (#0) with host localhost
* Connected to localhost (::1) port 8453 (#0)
* Server auth using Digest with user 'foo'
> HEAD /ready HTTP/1.1
> Authorization: Digest username="foo", realm="Myrrix",
> nonce="1355351469307:f5864c38c03153e941d0e0ec6e6b625f", uri="/ready",
> cnonce="MTM1NTM1", nc=00000001, qop="auth",
> response="cccab2adb7a9c59f9eeac8b6981e79c0",
> opaque="B1094CC78FA4B4D9288C50B02C975C0F"
> User-Agent: curl/7.21.4 (universal-apple-darwin11.0) libcurl/7.21.4
> OpenSSL/0.9.8r zlib/1.2.5
> Host: localhost:8453
> Accept: */*

In the new implementation this means the parser rejects it since it is not expecting a quoted field. Going back to the prior version of Tomcat works in the sense that the old parser was (too) lenient on incorrect quoting. Also changing these fields to be treated like type 'FIELD_TYPE_QUOTED_STRING' works.

It's not a bug in Tomcat though AFAICT. But if it really means a lot of popular implementations don't work with it, I dunno, maybe worth revisiting.
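
An added example, not part of the original comment and not Tomcat's code: a small Python parser that applies the RFC 2617 field forms the comment refers to, run against the curl header quoted above. The names parse_digest, DigestParseError and the lenient flag are hypothetical; lenient mode accepts a quoted qop, algorithm or nc but still requires the unquoted value to be a valid token, so quoting cannot be used to carry separators into a token field.

```python
import re

# Field forms in Authorization: Digest credentials (RFC 2617, section 3.2.2).
QUOTED = {"username", "realm", "nonce", "uri", "response", "cnonce", "opaque"}
TOKEN = {"algorithm", "qop", "nc"}
TOKEN_RE = re.compile(r"[!#$%&'*+.^_`|~0-9A-Za-z-]+")
# One name=value pair: value is a quoted-string (with \-escapes) or a bare token.
PAIR = re.compile(
    r'\s*([A-Za-z][\w-]*)\s*=\s*'
    r'(?:"((?:[^"\\]|\\.)*)"|([^\s,"]+))\s*(?:,|$)')

# Header value copied from the curl trace in the comment above.
CURL_HEADER = (
    'Digest username="foo", realm="Myrrix", '
    'nonce="1355351469307:f5864c38c03153e941d0e0ec6e6b625f", uri="/ready", '
    'cnonce="MTM1NTM1", nc=00000001, qop="auth", '
    'response="cccab2adb7a9c59f9eeac8b6981e79c0", '
    'opaque="B1094CC78FA4B4D9288C50B02C975C0F"')

class DigestParseError(ValueError):
    """Raised when the credentials do not match the expected grammar."""

def parse_digest(header, lenient=False):
    """Return (fields, deviations); deviations lists token fields sent quoted."""
    scheme, _, rest = header.strip().partition(" ")
    if scheme.lower() != "digest":
        raise DigestParseError("not a Digest credential")
    fields, deviations, pos = {}, [], 0
    while pos < len(rest):
        m = PAIR.match(rest, pos)
        if not m:
            raise DigestParseError(f"malformed parameter at offset {pos}")
        name = m.group(1).lower()
        was_quoted = m.group(2) is not None
        value = re.sub(r"\\(.)", r"\1", m.group(2)) if was_quoted else m.group(3)
        if name in fields:
            raise DigestParseError(f"duplicate field {name}")
        if name in TOKEN:
            if was_quoted and not lenient:
                raise DigestParseError(f"{name} must be a token, not quoted")
            if not TOKEN_RE.fullmatch(value):
                raise DigestParseError(f"{name} value is not a valid token")
            if was_quoted:
                deviations.append(name)  # accepted, but worth logging
        elif name in QUOTED and not was_quoted:
            raise DigestParseError(f"{name} must be a quoted-string")
        fields[name] = value
        pos = m.end()
    return fields, deviations
```

Returning the deviations list lets a server that chooses the lenient path log which clients send non-conforming headers instead of silently accepting them.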