https://issues.apache.org/bugzilla/show_bug.cgi?id=54372
Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |INVALID

--- Comment #3 from Mark Thomas <ma...@apache.org> ---
IE8 is not compliant with RFC2617 so the authentication request is rejected. The browser is adding quotes to the qop field which is meant to be a token (and hence not quoted). Tomcat is rejecting this malformed request. You need to raise a bug with Microsoft to get that fixed. I suspect IE9 has the same problem.

Safari is also adding quotes to the qop field. You'll need to raise a bug with Apple to get that fixed.

It seems the browser developers were confusing the server qop field (which is a quoted, comma-separated list of tokens) with the browser qop field which is a token (i.e. not quoted).

Web servers are encouraged to be tolerant of misbehaving clients where they can. I'll see if there is a way this invalid header can be safely (since this is security related) parsed.
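The token versus quoted-string distinction described in the comment, as an added Python example (not part of the original message and not Tomcat's code). The header values are constructed samples, and the `tolerant` flag is a hypothetical illustration of one conservative way to accept a quoted client qop: only when it contains exactly one known token.

```python
import re

# RFC 2616 token and quoted-string, as used by the RFC 2617 grammar
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED = r'"(?:[^"\\]|\\.)*"'
PARAM = re.compile(rf"\s*({TOKEN})\s*=\s*({QUOTED}|{TOKEN})\s*(?:,|$)")
KNOWN_QOP = {"auth", "auth-int"}

# Constructed sample headers (not captured traffic); only the qop field differs
_BASE = ('Digest username="user", realm="example", nonce="abc123", uri="/", '
         'qop=%s, nc=00000001, cnonce="xyz", response="0123456789abcdef"')
COMPLIANT = _BASE % 'auth'               # token, as RFC 2617 requires of clients
QUOTED_QOP = _BASE % '"auth"'            # quoted qop, as the comment describes
QUOTED_LIST = _BASE % '"auth,auth-int"'  # server-style list sent by a client


def parse_digest_params(header):
    """Split a Digest Authorization header into {name: (value, was_quoted)}."""
    scheme, _, rest = header.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest header")
    params, pos = {}, 0
    while pos < len(rest):
        m = PARAM.match(rest, pos)
        if not m:
            raise ValueError(f"malformed parameter at offset {pos}")
        name, raw = m.group(1).lower(), m.group(2)
        if name in params:
            raise ValueError(f"duplicate parameter {name}")
        quoted = raw.startswith('"')
        value = re.sub(r"\\(.)", r"\1", raw[1:-1]) if quoted else raw
        params[name] = (value, quoted)
        pos = m.end()
    return params


def client_qop(header, tolerant=False):
    """Return the client's qop token, None if absent, or raise ValueError."""
    params = parse_digest_params(header)
    if "qop" not in params:
        return None
    value, quoted = params["qop"]
    if quoted and not tolerant:
        raise ValueError("qop must be a token, not a quoted-string")
    # A quoted value passes in tolerant mode only if it is one known token,
    # so a quoted list such as "auth,auth-int" is still refused.
    if value not in KNOWN_QOP:
        raise ValueError(f"unsupported qop value {value!r}")
    return value
```

Strict mode rejects the quoted form outright; tolerant mode normalises `"auth"` to `auth` but never interprets a list.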