[JDK-4281222] Authorization string exposed outside of authenticated realm - Java Bug System

XML

Word

Printable

Details

Type: Bug
Status: Resolved
Priority: P2
Resolution: Fixed
Affects Version/s: 1.3.0
Fix Version/s: 1.3.0
Component/s: core-libs
Labels:
- authentication
- authorization

Subcomponent:
java.net
Resolved In Build:
kestrel
CPU:

generic
OS:

solaris_2.6

Description

Following the successful authentication step HttpURLConnection preemptively sends a cached Authorization string. This attempt causes a security vulnerability since HttpURLConnection inserts this string into the HTTP header for all subsequent fetches to the host:port. This exposes the Authorization string to all paths even those that are not under the Realm the client authenticated to.

Attachments

Issue Links

relates to

JDK-4244472 java.net.Authenticator does not supply suffisent authentication information

Resolved

Activity

People

Assignee:: Gary Ellison (Inactive)

Reporter:: Gary Ellison (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 0 Start watching this issue

Dates

Created:: 1999-10-14 10:42

Updated:: 1999-10-19 13:16

Resolved:: 1999-10-19 13:16

Imported:: 16/Sep/12 12:19 AM

Indexed:: 17/Jul/12 8:27 PM