
HTTP DIGEST implementation incorrectly quotes header values, fails auth

    Details

    • Resolved In Build:
      b89

      Description

      FULL PRODUCT VERSION :
      java version "1.7.0_09"
      OpenJDK Runtime Environment (IcedTea7 2.3.4) (7u9-2.3.4-0ubuntu1.12.10.1)
      OpenJDK 64-Bit Server VM (build 23.2-b09, mixed mode)

      ADDITIONAL OS VERSION INFORMATION :
      Linux ygb1 3.5.0-22-generic #34-Ubuntu SMP Tue Jan 8 21:47:00 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux

      A DESCRIPTION OF THE PROBLEM :
      (For background see Tomcat issue #54060: https://issues.apache.org/bugzilla/show_bug.cgi?id=54060)

      When connecting to a server that uses HTTP DIGEST authentication, the JDK implementation class sun.net.www.protocol.http.DigestAuthentication will create an Authorization header like so, and send it:

      Digest username="foo", realm="******", nonce="1359097999996:13ed87b1b78c157232d609a099bcdb6e", nc=00000001, uri="/******", response="b6f80b049b4b39000da79c96442e0740", algorithm="MD5", opaque="3E8794E4CE80B19E5DF888D615FFBBA5", cnonce="DGKKOPAFPJKCKKBDLFECINONACKFJIFNDOGKGLIO", qop="auth"

      The problem is that the values for qop= and algorithm= are quoted, when they should not be. See RFC 2617 (http://www.ietf.org/rfc/rfc2617.txt) section 3.2.2 and follow its references back to section 3.2.1.

      While some servers ignore this, others don't. In particular, the most recent versions of Tomcat have begun rejecting the string. While they are implementing a workaround, it seems worth fixing.

      STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
      Create a connection to a Tomcat 7.0.35 server that has enabled HTTP DIGEST authentication.

      URL url = new URL("http://example.org/");
      HttpURLConnection connection = (HttpURLConnection) url.openConnection();
      // credentials are supplied by the java.net.Authenticator registered via Authenticator.setDefault(...)
      connection.getResponseCode(); // sends the request and answers the server's Digest challenge

      Authorization will fail even when the username and password are correct.


      EXPECTED VERSUS ACTUAL BEHAVIOR :
      EXPECTED -
      Successful authentication; an Authorization header like:

      Digest username="foo", realm="******", nonce="1359097999996:13ed87b1b78c157232d609a099bcdb6e", nc=00000001, uri="/******", response="b6f80b049b4b39000da79c96442e0740", algorithm=MD5, opaque="3E8794E4CE80B19E5DF888D615FFBBA5", cnonce="DGKKOPAFPJKCKKBDLFECINONACKFJIFNDOGKGLIO", qop=auth

      (Note unquoted qop= and algorithm= values)
      ACTUAL -
      Failed authentication; an Authorization header like:

      Digest username="foo", realm="******", nonce="1359097999996:13ed87b1b78c157232d609a099bcdb6e", nc=00000001, uri="/******", response="b6f80b049b4b39000da79c96442e0740", algorithm="MD5", opaque="3E8794E4CE80B19E5DF888D615FFBBA5", cnonce="DGKKOPAFPJKCKKBDLFECINONACKFJIFNDOGKGLIO", qop="auth"

      REPRODUCIBILITY :
      This bug can be reproduced always.

      ---------- BEGIN SOURCE ----------
      URL url = new URL("http://example.org/");
      HttpURLConnection connection = (HttpURLConnection) url.openConnection();
      // credentials are supplied by the java.net.Authenticator registered via Authenticator.setDefault(...)
      connection.getResponseCode(); // sends the request and answers the server's Digest challenge

      (Where http://example.org/ must be replaced with a server running an HTTP implementation that will reject this header, like Tomcat 7.0.35)
      ---------- END SOURCE ----------

      CUSTOMER SUBMITTED WORKAROUND :
      I refer to a slightly outdated copy of the DigestAuthentication class:
      http://grepcode.com/file/repository.grepcode.com/java/root/jdk/openjdk/7-b147/sun/net/www/protocol/http/DigestAuthentication.java?av=f#367

      The fix is simple: do not surround the values of qop= and algorithm= with double quotes.
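      As an added illustration (not part of the bug report and not JDK code), the following Python checker parses a Digest Authorization header and flags parameters whose quoting disagrees with RFC 2617 section 3.2.2, which is the check a server or a test harness would apply to the header above; the two headers from the report are embedded as sample input, and the parameter classification is taken from the RFC's ABNF (with "uri" treated as quoted, as in the RFC's own examples).

```python
import re

# Parameter classes for the Authorization header per RFC 2617 section 3.2.2
# (algorithm and qop-value are bare tokens there, unlike the qop="..." list
# in the server's WWW-Authenticate challenge of section 3.2.1).  "uri" is a
# request-uri; the RFC's examples and common implementations quote it.
QUOTED = {"username", "realm", "nonce", "uri", "response", "cnonce", "opaque"}
TOKEN = {"algorithm", "qop"}
NC_RE = re.compile(r"^[0-9a-fA-F]{8}$")  # nc-value = 8LHEX, unquoted

# One  name=value  pair: value is a quoted-string (with \" escapes) or a token.
PARAM_RE = re.compile(
    r'\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,"]+))\s*(?:,|$)')

def parse_digest(header):
    """Return {name: (value, was_quoted)} for a 'Digest ...' Authorization header."""
    scheme, _, rest = header.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest credentials header")
    params, pos = {}, 0
    while pos < len(rest):
        m = PARAM_RE.match(rest, pos)
        if not m:
            raise ValueError("malformed parameter near offset %d" % pos)
        name, quoted, token = m.group(1).lower(), m.group(2), m.group(3)
        params[name] = (token if quoted is None else quoted, quoted is not None)
        pos = m.end()
    return params

def check_quoting(header):
    """List parameters whose quoting disagrees with RFC 2617; empty means compliant."""
    problems = []
    for name, (value, was_quoted) in parse_digest(header).items():
        if name in QUOTED and not was_quoted:
            problems.append("%s must be a quoted-string" % name)
        elif name in TOKEN and was_quoted:
            problems.append("%s must be an unquoted token" % name)
        elif name == "nc" and (was_quoted or not NC_RE.match(value)):
            problems.append("nc must be 8 unquoted hex digits")
    return problems

# Sample input: the two headers quoted in the bug report (placeholders kept).
ACTUAL_HEADER = ('Digest username="foo", realm="******", nonce="1359097999996:13ed87b1b78c157232d609a099bcdb6e", '
                 'nc=00000001, uri="/******", response="b6f80b049b4b39000da79c96442e0740", algorithm="MD5", '
                 'opaque="3E8794E4CE80B19E5DF888D615FFBBA5", cnonce="DGKKOPAFPJKCKKBDLFECINONACKFJIFNDOGKGLIO", qop="auth"')
EXPECTED_HEADER = ACTUAL_HEADER.replace('algorithm="MD5"', 'algorithm=MD5').replace('qop="auth"', 'qop=auth')

if __name__ == "__main__":
    print("actual  :", check_quoting(ACTUAL_HEADER))   # flags algorithm and qop
    print("expected:", check_quoting(EXPECTED_HEADER))  # []
```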

            People

            Assignee:
            jzavgren John Zavgren (Inactive)
            Reporter:
            webbuggrp Webbug Group