On 9/1/17 4:18 PM, Mark Thomas wrote:
> On 01/09/17 20:51, ma...@apache.org wrote:
>> Author: markt Date: Fri Sep 1 19:51:42 2017 New Revision:
>> URL: http://svn.apache.org/viewvc?rev=1807004&view=rev Log: Fix
>> https://bz.apache.org/bugzilla/show_bug.cgi?id=61280 Add RFC 7617
>> support to the BasicAuthenticator
> I'd like to back-port this but before I do I wanted to get some
> feedback on the default.
> The options are:
> a) UTF-8 (the default for 9.0.x)
> b) "" or null (the current behaviour)
> The advantage of a) is that we'll support i18n user names and
> passwords out of the box (assuming the browser does).
> The disadvantage of a) is that we'll break authentication for any
> user name or password using ISO-8859-1 characters in the 128-255
> range where the browser uses ISO-8859-1 by default and doesn't
> support RFC 7617.
> A quick test suggests that this varies between browsers.
> Chrome appears to use UTF-8 by default. I can't tell if Chrome
> supports RFC 7617 since it always uses UTF-8.
> Firefox appears to use ISO-8859-1 by default. It also appears that
> Firefox doesn't support RFC 7617.
> IE is the same as Firefox.
> Hmm. This is a lot messier than I thought it would be. Given what I
> have observed, there is no combination I can see that will allow
> BASIC auth to work with a user name or password that contains
> non-ASCII characters with both IE, Firefox and Chrome.
In general, I'd say that UTF-8 should be the default for everything
moving forward. So, for back-porting to 8.5, UTF-8 should be the
default. But for 8.0, we should probably use ""/null.
OTOH, we had conversations about 8.5 being as easy as possible as a
drop-in replacement for 8.0, and using UTF-8 would therefore hamper
Maybe we should be ""/null for all backports, and let 9.0 only be
UTF-8 (by default, of course).
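The mismatch discussed in this thread, as an added example that is not part of the original messages and is not Tomcat's BasicAuthenticator code: it encodes one credential pair the way a browser would in ISO-8859-1 or UTF-8 and decodes it on the server side with each candidate default. The class name, the sample credentials and the choice of strict decoding (reject malformed bytes rather than substitute U+FFFD) are assumptions made for illustration.

```java
import java.nio.ByteBuffer;
import java.nio.charset.CharacterCodingException;
import java.nio.charset.Charset;
import java.nio.charset.CodingErrorAction;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class BasicAuthCharsetDemo {

    // What a browser sends: base64(user ":" password) in the encoding it picked.
    static String clientHeader(String user, String pass, Charset browserCharset) {
        byte[] raw = (user + ":" + pass).getBytes(browserCharset);
        return "Basic " + Base64.getEncoder().encodeToString(raw);
    }

    // What the server recovers when it decodes with its configured charset.
    // Strict decoding: malformed input throws instead of becoming U+FFFD.
    static String serverDecode(String header, Charset serverCharset)
            throws CharacterCodingException {
        byte[] raw = Base64.getDecoder().decode(header.substring("Basic ".length()));
        return serverCharset.newDecoder()
                .onMalformedInput(CodingErrorAction.REPORT)
                .onUnmappableCharacter(CodingErrorAction.REPORT)
                .decode(ByteBuffer.wrap(raw))
                .toString();
    }

    public static void main(String[] args) {
        String user = "jos\u00e9";   // constructed sample; 'é' is byte 0xE9 in ISO-8859-1
        String pass = "caf\u00e9";   // constructed sample
        String expected = user + ":" + pass;
        Charset[] charsets = { StandardCharsets.ISO_8859_1, StandardCharsets.UTF_8 };
        for (Charset browser : charsets) {
            for (Charset server : charsets) {
                String result;
                try {
                    String got = serverDecode(clientHeader(user, pass, browser), server);
                    result = got.equals(expected) ? "match" : "mismatch (mojibake)";
                } catch (CharacterCodingException e) {
                    result = "rejected: bytes are not valid " + server;
                }
                System.out.printf("browser=%-10s server=%-10s -> %s%n", browser, server, result);
            }
        }
    }
}
```

Only the two same-charset rows match. ISO-8859-1 bytes decoded as UTF-8 are rejected as malformed, while UTF-8 bytes decoded as ISO-8859-1 decode without error into a different string, so that case surfaces only as a failed login.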