On 04/09/17 06:25, Rémy Maucherat wrote:
> On Fri, Sep 1, 2017 at 10:18 PM, Mark Thomas <ma...@apache.org> wrote:
>> On 01/09/17 20:51, ma...@apache.org wrote:
>>> Author: markt
>>> Date: Fri Sep  1 19:51:42 2017
>>> New Revision: 1807004
>>> URL: http://svn.apache.org/viewvc?rev=1807004&view=rev
>>> Log:
>>> Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=61280
>>> Add RFC 7617 support to the BasicAuthenticator
>> I'd like to back-port this but before I do I wanted to get some feedback
>> on the default.
>> The options are:
>> a) UTF-8 (the default for 9.0.x)
>> b) "" or null (the current behaviour)
>> The advantage of a) is that we'll support i18n user names and passwords
>> out of the box (assuming the browser does).
>> The disadvantage of a) is that we'll break authentication for any user
>> name or password using ISO-8859-1 characters in the 128-255 range where
>> the browser uses ISO-8859-1 by default and doesn't support RFC 7617.
>> A quick test suggests that this varies between browsers.
>> Chrome appears to use UTF-8 by default. I can't tell if Chrome supports
>> RFC 7617 since it always uses UTF-8.
>> Firefox appears to use ISO-8859-1 by default. It also appears that
>> Firefox doesn't support RFC 7617.
>> IE is the same as Firefox.
>> Hmm. This is a lot messier than I thought it would be. Given what I have
>> observed, there is no combination I can see that will allow BASIC auth
>> to work with a user name or password that contains non ASCII characters
>> with both IE, Firefox and Chrome.
>> Thoughts?
> Huuum, since this doesn't work properly yet, I think the default should
> remain ISO-8859-1 in all cases for now.

Fair enough. I'll change the default for 9.0.x and then back-port.

We can revisit the default once (if?) the browsers implement RFC 7617.


To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

Reply via email to