On Mon, Sep 4, 2017 at 11:07 AM, Mark Thomas <ma...@apache.org> wrote:

> On 04/09/17 06:25, Rémy Maucherat wrote:
> > On Fri, Sep 1, 2017 at 10:18 PM, Mark Thomas <ma...@apache.org> wrote:
> >
> >> On 01/09/17 20:51, ma...@apache.org wrote:
> >>> Author: markt
> >>> Date: Fri Sep  1 19:51:42 2017
> >>> New Revision: 1807004
> >>>
> >>> URL: http://svn.apache.org/viewvc?rev=1807004&view=rev
> >>> Log:
> >>> Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=61280
> >>> Add RFC 7617 support to the BasicAuthenticator
> >>
> >> I'd like to back-port this but before I do I wanted to get some feedback
> >> on the default.
> >>
> >> The options are:
> >>
> >> a) UTF-8 (the default for 9.0.x)
> >>
> >> b) "" or null (the current behaviour)
> >>
> >> The advantage of a) is that we'll support i18n user names and passwords
> >> out of the box (assuming the browser does).
> >>
> >> The disadvantage of a) is that we'll break authentication for any user
> >> name or password using ISO-8859-1 characters in the 128-255 range where
> >> the browser uses ISO-8859-1 by default and doesn't support RFC 7617.
> >>
> >> A quick test suggests that this varies between browsers.
> >>
> >> Chrome appears to use UTF-8 by default. I can't tell if Chrome supports
> >> RFC 7617 since it always uses UTF-8.
> >>
> >> Firefox appears to use ISO-8859-1 by default. It also appears that
> >> Firefox doesn't support RFC 7617.
> >>
> >> IE is the same as Firefox.
> >>
> >> Hmm. This is a lot messier than I thought it would be. Given what I have
> >> observed, there is no combination I can see that will allow BASIC auth
> >> to work with a user name or password that contains non-ASCII characters
> >> with both IE, Firefox and Chrome.
> >>
> >> Thoughts?
> >>
> >
> > Huuum, since this doesn't work properly yet, I think the default should
> > remain ISO-8859-1 in all cases for now.
>
> Fair enough. I'll change the default for 9.0.x and then back-port.
>
> We can revisit the default once (if?) the browsers implement RFC 7617.
>

+1 I think it's the most reasonable option.

Rémy


>
> Mark
>

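The charset mismatch discussed in this thread, as an added example (not code from Tomcat or from the participants): a client encodes `user:pass` in one charset, the server decodes the BASIC credentials in another, and all four combinations are compared. The class name, helper names and the sample credentials are constructed for illustration; the server side decodes strictly so that malformed bytes are rejected rather than replaced.

```java
import java.nio.ByteBuffer;
import java.nio.charset.CharacterCodingException;
import java.nio.charset.Charset;
import java.nio.charset.CodingErrorAction;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class BasicAuthCharsetDemo {

    // Client side: the Authorization header value a browser would send.
    static String header(String user, String pass, Charset clientCharset) {
        byte[] raw = (user + ":" + pass).getBytes(clientCharset);
        return "Basic " + Base64.getEncoder().encodeToString(raw);
    }

    // Server side: strict decode. Malformed input returns null instead of
    // being silently turned into U+FFFD replacement characters.
    static String[] credentials(String header, Charset serverCharset) {
        byte[] raw = Base64.getDecoder().decode(header.substring("Basic ".length()));
        try {
            String s = serverCharset.newDecoder()
                    .onMalformedInput(CodingErrorAction.REPORT)
                    .onUnmappableCharacter(CodingErrorAction.REPORT)
                    .decode(ByteBuffer.wrap(raw)).toString();
            int colon = s.indexOf(':');
            return colon < 0 ? null
                    : new String[] { s.substring(0, colon), s.substring(colon + 1) };
        } catch (CharacterCodingException e) {
            return null;
        }
    }

    public static void main(String[] args) {
        String user = "andr\u00e9";   // constructed sample; U+00E9 is byte 0xE9 in ISO-8859-1
        String pass = "s3cret";       // constructed sample
        Charset[] charsets = { StandardCharsets.ISO_8859_1, StandardCharsets.UTF_8 };
        for (Charset client : charsets) {
            for (Charset server : charsets) {
                String[] c = credentials(header(user, pass, client), server);
                boolean ok = c != null && c[0].equals(user) && c[1].equals(pass);
                System.out.printf("client=%-10s server=%-10s -> %s%n", client, server,
                        ok ? "match" : c == null ? "rejected (malformed)" : "mismatch: " + c[0]);
            }
        }
    }
}
```

Only the two same-charset pairs match: ISO-8859-1 bytes fail strict UTF-8 decoding, and UTF-8 bytes decoded as ISO-8859-1 yield a different user name, so a single server-side default cannot serve clients that disagree on the encoding.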