Hello!

I found a bug in that the REST HTTP client fails with HTTP basic authentication if the username/password is too long.

The fault occurs because the base64 encoding inserts linebreaks, although this is not what the servers (including Jetty) expect. This means that even a Restlet client talking to a Restlet server fails.

Attached is a JUnit 4 testcase (where are the other unit tests located..? Is it modules/org.restlet.test in SVN?) HTTPBasicTest.java and a patch to SecurityUtils.java in restlet-1.0.0-httpauth.patch

The test is a simple application with a guard and two possible username/passwords, one short combination and one long combination. The guard system.out-s the combinations. When running with Restlet 1.0.0, the output is:

(From the direct tests against the Guard)

Checking user13 pw15
Checking aVeryLongUsernameIsIndeedRequiredForThisTest thisLongPasswordIsExtremelySecure
(..)

(From the tests through HTTP Basic auth)

INFO: Basic HTTP authentication succeeded: identifier=user13.
Checking user13 pw15
(..)
Checking aVeryLongUsernameIsIndeedRequiredForThisTest thisLongPass
(..)


Notice how the password has been chopped off. This is due to the base64 encoding inserting \n linebreaks, although RFC 2617 says:

    base64-user-pass  = <base64 [4] encoding of user-pass,
                       except not limited to 76 char/line>

A debug and tracing of the actual headers reveals that the header is sent with a \n, and that the Jetty server interprets this as one header containing the beginning of the WWW-Authenticate header and the next as a header named "aksdjaksdj".


Note that the patch also changes the base64 encoding for SMTP and AWS, although I haven't made test cases or tested these variants.


Attached:

HTTPBasicTest.java              JUnit 4 test case
restlet-1.0.0-httpauth.patch    patch of SecurityUtils.java from Restlet 1.0.0
SecurityUtils.java              from Restlet 1.0.0 with the patch applied


--
Stian Soiland, myGrid team
School of Computer Science
The University of Manchester
http://www.cs.man.ac.uk/~ssoiland/
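
The truncation described above, as an added example that is not the attached test case or Restlet's own code (Restlet 1.0.0 predates java.util.Base64): the MIME encoder wraps its output at 76 characters just like the encoder the report describes, while the plain encoder does not, and the helper names here are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class BasicAuthHeaderCheck {

    /** Builds Basic credentials as RFC 2617 requires: a single line, no wrapping. */
    static String basicCredentials(String user, String password) {
        byte[] userPass = (user + ":" + password).getBytes(StandardCharsets.ISO_8859_1);
        return "Basic " + Base64.getEncoder().encodeToString(userPass);
    }

    /** Reproduces the bug: a MIME-style encoder wraps every 76 chars, inserting CRLF. */
    static String wrappedCredentials(String user, String password) {
        byte[] userPass = (user + ":" + password).getBytes(StandardCharsets.ISO_8859_1);
        return "Basic " + Base64.getMimeEncoder().encodeToString(userPass);
    }

    /** A header value is safe to send only if it contains neither CR nor LF. */
    static boolean isSingleLine(String headerValue) {
        return headerValue.indexOf('\r') < 0 && headerValue.indexOf('\n') < 0;
    }

    /**
     * Simulates a server that reads the header value up to the first line break:
     * the remainder becomes a separate (bogus) header, and the decoded
     * credentials are cut short, as seen in the report's output.
     */
    static String passwordSeenByServer(String headerValue) {
        String firstLine = headerValue.split("\r?\n", 2)[0];
        String b64 = firstLine.substring("Basic ".length());
        String userPass = new String(Base64.getDecoder().decode(b64), StandardCharsets.ISO_8859_1);
        return userPass.substring(userPass.indexOf(':') + 1);
    }

    public static void main(String[] args) {
        // Constructed sample: the long combination from the report (78 bytes of user:pass,
        // 104 base64 chars, so a wrapping encoder breaks the line after 76 chars).
        String user = "aVeryLongUsernameIsIndeedRequiredForThisTest";
        String pw = "thisLongPasswordIsExtremelySecure";
        String good = basicCredentials(user, pw);
        String bad = wrappedCredentials(user, pw);
        System.out.println("plain encoder single-line: " + isSingleLine(good));   // true
        System.out.println("MIME encoder single-line:  " + isSingleLine(bad));    // false
        System.out.println("server sees password:      " + passwordSeenByServer(bad)); // thisLongPass
    }
}
```

The isSingleLine check is the one a client should apply before emitting any Authorization header, since a CR or LF in a header value is what lets the server split it into two headers.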

