Stian,

Thanks for the report and the patch. This is now fixed in SVN.

I would also like to integrate your JUnit test case. For this, would it be
possible for you to return to me (scanned by email, fax or letter) the signed
Joint Copyright Assignment available here:
http://www.restlet.org/community/contribute ?

Best regards,
Jerome  

> -----Original Message-----
> From: Stian Soiland [mailto:[EMAIL PROTECTED] 
> Sent: Monday, 23 April 2007 15:19
> To: [email protected]
> Subject: HTTP client don't support long username/pw for HTTP 
> basic authentication
> 
> 
> Hello!
> 
> I found a bug in that the REST HTTP client fails with HTTP basic  
> authentication if the username/password is too long.
> 
> The fault occurs because the base64 encoding inserts linebreaks,
> although this is not what the servers (including Jetty) expect. This
> means that even Restlet client to Restlet server fails.
> 
> Attached is a JUnit 4 testcase (where are the other unit tests
> located..? Is it modules/org.restlet.test in SVN?) HTTPBasicTest.java
> and a patch to SecurityUtils.java in restlet-1.0.0-httpauth.patch
> 
> The test is a simple application with a guard and two possible  
> username/passwords, one short combination and one long combination.  
> The guard system.out-s the combinations. When running with Restlet  
> 1.0.0, the output is:
> 
> (From the direct tests against the Guard)
> 
> Checking user13 pw15
> Checking aVeryLongUsernameIsIndeedRequiredForThisTest thisLongPasswordIsExtremelySecure
> (..)
> 
> (From the tests through HTTP Basic auth)
> 
> INFO: Basic HTTP authentication succeeded: identifier=user13.
> Checking user13 pw15
> (..)
> Checking aVeryLongUsernameIsIndeedRequiredForThisTest thisLongPass
> (..)
> 
> 
> Notice how the password has been chopped off. This is due to the
> base64 encoding inserting \n linebreaks, although RFC 2617 says:
> 
>      base64-user-pass  = <base64 [4] encoding of user-pass,
>                         except not limited to 76 char/line>
> 
> A debug and tracing of the actual headers reveal that the header is
> sent with a \n, and that the Jetty server interprets this as one
> header with the beginning of the WWW-Authenticate header and the next
> as a header named "aksdjaksdj".
> 
> 
> Note that the patch also changes the base64 encoding for SMTP and  
> AWS, although I haven't made test cases or tested these variants.
> 
> 
> Attached:
> 
> HTTPBasicTest.java            JUnit4 testcase
> restlet-1.0.0-httpauth.patch  patch of SecurityUtils.java from Restlet 1.0.0
> SecurityUtils.java            from Restlet 1.0.0 and patch applied
> 
> 
> 
> 
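
The truncation described in the report can be reproduced outside Restlet. The following is an added example, not code from this thread or from Restlet: it uses Python's standard `base64` module as a stand-in for the line-wrapping encoder, and `server_view` is a hypothetical line-based header parser, not Jetty's.

```python
import base64

# Credentials taken from the test output quoted in the report.
SHORT = ("user13", "pw15")
LONG = ("aVeryLongUsernameIsIndeedRequiredForThisTest",
        "thisLongPasswordIsExtremelySecure")


def wrapped_token(user, password):
    """MIME-style base64: a "\\n" is emitted after every 76 output characters."""
    raw = f"{user}:{password}".encode()
    return base64.encodebytes(raw).decode().rstrip("\n")


def unwrapped_token(user, password):
    """Single-line base64, as RFC 2617 requires for base64-user-pass."""
    return base64.b64encode(f"{user}:{password}".encode()).decode()


def authorization_header(token):
    """Build the header, refusing a value that would split it on the wire."""
    if "\r" in token or "\n" in token:
        raise ValueError("line break in Authorization header value")
    return f"Authorization: Basic {token}"


def server_view(raw_header):
    """Hypothetical server: reads one header per line, so only the first
    line of a wrapped value is treated as the credentials."""
    first_line = raw_header.split("\n")[0]
    token = first_line.split("Basic ", 1)[1]
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


if __name__ == "__main__":
    # Wrapped encoder: the 78-byte user-pass exceeds 57 bytes (76 chars),
    # so the server only sees the first 57 bytes of "user:password".
    broken = "Authorization: Basic " + wrapped_token(*LONG)
    print("wrapped  ->", server_view(broken))
    # Unwrapped encoder: the full password survives.
    fixed = authorization_header(unwrapped_token(*LONG))
    print("one line ->", server_view(fixed))
    # Short credentials never reach 76 characters, so both encoders agree.
    print("short    ->", wrapped_token(*SHORT) == unwrapped_token(*SHORT))
```

The check in `authorization_header` is also a useful guard on its own: any client code that places encoded data in a header value can reject CR and LF before sending.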
