Re: svn commit: r1807004 - in /tomcat/trunk: java/org/apache/catalina/authenticator/ test/org/apache/catalina/authenticator/ webapps/docs/ webapps/docs/config/
On Mon, Sep 4, 2017 at 11:07 AM, Mark Thomas wrote: > On 04/09/17 06:25, Rémy Maucherat wrote: > > On Fri, Sep 1, 2017 at 10:18 PM, Mark Thomas wrote: > > > >> On 01/09/17 20:51, ma...@apache.org wrote: > >>> Author: markt > >>> Date: Fri Sep 1 19:51:42 2017 > >>> New Revision: 1807004 > >>> > >>> URL: http://svn.apache.org/viewvc?rev=1807004&view=rev > >>> Log: > >>> Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=61280 > >>> Add RFC 7617 support to the BasicAuthenticator > >> > >> I'd like to back-port this but before I do I wanted to get some feedback > >> on the default. > >> > >> The options are: > >> > >> a) UTF-8 (the default for 9.0.x) > >> > >> b) "" or null (the current behaviour) > >> > >> The advantage of a) is that we'll support i18n user names and passwords > >> out of the box (assuming the browser does). > >> > >> The disadvantage of a) is that we'll break authentication for any user > >> name or password using ISO-8859-1 characters in the 128-255 range where > >> the browser uses ISO-8859-1 by default and doesn't support RFC 7617. > >> > >> A quick test suggests that this varies between browsers. > >> > >> Chrome appears to use UTF-8 by default. I can't tell if Chrome supports > >> RFC 7617 since it always uses UTF-8. > >> > >> Firefox appears to use ISO-8859-1 by default. It also appears that > >> Firefox doesn't support RFC 7617. > >> > >> IE is the same as Firefox. > >> > >> Hmm. This is a lot messier than I thought it would be. Given what I have > >> observed, there is no combination I can see that will allow BASIC auth > >> to work with a user name or password that contains non ASCII characters > >> with both IE, Firefox and Chrome. > >> > >> Thoughts? > >> > > > > Huuum, since this doesn't work properly yet, I think the default should > > remain ISO-8859-1 in all cases for now. > > Fair enough. I'll change the default for 9.0.x and then back-port. > > We can revisit the default once (if?) the browsers implement RFC 7617. > +1 I think it's the most reasonable option. Rémy > > Mark > > - > To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org > For additional commands, e-mail: dev-h...@tomcat.apache.org > >
Re: svn commit: r1807004 - in /tomcat/trunk: java/org/apache/catalina/authenticator/ test/org/apache/catalina/authenticator/ webapps/docs/ webapps/docs/config/
On 04/09/17 06:25, Rémy Maucherat wrote: > On Fri, Sep 1, 2017 at 10:18 PM, Mark Thomas wrote: > >> On 01/09/17 20:51, ma...@apache.org wrote: >>> Author: markt >>> Date: Fri Sep 1 19:51:42 2017 >>> New Revision: 1807004 >>> >>> URL: http://svn.apache.org/viewvc?rev=1807004&view=rev >>> Log: >>> Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=61280 >>> Add RFC 7617 support to the BasicAuthenticator >> >> I'd like to back-port this but before I do I wanted to get some feedback >> on the default. >> >> The options are: >> >> a) UTF-8 (the default for 9.0.x) >> >> b) "" or null (the current behaviour) >> >> The advantage of a) is that we'll support i18n user names and passwords >> out of the box (assuming the browser does). >> >> The disadvantage of a) is that we'll break authentication for any user >> name or password using ISO-8859-1 characters in the 128-255 range where >> the browser uses ISO-8859-1 by default and doesn't support RFC 7617. >> >> A quick test suggests that this varies between browsers. >> >> Chrome appears to use UTF-8 by default. I can't tell if Chrome supports >> RFC 7617 since it always uses UTF-8. >> >> Firefox appears to use ISO-8859-1 by default. It also appears that >> Firefox doesn't support RFC 7617. >> >> IE is the same as Firefox. >> >> Hmm. This is a lot messier than I thought it would be. Given what I have >> observed, there is no combination I can see that will allow BASIC auth >> to work with a user name or password that contains non ASCII characters >> with both IE, Firefox and Chrome. >> >> Thoughts? >> > > Huuum, since this doesn't work properly yet, I think the default should > remain ISO-8859-1 in all cases for now. Fair enough. I'll change the default for 9.0.x and then back-port. We can revisit the default once (if?) the browsers implement RFC 7617. Mark - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: svn commit: r1807004 - in /tomcat/trunk: java/org/apache/catalina/authenticator/ test/org/apache/catalina/authenticator/ webapps/docs/ webapps/docs/config/
On Fri, Sep 1, 2017 at 10:18 PM, Mark Thomas wrote: > On 01/09/17 20:51, ma...@apache.org wrote: > > Author: markt > > Date: Fri Sep 1 19:51:42 2017 > > New Revision: 1807004 > > > > URL: http://svn.apache.org/viewvc?rev=1807004&view=rev > > Log: > > Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=61280 > > Add RFC 7617 support to the BasicAuthenticator > > I'd like to back-port this but before I do I wanted to get some feedback > on the default. > > The options are: > > a) UTF-8 (the default for 9.0.x) > > b) "" or null (the current behaviour) > > The advantage of a) is that we'll support i18n user names and passwords > out of the box (assuming the browser does). > > The disadvantage of a) is that we'll break authentication for any user > name or password using ISO-8859-1 characters in the 128-255 range where > the browser uses ISO-8859-1 by default and doesn't support RFC 7617. > > A quick test suggests that this varies between browsers. > > Chrome appears to use UTF-8 by default. I can't tell if Chrome supports > RFC 7617 since it always uses UTF-8. > > Firefox appears to use ISO-8859-1 by default. It also appears that > Firefox doesn't support RFC 7617. > > IE is the same as Firefox. > > Hmm. This is a lot messier than I thought it would be. Given what I have > observed, there is no combination I can see that will allow BASIC auth > to work with a user name or password that contains non ASCII characters > with both IE, Firefox and Chrome. > > Thoughts? > Huuum, since this doesn't work properly yet, I think the default should remain ISO-8859-1 in all cases for now. Rémy > > Mark > > - > To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org > For additional commands, e-mail: dev-h...@tomcat.apache.org > >
Re: svn commit: r1807004 - in /tomcat/trunk: java/org/apache/catalina/authenticator/ test/org/apache/catalina/authenticator/ webapps/docs/ webapps/docs/config/
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Mark, On 9/1/17 4:18 PM, Mark Thomas wrote: > On 01/09/17 20:51, ma...@apache.org wrote: >> Author: markt Date: Fri Sep 1 19:51:42 2017 New Revision: >> 1807004 >> >> URL: http://svn.apache.org/viewvc?rev=1807004&view=rev Log: Fix >> https://bz.apache.org/bugzilla/show_bug.cgi?id=61280 Add RFC 7617 >> support to the BasicAuthenticator > > I'd like to back-port this but before I do I wanted to get some > feedback on the default. > > The options are: > > a) UTF-8 (the default for 9.0.x) > > b) "" or null (the current behaviour) > > The advantage of a) is that we'll support i18n user names and > passwords out of the box (assuming the browser does). > > The disadvantage of a) is that we'll break authentication for any > user name or password using ISO-8859-1 characters in the 128-255 > range where the browser uses ISO-8859-1 by default and doesn't > support RFC 7617. > > A quick test suggests that this varies between browsers. > > Chrome appears to use UTF-8 by default. I can't tell if Chrome > supports RFC 7617 since it always uses UTF-8. > > Firefox appears to use ISO-8859-1 by default. It also appears that > Firefox doesn't support RFC 7617. > > IE is the same as Firefox. > > Hmm. This is a lot messier than I thought it would be. Given what I > have observed, there is no combination I can see that will allow > BASIC auth to work with a user name or password that contains non > ASCII characters with both IE, Firefox and Chrome. > > Thoughts? In general, I'd say that UTF-8 should be the default for everything moving forward. So, for back-porting to 8.5, UTF-8 should be the default. But for 8.0, we should probably use ""/null. OTOH, we had conversations about 8.5 being as easy possible as a drop-in replacement for 8.0, and using UTF-8 would therefore hamper that goal. Maybe we should be ""/null for all backports, and let 9.0 only be UTF-8 (by default, of course). - -chris -BEGIN PGP SIGNATURE- Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBCAAGBQJZqxKnAAoJEBzwKT+lPKRYru0P/3ZbURp8BNBEkD5VQDU+dm24 +UeXRje0gchqqbSwL1Xaao02hEU/4x8oaV7/PldlcFlYoNFgmwlw0wjcJXq63YO8 9ygg24JMhv88GO5tkp7iiuBoQwVmdMA3mrMPqORIQ4U5CSyFdwtS1gbhXNYHW96X fCCKxvy+abhDMUX+IqteXCuYGdlbTiwoReLVBSUfLGGUBNPHUB3VwCiKi/CC3GE3 dgv9FaSFLR2R/g6jV6JNB5E3xggD+n2UXCyQ3fO6yA3fwJGBNg26xrWxNnaleu+i J16OVUpyb0s/nMztuqmd6O1AoBMGwp9kb16G0G2XH3p950UOi7upcO8Ysdz9SCHi qBuCbj/YK9VzxGk64gxcnCmJgiAkxxktqpa+q31qQy5rfolJs6xz7I6hmE4pOsN2 Ks7Ob0uLs1uN93bzES/vH7VEQ3JJcOYrTGSt97ZnMv0lI4fDoZlZFWoEn0RbsQCl GOIB3yd6xILlNKzjiibz6TIQZepszNBmJUB1T11/zTw6vKoL4CQVcXm5spZXX5SF JkWkoMonbFhSpoi7LzB4/guO10HGXfaemMP6Kg9R7tH+LuXzc4wiOmV2poAGDlqB dnMd4oQJBceYtm2fmbAtHtcaxvYtD+hEeutPm/B5aWEkgmoiKwVM5cbz729j61RN MbNZ4JE6SfbS0e5vDUrb =jG5+ -END PGP SIGNATURE- - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: svn commit: r1807004 - in /tomcat/trunk: java/org/apache/catalina/authenticator/ test/org/apache/catalina/authenticator/ webapps/docs/ webapps/docs/config/
On 01/09/17 20:51, ma...@apache.org wrote: > Author: markt > Date: Fri Sep 1 19:51:42 2017 > New Revision: 1807004 > > URL: http://svn.apache.org/viewvc?rev=1807004&view=rev > Log: > Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=61280 > Add RFC 7617 support to the BasicAuthenticator I'd like to back-port this but before I do I wanted to get some feedback on the default. The options are: a) UTF-8 (the default for 9.0.x) b) "" or null (the current behaviour) The advantage of a) is that we'll support i18n user names and passwords out of the box (assuming the browser does). The disadvantage of a) is that we'll break authentication for any user name or password using ISO-8859-1 characters in the 128-255 range where the browser uses ISO-8859-1 by default and doesn't support RFC 7617. A quick test suggests that this varies between browsers. Chrome appears to use UTF-8 by default. I can't tell if Chrome supports RFC 7617 since it always uses UTF-8. Firefox appears to use ISO-8859-1 by default. It also appears that Firefox doesn't support RFC 7617. IE is the same as Firefox. Hmm. This is a lot messier than I thought it would be. Given what I have observed, there is no combination I can see that will allow BASIC auth to work with a user name or password that contains non ASCII characters with both IE, Firefox and Chrome. Thoughts? Mark - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org