[jboss-jira] [JBoss JIRA] Created: (JBREM-806) In HTTPClientInvoker remove newlines and carriage returns from Base64 encoded user names and passwords
Ron Sigal (JIRA)
jira-events at lists.jboss.org
Sat Sep 15 19:57:10 EDT 2007
In HTTPClientInvoker remove newlines and carriage returns from Base64 encoded user names and passwords
-------------------------------------------------------------------------------------------------------
Key: JBREM-806
URL: http://jira.jboss.com/jira/browse/JBREM-806
Project: JBoss Remoting
Issue Type: Bug
Security Level: Public (Everyone can see)
Affects Versions: 2.4.0.Beta1 (Pinto)
Reporter: Ron Sigal
Assigned To: Ron Sigal
Fix For: 2.4.0.Beta1 (Pinto)
This public issue duplicates patch JBREM-791.
Long usernames and passwords cause the HTTPClientInvoker to fail. This is because the string returned from org.jboss.util.Base64.encodeBytes contains newline characters. According to the HTTP specification, the Base64 encoded string for Basic authentication should not be broken into lines at 76 characters, as is the case for MIME data. This is a one-line fix in the HTTPClientInvoker class, and we are running into this issue and need a patch.
---------
RFC 2617: http://www.ietf.org/rfc/rfc2617.txt
To receive authorization, the client sends the userid and password,
separated by a single colon (":") character, within a base64 [7]
encoded string in the credentials.
basic-credentials = base64-user-pass
base64-user-pass = <base64 [4] encoding of user-pass,
except not limited to 76 char/line>
user-pass = userid ":" password
userid = *<TEXT excluding ":">
password = *TEXT
---------
This can be reproduced by using a username / password combination larger than 76 characters to access a web service using BASIC authentication.
---------
Solution: org.jboss.util.Base64.encodeBytes() takes an optional "options" parameter, which, among other things, can indicate that Base64 encoded strings should not be broken into lines:
change
String encoded = Base64.encodeBytes(buffer.toString().getBytes());
to
String encoded = Base64.encodeBytes(buffer.toString().getBytes(), Base64.DONT_BREAK_LINES);
Unit test: org.jboss.test.remoting.transport.http.authorization.BASICAuthorizationTestCase.
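The following is an added example, not code from JBoss Remoting or from the reporter. It uses java.util.Base64 (JDK 8 and later) in place of org.jboss.util.Base64: getMimeEncoder() reproduces the 76-character line wrapping described in the issue, and getEncoder() produces the unbroken token that RFC 2617 requires. The class name, method names and the sample credentials are constructed for the example.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

// Added example (not JBoss Remoting code). Shows why a MIME-style Base64 encoder
// breaks HTTP Basic authentication once user:password exceeds 57 bytes, and the
// check a client should apply before placing any value in a header.
public class BasicAuthHeaderDemo {

    /** Buggy variant: MIME encoder inserts CRLF after every 76 output characters. */
    static String mimeWrappedCredentials(String user, String password) {
        byte[] userPass = (user + ":" + password).getBytes(StandardCharsets.UTF_8);
        return Base64.getMimeEncoder().encodeToString(userPass);
    }

    /** Fixed variant: one unbroken Base64 token, as "base64-user-pass" requires. */
    static String basicCredentials(String user, String password) {
        // RFC 2617: userid = *<TEXT excluding ":">, so a colon in the userid
        // would be mis-split by the server.
        if (user.indexOf(':') >= 0) {
            throw new IllegalArgumentException("userid must not contain ':'");
        }
        byte[] userPass = (user + ":" + password).getBytes(StandardCharsets.UTF_8);
        return Base64.getEncoder().encodeToString(userPass);
    }

    /** A CR or LF inside a header value terminates the header line in HTTP/1.1,
     *  so the remainder of the credentials never reaches the server as part of
     *  "Authorization". Reject such values before they are written. */
    static boolean isValidHeaderValue(String value) {
        return value.indexOf('\r') < 0 && value.indexOf('\n') < 0;
    }

    /** Server side: decode and split at the first colon. The basic decoder throws
     *  IllegalArgumentException on characters outside the Base64 alphabet, which
     *  is what a strict server does with the wrapped form. */
    static String[] decodeBasic(String credentials) {
        String userPass = new String(Base64.getDecoder().decode(credentials),
                                     StandardCharsets.UTF_8);
        int colon = userPass.indexOf(':');
        return new String[] { userPass.substring(0, colon), userPass.substring(colon + 1) };
    }

    public static void main(String[] args) {
        // Constructed credentials: user:password is well over 57 bytes, so the
        // MIME encoder emits more than one 76-character line.
        String user = "service-account-with-a-very-long-name@example.org";
        String password = "correct-horse-battery-staple-correct-horse-battery-staple";

        String wrapped = mimeWrappedCredentials(user, password);
        String fixed = basicCredentials(user, password);

        System.out.println("MIME-wrapped value contains CR/LF : " + !isValidHeaderValue(wrapped));
        System.out.println("Unbroken value safe for a header  : " + isValidHeaderValue(fixed));

        try {
            decodeBasic(wrapped);
            System.out.println("Strict decoder accepted wrapped value (unexpected)");
        } catch (IllegalArgumentException e) {
            System.out.println("Strict decoder rejects wrapped value: " + e.getMessage());
        }

        String[] parts = decodeBasic(fixed);
        System.out.println("Round trip recovers userid        : " + parts[0].equals(user));
        System.out.println("Round trip recovers password      : " + parts[1].equals(password));
        System.out.println("Authorization: Basic " + fixed);
    }
}
```

Run with `javac BasicAuthHeaderDemo.java && java BasicAuthHeaderDemo`. The isValidHeaderValue check is the general form of the fix: it catches not only this encoder's line wrapping but any CR/LF that reaches a header value, which is the same shape as a header injection and should never be written to the wire.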