[jboss-jira] [JBoss JIRA] Updated: (JBREM-806) In HTTPClientInvoker remove newlines and carriage returns from Base64 encoded user names and passwords
Ron Sigal (JIRA)
jira-events at lists.jboss.org
Sat Sep 15 20:01:15 EDT 2007
[ http://jira.jboss.com/jira/browse/JBREM-806?page=all ]
Ron Sigal updated JBREM-806:
----------------------------
Affects Version/s: 2.2.2.GA
> In HTTPClientInvoker remove newlines and carriage returns from Base64 encoded user names and passwords
> -------------------------------------------------------------------------------------------------------
>
> Key: JBREM-806
> URL: http://jira.jboss.com/jira/browse/JBREM-806
> Project: JBoss Remoting
> Issue Type: Bug
> Security Level: Public(Everyone can see)
> Affects Versions: 2.4.0.Beta1 (Pinto), 2.2.2.GA
> Reporter: Ron Sigal
> Assigned To: Ron Sigal
> Fix For: 2.4.0.Beta1 (Pinto)
>
>
> This public issue duplicates patch JBREM-791.
> Long usernames and passwords cause the HTTPClientInvoker to fail. This is because the string returned from org.jboss.util.Base64.encodeBytes contains newline characters. According to the HTTP specification, the Base64 encoded string for Basic authentication should not be broken into lines at 76 characters as is the case for MIME data. This is a one-line fix in the HTTPClientInvoker class, and we are running into this issue and need a patch.
> ---------
> RFC 2617: http://www.ietf.org/rfc/rfc2617.txt
> To receive authorization, the client sends the userid and password,
> separated by a single colon (":") character, within a base64 [7]
> encoded string in the credentials.
>       basic-credentials = base64-user-pass
>       base64-user-pass  = <base64 [4] encoding of user-pass,
>                            except not limited to 76 char/line>
>       user-pass   = userid ":" password
>       userid      = *<TEXT excluding ":">
>       password    = *TEXT
> ---------
> This can be reproduced by using a username / password combination larger than 76 characters to access a web service using BASIC authentication.
> ---------
> Solution: org.jboss.util.Base64.encodeBytes() takes an optional "options" parameter, which, among other things, can indicate that Base64 encoded strings should not be broken into lines:
> change
>     String encoded = Base64.encodeBytes(buffer.toString().getBytes());
> to
>     String encoded = Base64.encodeBytes(buffer.toString().getBytes(), Base64.DONT_BREAK_LINES);
> Unit test: org.jboss.test.remoting.transport.http.authorization.BASICAuthorizationTestCase.
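The line-wrapping behaviour described in the issue, as an added example that is not part of the original report or of the JBoss Remoting code. It uses the JDK's java.util.Base64 as a stand-in for org.jboss.util.Base64; the class name, helper names and sample credentials are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Collections;

// Added illustration: java.util.Base64 stands in for org.jboss.util.Base64.
public class BasicAuthHeaderDemo {

    // Builds the Authorization header value (RFC 2617 basic-credentials)
    // with whichever Base64 encoder the caller supplies.
    static String basicHeader(String user, String password, Base64.Encoder encoder) {
        byte[] userPass = (user + ":" + password).getBytes(StandardCharsets.UTF_8);
        return "Basic " + encoder.encodeToString(userPass);
    }

    // A header value has to stay on one line, so any CR or LF disqualifies it.
    static boolean isSingleLine(String headerValue) {
        return headerValue.indexOf('\r') < 0 && headerValue.indexOf('\n') < 0;
    }

    // Client-side guard: refuse to send a value that contains line breaks.
    static String requireSingleLine(String headerValue) {
        if (!isSingleLine(headerValue)) {
            throw new IllegalArgumentException("CR/LF in Authorization header value");
        }
        return headerValue;
    }

    // Server-side view: recover "userid:password" from the header value.
    static String decodeUserPass(String headerValue) {
        String b64 = headerValue.substring("Basic ".length());
        return new String(Base64.getDecoder().decode(b64), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        // Constructed sample: 9 + 1 + 60 = 70 bytes, i.e. 96 Base64 characters,
        // which is past the 76-character MIME line limit.
        String user = "svc-batch";
        String password = String.join("", Collections.nCopies(60, "x"));

        // MIME encoder: wraps at 76 characters, like the default encodeBytes().
        String wrapped = basicHeader(user, password, Base64.getMimeEncoder());
        // Basic encoder: no line breaks, like passing Base64.DONT_BREAK_LINES.
        String flat = basicHeader(user, password, Base64.getEncoder());

        System.out.println("MIME-wrapped value is single line: " + isSingleLine(wrapped));
        System.out.println("Unwrapped value is single line:    " + isSingleLine(flat));
        System.out.println("Round trip of unwrapped value ok:  "
                + decodeUserPass(requireSingleLine(flat)).equals(user + ":" + password));
    }
}
```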