Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Done
Priority: Major
Fix Version/s: 10.1.0.CR1, 10.1.0.Final
Affects Version/s: 9.0.2.Final
Component/s: Web (Undertow)
Labels:

Steps to Reproduce:

Hide

Configure a simple restful service, protect it with <security-constraint> in web.xml. Write client with Authorization: Basic header. Change 'Basic' to 'BASIC'. E.g.:
requestContext.getHeaders().add( "Authorization", "Basic " + DatatypeConverter.printBase64Binary(
(user+":"+password).getBytes("UTF-8")) );

Show
Configure a simple restful service, protect it with <security-constraint> in web.xml. Write client with Authorization: Basic header. Change 'Basic' to 'BASIC'. E.g.: requestContext.getHeaders().add( "Authorization", "Basic " + DatatypeConverter.printBase64Binary( (user+":"+password).getBytes("UTF-8")) );
Affects:

Compatibility/Configuration
Workaround:

Workaround Exists
Workaround Description:

Hide

User 'Basic' instead of 'BASIC' in authorization http header.

Show
User 'Basic' instead of 'BASIC' in authorization http header.
Estimated Difficulty:
Low

Description

I wrote client code to login to a rest service with security-constraint. The client code must use an HTTP header of Authorization: Basic [Base 64 username:password]. If 'Basic' is sent as uppercase 'BASIC' it didn't work, but if sent as 'Basic' then it did work. I don't think the HTTP header fields should be case sensitive.

https://tools.ietf.org/rfc/rfc2617.txt

Attachments

Issue Links

is caused by

UNDERTOW-629 Basic auth 'Basic' token is case sensitive

Resolved

Activity

People

Assignee:: Stuart Douglas

Reporter:: Karl Nicholas (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 2015/11/03 10:34 AM

Updated:: 2020/09/30 10:26 AM

Resolved:: 2016/02/23 8:25 PM