  1. WildFly
  2. WFLY-5618

HTTP Authentication Basic header is case sensitive

    Details

    • Steps to Reproduce:
      Configure a simple RESTful service and protect it with <security-constraint> in web.xml. Write a client with an Authorization: Basic header. Change 'Basic' to 'BASIC'. E.g.:
      requestContext.getHeaders().add( "Authorization", "Basic " + DatatypeConverter.printBase64Binary(
      (user+":"+password).getBytes("UTF-8")) );
    • Affects:
      Compatibility/Configuration
    • Workaround:
      Workaround Exists
    • Workaround Description:
      Use 'Basic' instead of 'BASIC' in the Authorization HTTP header.
    • Estimated Difficulty:
      Low

      Description

      I wrote client code to log in to a REST service with security-constraint. The client code must use an HTTP header of Authorization: Basic [Base 64 username:password]. If 'Basic' is sent as uppercase 'BASIC', it didn't work, but if sent as 'Basic', then it did work. I don't think the HTTP header fields should be case sensitive.

      https://tools.ietf.org/rfc/rfc2617.txt

                People

                • Assignee:
                  swd847 Stuart Douglas
                  Reporter:
                  karlnicholas Karl Nicholas
                • Votes:
                  0
                  Watchers:
                  3

                  Dates

                  • Created:
                    Updated:
                    Resolved:
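
A server-side parse of the Authorization header that matches the scheme token without regard to case, as RFC 2617 defines authentication schemes, while leaving the case-sensitive base64 payload untouched. This is an added example, not WildFly's code and not from the issue; the class name BasicAuthHeader, the parse method and the sample credentials are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Optional;

public class BasicAuthHeader {   // hypothetical class name

    private static final String SCHEME = "Basic";

    /** Returns {user, password} if the header carries Basic credentials, else empty. */
    static Optional<String[]> parse(String header) {
        if (header == null) {
            return Optional.empty();
        }
        // Compare only the scheme token, ignoring case. Never lower-case the whole
        // header: the base64 payload that follows is case-sensitive.
        if (header.length() <= SCHEME.length()
                || !header.regionMatches(true, 0, SCHEME, 0, SCHEME.length())
                || header.charAt(SCHEME.length()) != ' ') {
            return Optional.empty();   // other scheme, or a longer token such as "Basics"
        }
        String token = header.substring(SCHEME.length() + 1).trim();
        byte[] raw;
        try {
            raw = Base64.getDecoder().decode(token);
        } catch (IllegalArgumentException e) {
            return Optional.empty();   // malformed base64: reject, do not guess
        }
        String decoded = new String(raw, StandardCharsets.UTF_8);
        int colon = decoded.indexOf(':');   // split on the FIRST colon; passwords may contain ':'
        if (colon < 0) {
            return Optional.empty();
        }
        return Optional.of(new String[] {decoded.substring(0, colon), decoded.substring(colon + 1)});
    }

    public static void main(String[] args) {
        // Constructed sample credentials, not taken from the issue.
        String b64 = Base64.getEncoder().encodeToString("alice:s3cret:x".getBytes(StandardCharsets.UTF_8));
        String[] headers = {"Basic " + b64, "BASIC " + b64, "basic " + b64,
                            "Basics " + b64, "Bearer " + b64, "Basic !!!"};
        for (String h : headers) {
            String result = parse(h).map(c -> "user=" + c[0]).orElse("rejected");
            System.out.println(h.substring(0, Math.min(h.length(), 12)) + "... -> " + result);
        }
    }
}
```

The first three headers are accepted with the same user, and the last three are rejected.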