6870935: DIGEST proxy authentication fails to connect to URLs with no trailing slash
Reviewed-by: chegar
--- a/jdk/src/share/classes/sun/net/www/protocol/http/AuthenticationInfo.java Thu Oct 01 11:25:22 2009 +0100
+++ b/jdk/src/share/classes/sun/net/www/protocol/http/AuthenticationInfo.java Fri Oct 02 13:57:41 2009 +0100
@@ -399,13 +399,6 @@
abstract boolean isAuthorizationStale (String header);
/**
- * Check for any expected authentication information in the response
- * from the server
- */
- abstract void checkResponse (String header, String method, URL url)
- throws IOException;
-
- /**
* Give a key for hash table lookups.
* @param includeRealm if you want the realm considered. Preemptively
* setting an authorization is done before the realm is known.--- a/jdk/src/share/classes/sun/net/www/protocol/http/BasicAuthentication.java Thu Oct 01 11:25:22 2009 +0100
+++ b/jdk/src/share/classes/sun/net/www/protocol/http/BasicAuthentication.java Fri Oct 02 13:57:41 2009 +0100
@@ -179,13 +179,6 @@
}
/**
- * For Basic Authentication, there is no security information in the
- * response
- */
- void checkResponse (String header, String method, URL url) {
- }
-
- /**
* @return the common root path between npath and path.
* This is used to detect when we have an authentication for two
* paths and the root of th authentication space is the common root.--- a/jdk/src/share/classes/sun/net/www/protocol/http/DigestAuthentication.java Thu Oct 01 11:25:22 2009 +0100
+++ b/jdk/src/share/classes/sun/net/www/protocol/http/DigestAuthentication.java Fri Oct 02 13:57:41 2009 +0100
@@ -291,7 +291,7 @@
uri = HttpURLConnection.connectRequestURI(conn.getURL());
method = HTTP_CONNECT;
} else {
- uri = conn.getURL().getFile();
+ uri = conn.getRequestURI();
method = conn.getMethod();
}
@@ -385,7 +385,11 @@
public void checkResponse (String header, String method, URL url)
throws IOException {
- String uri = url.getFile();
+ checkResponse (header, method, url.getFile());
+ }
+
+ public void checkResponse (String header, String method, String uri)
+ throws IOException {
char[] passwd = pw.getPassword();
String username = pw.getUserName();
boolean qop = params.authQop();--- a/jdk/src/share/classes/sun/net/www/protocol/http/HttpURLConnection.java Thu Oct 01 11:25:22 2009 +0100
+++ b/jdk/src/share/classes/sun/net/www/protocol/http/HttpURLConnection.java Fri Oct 02 13:57:41 2009 +0100
@@ -390,7 +390,7 @@
* request.
*/
if (!failedOnce)
- requests.prepend(method + " " + http.getURLFile()+" " +
+ requests.prepend(method + " " + getRequestURI()+" " +
httpVersion, null);
if (!getUseCaches()) {
requests.setIfNotSet ("Cache-Control", "no-cache");
@@ -1546,10 +1546,14 @@
if (proxyAuthentication.isAuthorizationStale (raw)) {
/* we can retry with the current credentials */
String value;
- if (tunnelState() == TunnelState.SETUP &&
- proxyAuthentication instanceof DigestAuthentication) {
- value = ((DigestAuthentication)proxyAuthentication)
- .getHeaderValue(connectRequestURI(url), HTTP_CONNECT);
+ if (proxyAuthentication instanceof DigestAuthentication) {
+ DigestAuthentication digestProxy = (DigestAuthentication)
+ proxyAuthentication;
+ if (tunnelState() == TunnelState.SETUP) {
+ value = digestProxy.getHeaderValue(connectRequestURI(url), HTTP_CONNECT);
+ } else {
+ value = digestProxy.getHeaderValue(getRequestURI(), method);
+ }
} else {
value = proxyAuthentication.getHeaderValue(url, method);
}
@@ -1765,10 +1769,14 @@
http.getProxyPortUsed());
if (pauth != null && pauth.supportsPreemptiveAuthorization()) {
String value;
- if (tunnelState() == TunnelState.SETUP &&
- pauth instanceof DigestAuthentication) {
- value = ((DigestAuthentication)pauth)
+ if (pauth instanceof DigestAuthentication) {
+ DigestAuthentication digestProxy = (DigestAuthentication) pauth;
+ if (tunnelState() == TunnelState.SETUP) {
+ value = digestProxy
.getHeaderValue(connectRequestURI(url), HTTP_CONNECT);
+ } else {
+ value = digestProxy.getHeaderValue(getRequestURI(), method);
+ }
} else {
value = pauth.getHeaderValue(url, method);
}
@@ -2075,17 +2083,23 @@
try {
if (!needToCheck)
return;
- if (validateProxy && currentProxyCredentials != null) {
+ if ((validateProxy && currentProxyCredentials != null) &&
+ (currentProxyCredentials instanceof DigestAuthentication)) {
String raw = responses.findValue ("Proxy-Authentication-Info");
if (inClose || (raw != null)) {
- currentProxyCredentials.checkResponse (raw, method, url);
+ DigestAuthentication da = (DigestAuthentication)
+ currentProxyCredentials;
+ da.checkResponse (raw, method, getRequestURI());
currentProxyCredentials = null;
}
}
- if (validateServer && currentServerCredentials != null) {
+ if ((validateServer && currentServerCredentials != null) &&
+ (currentServerCredentials instanceof DigestAuthentication)) {
String raw = responses.findValue ("Authentication-Info");
if (inClose || (raw != null)) {
- currentServerCredentials.checkResponse (raw, method, url);
+ DigestAuthentication da = (DigestAuthentication)
+ currentServerCredentials;
+ da.checkResponse (raw, method, url);
currentServerCredentials = null;
}
}
@@ -2099,6 +2113,23 @@
}
}
+ /* The request URI used in the request line for this request.
+ * Also, needed for digest authentication
+ */
+
+ String requestURI = null;
+
+ String getRequestURI() {
+ if (requestURI == null) {
+ try {
+ requestURI = http.getURLFile();
+ } catch (IOException e) {
+ requestURI = "";
+ }
+ }
+ return requestURI;
+ }
+
/* Tells us whether to follow a redirect. If so, it
* closes the connection (break any keep-alive) and
* resets the url, re-connects, and resets the request
@@ -2160,13 +2191,14 @@
}
setProxiedClient (url, proxyHost, proxyPort);
- requests.set(0, method + " " + http.getURLFile()+" " +
+ requests.set(0, method + " " + getRequestURI()+" " +
httpVersion, null);
connected = true;
} else {
// maintain previous headers, just change the name
// of the file we're getting
url = locUrl;
+ requestURI = null; // force it to be recalculated
if (method.equals("POST") && !Boolean.getBoolean("http.strictPostRedirect") && (stat!=307)) {
/* The HTTP/1.1 spec says that a redirect from a POST
* *should not* be immediately turned into a GET, and
@@ -2204,7 +2236,7 @@
* CacheResponse.
*/
if (http != null) {
- requests.set(0, method + " " + http.getURLFile()+" " +
+ requests.set(0, method + " " + getRequestURI()+" " +
httpVersion, null);
int port = url.getPort();
String host = url.getHost();--- a/jdk/src/share/classes/sun/net/www/protocol/http/NegotiateAuthentication.java Thu Oct 01 11:25:22 2009 +0100
+++ b/jdk/src/share/classes/sun/net/www/protocol/http/NegotiateAuthentication.java Fri Oct 02 13:57:41 2009 +0100
@@ -214,12 +214,6 @@
return negotiator.nextToken(token);
}
- /**
- * no-use for Negotiate
- */
- public void checkResponse (String header, String method, URL url) throws IOException {
- }
-
class B64Encoder extends BASE64Encoder {
protected int bytesPerLine () {
return 100000; // as big as it can be, maybe INT_MAX--- a/jdk/src/solaris/classes/sun/net/www/protocol/http/NTLMAuthentication.java Thu Oct 01 11:25:22 2009 +0100
+++ b/jdk/src/solaris/classes/sun/net/www/protocol/http/NTLMAuthentication.java Fri Oct 02 13:57:41 2009 +0100
@@ -244,13 +244,6 @@
}
}
- /* This is a no-op for NTLM, because there is no authentication information
- * provided by the server to the client
- */
- public void checkResponse (String header, String method, URL url) throws IOException {
- }
-
-
private void copybytes (byte[] dest, int destpos, String src, String enc) {
try {
byte[] x = src.getBytes(enc);--- a/jdk/src/windows/classes/sun/net/www/protocol/http/NTLMAuthentication.java Thu Oct 01 11:25:22 2009 +0100
+++ b/jdk/src/windows/classes/sun/net/www/protocol/http/NTLMAuthentication.java Fri Oct 02 13:57:41 2009 +0100
@@ -192,9 +192,4 @@
}
}
- /* This is a no-op for NTLM, because there is no authentication information
- * provided by the server to the client
- */
- public void checkResponse (String header, String method, URL url) throws IOException {
- }
}--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/jdk/test/java/net/Authenticator/B6870935.java Fri Oct 02 13:57:41 2009 +0100
@@ -0,0 +1,262 @@
+/*
+ * Copyright 2001-2009 Sun Microsystems, Inc. All Rights Reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
+ * CA 95054 USA or visit www.sun.com if you need additional information or
+ * have any questions.
+ */
+
+/**
+ * @test
+ * @bug 6870935
+ * @run main/othervm -Dhttp.nonProxyHosts="" -Dhttp.auth.digest.validateProxy=true B6870935
+ */
+
+import java.io.*;
+import java.util.*;
+import java.net.*;
+import java.security.*;
+import sun.net.www.*;
+
+/* This is one simple test of the RFC2617 digest authentication behavior
+ * It specifically tests that the client correctly checks the returned
+ * Authentication-Info header field from the server and throws an exception
+ * if the password is wrong
+ */
+
+public class B6870935 {
+
+ static char[] passwd = "password".toCharArray();
+ static String username = "user";
+ static String nonce = "abcdefghijklmnopqrstuvwxyz";
+ static String realm = "wallyworld";
+ static String uri = "http://www.ibm.com";
+ static volatile boolean error = false;
+
+ static class DigestServer extends Thread {
+
+ ServerSocket s;
+ InputStream is;
+ OutputStream os;
+ int port;
+
+ String reply1 = "HTTP/1.1 407 Proxy Authentication Required\r\n"+
+ "Proxy-Authenticate: Digest realm=\""+realm+"\" domain=/ "+
+ "nonce=\""+nonce+"\" qop=\"auth\"\r\n\r\n";
+
+ String reply2 = "HTTP/1.1 200 OK\r\n" +
+ "Date: Mon, 15 Jan 2001 12:18:21 GMT\r\n" +
+ "Server: Apache/1.3.14 (Unix)\r\n" +
+ "Content-Type: text/html; charset=iso-8859-1\r\n" +
+ "Transfer-encoding: chunked\r\n\r\n"+
+ "B\r\nHelloWorld1\r\n"+
+ "B\r\nHelloWorld2\r\n"+
+ "B\r\nHelloWorld3\r\n"+
+ "B\r\nHelloWorld4\r\n"+
+ "B\r\nHelloWorld5\r\n"+
+ "0\r\n"+
+ "Proxy-Authentication-Info: ";
+
+ DigestServer (ServerSocket y) {
+ s = y;
+ port = s.getLocalPort();
+ }
+
+ public void run () {
+ try {
+ Socket s1 = s.accept ();
+ is = s1.getInputStream ();
+ os = s1.getOutputStream ();
+ is.read ();
+ os.write (reply1.getBytes());
+ Thread.sleep (2000);
+ s1.close ();
+
+ s1 = s.accept ();
+ is = s1.getInputStream ();
+ os = s1.getOutputStream ();
+ is.read ();
+ // need to get the cnonce out of the response
+ MessageHeader header = new MessageHeader (is);
+ String raw = header.findValue ("Proxy-Authorization");
+ HeaderParser parser = new HeaderParser (raw);
+ String cnonce = parser.findValue ("cnonce");
+ String cnstring = parser.findValue ("nc");
+ String clientrsp = parser.findValue ("response");
+ String expected = computeDigest(
+ true, username,passwd,realm,
+ "GET", uri, nonce, cnonce, cnstring
+ );
+ if (!expected.equals(clientrsp)) {
+ s1.close ();
+ s.close ();
+ error = true;
+ return;
+ }
+
+ String reply = reply2 + getAuthorization (
+ realm, false, uri, "GET", cnonce,
+ cnstring, passwd, username
+ ) +"\r\n";
+ os.write (reply.getBytes());
+ Thread.sleep (2000);
+ s1.close ();
+ }
+ catch (Exception e) {
+ System.out.println (e);
+ e.printStackTrace();
+ }
+ }
+
+ private String getAuthorization (String realm, boolean isRequest, String uri, String method, String cnonce, String cnstring, char[] password, String username) {
+ String response;
+
+ try {
+ response = computeDigest(isRequest, username,passwd,realm,
+ method, uri, nonce, cnonce, cnstring);
+ } catch (NoSuchAlgorithmException ex) {
+ return null;
+ }
+
+ String value = "Digest"
+ + " qop=\"auth"
+ + "\", cnonce=\"" + cnonce
+ + "\", rspauth=\"" + response
+ + "\", nc=\"" + cnstring + "\"";
+ return (value+ "\r\n");
+ }
+
+ private String computeDigest(
+ boolean isRequest, String userName, char[] password,
+ String realm, String connMethod,
+ String requestURI, String nonceString,
+ String cnonce, String ncValue
+ ) throws NoSuchAlgorithmException
+ {
+
+ String A1, HashA1;
+
+ MessageDigest md = MessageDigest.getInstance("MD5");
+
+ {
+ A1 = userName + ":" + realm + ":";
+ HashA1 = encode(A1, password, md);
+ }
+
+ String A2;
+ if (isRequest) {
+ A2 = connMethod + ":" + requestURI;
+ } else {
+ A2 = ":" + requestURI;
+ }
+ String HashA2 = encode(A2, null, md);
+ String combo, finalHash;
+
+ { /* RRC2617 when qop=auth */
+ combo = HashA1+ ":" + nonceString + ":" + ncValue + ":" +
+ cnonce + ":auth:" +HashA2;
+
+ }
+ finalHash = encode(combo, null, md);
+ return finalHash;
+ }
+
+ private final static char charArray[] = {
+ '0', '1', '2', '3', '4', '5', '6', '7',
+ '8', '9', 'a', 'b', 'c', 'd', 'e', 'f'
+ };
+
+ private String encode(String src, char[] passwd, MessageDigest md) {
+ md.update(src.getBytes());
+ if (passwd != null) {
+ byte[] passwdBytes = new byte[passwd.length];
+ for (int i=0; i<passwd.length; i++)
+ passwdBytes[i] = (byte)passwd[i];
+ md.update(passwdBytes);
+ Arrays.fill(passwdBytes, (byte)0x00);
+ }
+ byte[] digest = md.digest();
+
+ StringBuffer res = new StringBuffer(digest.length * 2);
+ for (int i = 0; i < digest.length; i++) {
+ int hashchar = ((digest[i] >>> 4) & 0xf);
+ res.append(charArray[hashchar]);
+ hashchar = (digest[i] & 0xf);
+ res.append(charArray[hashchar]);
+ }
+ return res.toString();
+ }
+ }
+
+
+ static class MyAuthenticator extends Authenticator {
+ public MyAuthenticator () {
+ super ();
+ }
+
+ public PasswordAuthentication getPasswordAuthentication ()
+ {
+ return (new PasswordAuthentication (username, passwd));
+ }
+ }
+
+
+ public static void main(String[] args) throws Exception {
+ int nLoops = 1;
+ int nSize = 10;
+ int port, n =0;
+ byte b[] = new byte[nSize];
+ DigestServer server;
+ ServerSocket sock;
+
+ try {
+ sock = new ServerSocket (0);
+ port = sock.getLocalPort ();
+ }
+ catch (Exception e) {
+ System.out.println ("Exception: " + e);
+ return;
+ }
+
+ server = new DigestServer(sock);
+ server.start ();
+
+ try {
+
+ Authenticator.setDefault (new MyAuthenticator ());
+ SocketAddress addr = new InetSocketAddress ("127.0.0.1", port);
+ Proxy proxy = new Proxy (Proxy.Type.HTTP, addr);
+ String s = "http://www.ibm.com";
+ URL url = new URL(s);
+ java.net.URLConnection conURL = url.openConnection(proxy);
+
+ InputStream in = conURL.getInputStream();
+ int c;
+ while ((c = in.read ()) != -1) {
+ }
+ in.close ();
+ }
+ catch(IOException e) {
+ e.printStackTrace();
+ error = true;
+ }
+ if (error) {
+ throw new RuntimeException ("Error in test");
+ }
+ }
+}