# HG changeset patch # User michaelm # Date 1566480970 -3600 # Node ID 78844dceede6a7b524556b73385f9adac55d312b # Parent 2227a0cfd6b3dd8ef23ed7caf3e100998280cdfb 8199849: Add support for UTF-8 encoded credentials in HTTP Basic Authentication Reviewed-by: chegar, dfuchs diff -r 2227a0cfd6b3 -r 78844dceede6 src/java.base/share/classes/sun/net/www/protocol/http/BasicAuthentication.java --- a/src/java.base/share/classes/sun/net/www/protocol/http/BasicAuthentication.java Thu Aug 22 13:47:14 2019 +0200 +++ b/src/java.base/share/classes/sun/net/www/protocol/http/BasicAuthentication.java Thu Aug 22 14:36:10 2019 +0100 @@ -29,11 +29,17 @@ import java.net.URI; import java.net.URISyntaxException; import java.net.PasswordAuthentication; +import java.nio.ByteBuffer; +import java.nio.CharBuffer; +import java.nio.charset.Charset; import java.io.IOException; import java.io.OutputStream; +import java.util.Arrays; import java.util.Base64; import java.util.Objects; import sun.net.www.HeaderParser; +import static java.nio.charset.StandardCharsets.UTF_8; +import static java.nio.charset.StandardCharsets.ISO_8859_1; /** * BasicAuthentication: Encapsulate an http server authentication using @@ -49,37 +55,18 @@ /** The authentication string for this host, port, and realm. This is a simple BASE64 encoding of "login:password". */ - String auth; + final String auth; /** * Create a BasicAuthentication */ public BasicAuthentication(boolean isProxy, String host, int port, String realm, PasswordAuthentication pw, - String authenticatorKey) { + boolean isUTF8, String authenticatorKey) { super(isProxy ? PROXY_AUTHENTICATION : SERVER_AUTHENTICATION, AuthScheme.BASIC, host, port, realm, Objects.requireNonNull(authenticatorKey)); - String plain = pw.getUserName() + ":"; - byte[] nameBytes = null; - try { - nameBytes = plain.getBytes("ISO-8859-1"); - } catch (java.io.UnsupportedEncodingException uee) { - assert false; - } - - // get password bytes - char[] passwd = pw.getPassword(); - byte[] passwdBytes = new byte[passwd.length]; - for (int i=0; i retry_limit) { throw new IOException("too many authentication attempts. Limit: " + @@ -328,14 +336,14 @@ if (pw == null) { throw new IOException("No credentials provided"); } - au = au.retryWithCredentials(pw); + au = au.retryWithCredentials(pw, isUTF8); if (proxy) { exchange.proxyauth = au; } else { exchange.serverauth = au; } req = HttpRequestImpl.newInstanceForAuthentication(req); - addBasicCredentials(req, proxy, au.credentials); + addBasicCredentials(req, proxy, au.credentials, isUTF8); au.retries++; return req; } @@ -387,9 +395,9 @@ synchronized void store(String authscheme, URI domain, boolean proxy, - PasswordAuthentication value) { + PasswordAuthentication value, boolean isUTF8) { remove(authscheme, domain, proxy); - entries.add(new CacheEntry(authscheme, domain, proxy, value)); + entries.add(new CacheEntry(authscheme, domain, proxy, value, isUTF8)); } } @@ -417,15 +425,17 @@ final String scheme; final boolean proxy; final PasswordAuthentication value; + final boolean isUTF8; CacheEntry(String authscheme, URI uri, boolean proxy, - PasswordAuthentication value) { + PasswordAuthentication value, boolean isUTF8) { this.scheme = authscheme; this.root = normalize(uri, true).toString(); // remove extraneous components this.proxy = proxy; this.value = value; + this.isUTF8 = isUTF8; } public PasswordAuthentication value() { diff -r 2227a0cfd6b3 -r 78844dceede6 src/jdk.httpserver/share/classes/com/sun/net/httpserver/BasicAuthenticator.java --- a/src/jdk.httpserver/share/classes/com/sun/net/httpserver/BasicAuthenticator.java Thu Aug 22 13:47:14 2019 +0200 +++ b/src/jdk.httpserver/share/classes/com/sun/net/httpserver/BasicAuthenticator.java Thu Aug 22 14:36:10 2019 +0100 @@ -25,7 +25,11 @@ package com.sun.net.httpserver; +import java.nio.charset.Charset; import java.util.Base64; +import java.util.Objects; + +import static java.nio.charset.StandardCharsets.UTF_8; /** * BasicAuthenticator provides an implementation of HTTP Basic @@ -35,15 +39,44 @@ */ public abstract class BasicAuthenticator extends Authenticator { - protected String realm; + protected final String realm; + protected final Charset charset; + private final boolean isUTF8; + + /** + * Creates a BasicAuthenticator for the given HTTP realm. + * The Basic authentication credentials (username and password) are decoded + * using the platform's {@link Charset#defaultCharset() default character set}. + * + * @param realm The HTTP Basic authentication realm + * @throws NullPointerException if realm is {@code null} + * @throws IllegalArgumentException if realm is an empty string + */ + public BasicAuthenticator (String realm) { + this(realm, Charset.defaultCharset()); + } /** - * Creates a BasicAuthenticator for the given HTTP realm + * Creates a BasicAuthenticator for the given HTTP realm and using the + * given {@link Charset} to decode the Basic authentication credentials + * (username and password). + * + * @apiNote {@code UTF-8} is the recommended charset because its usage is + * communicated to the client, and therefore more likely to be used also + * by the client. + * * @param realm The HTTP Basic authentication realm - * @throws NullPointerException if the realm is an empty string + * @param charset The Charset to decode incoming credentials from the client + * @throws NullPointerException if realm or charset are {@code null} + * @throws IllegalArgumentException if realm is an empty string */ - public BasicAuthenticator (String realm) { + public BasicAuthenticator (String realm, Charset charset) { + Objects.requireNonNull(charset); + if (realm.isEmpty()) // implicit NPE check + throw new IllegalArgumentException("realm must not be empty"); this.realm = realm; + this.charset = charset; + this.isUTF8 = charset.equals(UTF_8); } /** @@ -63,7 +96,9 @@ String auth = rmap.getFirst ("Authorization"); if (auth == null) { Headers map = t.getResponseHeaders(); - map.set ("WWW-Authenticate", "Basic realm=" + "\""+realm+"\""); + var authString = "Basic realm=" + "\"" + realm + "\"" + + (isUTF8 ? " charset=\"UTF-8\"" : ""); + map.set ("WWW-Authenticate", authString); return new Authenticator.Retry (401); } int sp = auth.indexOf (' '); @@ -71,7 +106,7 @@ return new Authenticator.Failure (401); } byte[] b = Base64.getDecoder().decode(auth.substring(sp+1)); - String userpass = new String (b); + String userpass = new String (b, charset); int colon = userpass.indexOf (':'); String uname = userpass.substring (0, colon); String pass = userpass.substring (colon+1); diff -r 2227a0cfd6b3 -r 78844dceede6 test/jdk/com/sun/net/httpserver/bugs/8199849/BasicAuthenticatorCharset.java --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/test/jdk/com/sun/net/httpserver/bugs/8199849/BasicAuthenticatorCharset.java Thu Aug 22 14:36:10 2019 +0100 @@ -0,0 +1,191 @@ +/* + * Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +/** + * @test + * @bug 8199849 + * @library /test/lib + * @run main/othervm/timeout=6000 BasicAuthenticatorCharset + * @summary Check for correct use of character sets with BasicAuthenticator() authentication + */ + +import com.sun.net.httpserver.*; +import jdk.test.lib.net.URIBuilder; + +import java.io.IOException; +import java.io.InputStream; +import java.net.*; + +import java.net.http.HttpClient; +import java.net.http.HttpRequest; +import java.net.http.HttpResponse; +import java.util.concurrent.ExecutorService; +import java.util.concurrent.Executors; +import java.nio.charset.Charset; + +import static java.nio.charset.StandardCharsets.UTF_8; +import static java.nio.charset.StandardCharsets.ISO_8859_1; + +/** + * Test authentication + */ + +public class BasicAuthenticatorCharset { + + public static volatile int failCount = 0; + + static final String TEST_USER = "test"; + static final String UNICODE_PW = "Selam D\u00fcnya. Ho\u015f\u00e7akal D\u00fcnya"; + + static Handler testHandler; + static HttpServer testHttpServer; + static java.net.Authenticator clientAuth; + static HttpClient client; + + static class Handler implements HttpHandler { + public void handle(HttpExchange t) throws IOException { + InputStream is = t.getRequestBody(); + while (is.read() != -1) ; + is.close(); + t.sendResponseHeaders(200, -1); + t.close(); + } + } + + static class ClientAuthenticator extends java.net.Authenticator { + public PasswordAuthentication getPasswordAuthentication() { + return new PasswordAuthentication(TEST_USER, UNICODE_PW.toCharArray()); + } + } + + static void setAuthenticationPW(String path, String realm, String testPW, Charset charset) { + HttpContext ctx = testHttpServer.createContext(path, testHandler); + BasicAuthenticator auth; + if (charset != null) { + auth = new BasicAuthenticator(realm, charset) { + public boolean checkCredentials(String username, String pw) { + return username.equals(TEST_USER) && pw.equals(testPW); + } + }; + } else { + auth = new BasicAuthenticator(realm) { + public boolean checkCredentials(String username, String pw) { + return username.equals(TEST_USER) && pw.equals(testPW); + } + }; + } + ctx.setAuthenticator(auth); + } + + static void connectAndAuth(String path, int expectedStatus) throws Exception { + // path is prepended with /old or /new for old and new http client + URL oldurl = URIBuilder.newBuilder() + .scheme("http") + .loopback() + .port(testHttpServer.getAddress().getPort()) + .path("/old" + path) + .toURL(); + + URI newuri = URIBuilder.newBuilder() + .scheme("http") + .loopback() + .port(testHttpServer.getAddress().getPort()) + .path("/new" + path) + .build(); + + // check old client + + HttpURLConnection testConnection = (HttpURLConnection) oldurl.openConnection(Proxy.NO_PROXY); + + // Check for successful authentication + int status = testConnection.getResponseCode(); + if (status != 401) { + InputStream is = testConnection.getInputStream(); + while (is.read() != -1) ; + is.close(); + } + if (status != expectedStatus) { + System.err.println("Error (old): " + path); + failCount++; + } + + HttpRequest request = HttpRequest.newBuilder() + .uri(newuri) + .GET() + .build(); + + status = -1; + try { + HttpResponse response = client.send(request, HttpResponse.BodyHandlers.discarding()); + status = response.statusCode(); + } catch (IOException e) { + System.out.println("NEW: " + e); + status = 401; // limitation in new API. + } + if (status != expectedStatus) { + System.err.println("Error (new): " + path); + failCount++; + } + } + + public static void main(String[] args) throws Exception { + clientAuth = new ClientAuthenticator(); + client = HttpClient.newBuilder() + .authenticator(clientAuth) + .build(); + + String defaultCharset = System.getProperty("file.encoding"); + boolean isUTF8 = defaultCharset.equalsIgnoreCase("UTF-8"); + testHandler = new Handler(); + InetSocketAddress addr = new InetSocketAddress(0); + testHttpServer = HttpServer.create(addr, 0); + + // Set the passing credentials OLD client + setAuthenticationPW("/old/test1/", "passingCharset@test.realm", UNICODE_PW, UTF_8); + setAuthenticationPW("/old/test2/", "failingCharset@test.realm", UNICODE_PW, ISO_8859_1); + setAuthenticationPW("/old/test3/", "defaultCharset@test.realm", UNICODE_PW, null); + + // Set the passing credentials NEW client + setAuthenticationPW("/new/test1/", "passingCharset@test.realm", UNICODE_PW, UTF_8); + setAuthenticationPW("/new/test2/", "failingCharset@test.realm", UNICODE_PW, ISO_8859_1); + setAuthenticationPW("/new/test3/", "defaultCharset@test.realm", UNICODE_PW, null); + + ExecutorService executor = Executors.newCachedThreadPool(); + testHttpServer.setExecutor(executor); + testHttpServer.start(); + java.net.Authenticator.setDefault(clientAuth); + + connectAndAuth("/test1/passingCharset.html", 200); + connectAndAuth("/test2/failingCharset.html", 401); + if (isUTF8) { + connectAndAuth("/test3/defaultCharset.html", 200); + } + + testHttpServer.stop(2); + executor.shutdown(); + + // should fail once with UNICODE_PW and unsupporting character set + if (failCount > 0) + throw new RuntimeException("Fail count : " + failCount); + } +} diff -r 2227a0cfd6b3 -r 78844dceede6 test/jdk/com/sun/net/httpserver/bugs/8199849/ParamTest.java --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/test/jdk/com/sun/net/httpserver/bugs/8199849/ParamTest.java Thu Aug 22 14:36:10 2019 +0100 @@ -0,0 +1,229 @@ +/* + * Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +import java.io.*; +import java.net.*; +import java.net.http.HttpClient; +import java.net.http.HttpRequest; +import java.net.http.HttpResponse; +import java.util.*; +import java.nio.charset.StandardCharsets; +import jdk.test.lib.net.URIBuilder; + +/** + * @test + * @bug 8199849 + * @summary + * @library /test/lib + * @run main/othervm ParamTest + * @run main/othervm -Djava.net.preferIPv6Addresses=true ParamTest + */ + +public class ParamTest { + + static final String[] variants = { + " charset=utf-8", + " charset=UtF-8", + " charset=\"utF-8\"", + " charset=\"UtF-8\"" + }; + + static final int LOOPS = variants.length; + + volatile static boolean error = false; + + static class BasicServer extends Thread { + + final ServerSocket server; + + Socket s; + InputStream is; + OutputStream os; + + static final String realm = "wallyworld"; + + String reply1 = "HTTP/1.1 401 Unauthorized\r\n"+ + "WWW-Authenticate: Basic realm=\""+realm+"\"\r\n"; + + String reply2 = "HTTP/1.1 200 OK\r\n"+ + "Date: Mon, 15 Jan 2001 12:18:21 GMT\r\n" + + "Server: Apache/1.3.14 (Unix)\r\n" + + "Connection: close\r\n" + + "Content-Type: text/html; charset=iso-8859-1\r\n" + + "Content-Length: 10\r\n\r\n"; + + BasicServer(ServerSocket s) { + server = s; + } + + String readHeaders(Socket sock) throws IOException { + InputStream is = sock.getInputStream(); + String s = ""; + byte[] buf = new byte[1024]; + while (!s.endsWith("\r\n\r\n")) { + int c = is.read(buf); + if (c == -1) + return s; + String f = new String(buf, 0, c, StandardCharsets.ISO_8859_1); + s = s + f; + } + return s; + } + + void check(String s, int iteration) { + if (s.indexOf(encodedAuthString) == -1) { + System.err.printf("On iteration %d, wrong auth string received %s\n", iteration, s); + error = true; + } else { + System.err.println("check: correct auth string received"); + } + } + + public void run() { + try { + for (int j = 0; j < 2; j++) + for (int i = 0; i < LOOPS; i++) { + System.out.println("Server 1: accept"); + s = server.accept(); + readHeaders(s); + System.out.println("accepted"); + os = s.getOutputStream(); + String str = reply1 + variants[i] + "\r\n\r\n"; + os.write(str.getBytes()); + + System.out.println("Server 2: accept"); + Socket s1 = server.accept(); + String request = readHeaders(s1); + check(request, i); + System.out.println("accepted"); + os = s1.getOutputStream(); + os.write((reply2 + "HelloWorld").getBytes()); + os.flush(); + s.close(); + s1.close(); + finished(); + } + } catch (Exception e) { + System.out.println(e); + error = true; + } + } + + public synchronized void finished() { + notifyAll(); + } + + } + + static final String password = "Selam D\u00fcnya."; + + // "user : " encoded in UTF-8 and converted to Base 64 + + static final String encodedAuthString = "dXNlcjpTZWxhbSBEw7xueWEu"; + + static class MyAuthenticator extends Authenticator { + MyAuthenticator() { + super(); + } + + public PasswordAuthentication getPasswordAuthentication() + { + System.out.println("Auth called"); + return (new PasswordAuthentication ("user", password.toCharArray())); + } + } + + + static void read(InputStream is) throws IOException { + int c; + System.out.println("reading"); + while ((c=is.read()) != -1) { + System.out.write(c); + } + System.out.println(""); + System.out.println("finished reading"); + } + + public static void main(String args[]) throws Exception { + MyAuthenticator auth = new MyAuthenticator(); + Authenticator.setDefault(auth); + InetAddress loopback = InetAddress.getLoopbackAddress(); + ServerSocket ss = new ServerSocket(); + ss.bind(new InetSocketAddress(loopback, 0)); + int port = ss.getLocalPort(); + BasicServer server = new BasicServer(ss); + synchronized (server) { + server.start(); + System.out.println("client 1"); + String base = URIBuilder.newBuilder() + .scheme("http") + .loopback() + .port(port) + .path("/") + .build() + .toString(); + URL url = new URL(base + "d1/d2/d3/foo.html"); + + for (int i = 0; i < LOOPS; i++) { + URLConnection urlc = url.openConnection(Proxy.NO_PROXY); + InputStream is = urlc.getInputStream(); + read(is); + System.out.println("Client: waiting for notify"); + server.wait(); + System.out.println("Client: continue"); + // check if authenticator was called once (ok) or twice (not) + if (error) { + System.err.println("Error old client iteration " + i); + } + } + + URI uri = url.toURI(); + HttpClient client = HttpClient.newBuilder() + .authenticator(auth) + .build(); + + HttpRequest request = HttpRequest + .newBuilder(uri) + .GET() + .build(); + + for (int i = 0; i < LOOPS; i++) { + HttpResponse response = client.send(request, HttpResponse.BodyHandlers.discarding()); + int status = response.statusCode(); + if (status != 200) { + System.err.printf("Error new client (%d) iteration ", + status, i); + error = true; + } else + System.err.println("New client ok iteration " + i); + System.out.println("New Client: waiting for notify"); + server.wait(); + System.out.println("New Client: continue"); + } + + if (error) { + throw new RuntimeException("Test failed"); + } + } + } +} diff -r 2227a0cfd6b3 -r 78844dceede6 test/jdk/com/sun/net/httpserver/bugs/8199849/TestHttpUnicode.java --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/test/jdk/com/sun/net/httpserver/bugs/8199849/TestHttpUnicode.java Thu Aug 22 14:36:10 2019 +0100 @@ -0,0 +1,100 @@ +/* + * Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +/** + * @test + * @bug 8199849 + * @library /test/lib + * @summary Checks that unicode bytes are being handled correctly + * @run main/othervm -Dfile.encoding=UTF_8 TestHttpUnicode + */ + +import com.sun.net.httpserver.*; +import jdk.test.lib.net.URIBuilder; + +import java.io.IOException; +import java.io.InputStream; +import java.net.*; + +public class TestHttpUnicode { + + private static final String TEST_USER = "Selam D\u00fcnya. Ho\u015f\u00e7akal D\u00fcnya"; + private static final String TEST_PW = "Selam D\u00fcnya. Ho\u015f\u00e7akal D\u00fcnya"; + + static class ClientAuthenticator extends java.net.Authenticator { + public PasswordAuthentication getPasswordAuthentication() { + return new PasswordAuthentication(TEST_USER, TEST_PW.toCharArray()); + } + } + + static class Handler implements HttpHandler { + public void handle(HttpExchange t) throws IOException { + InputStream is = t.getRequestBody(); + while (is.read() != -1) ; + is.close(); + + HttpPrincipal p = t.getPrincipal(); + if (p.getUsername().equals(TEST_USER)) { + t.sendResponseHeaders(200, -1); + } + t.close(); + } + } + + public static void main(String[] args) throws Exception { + HttpServer testHttpServer = null; + try { + InetSocketAddress loopbackAddress = new InetSocketAddress(InetAddress.getLoopbackAddress(), 0); + testHttpServer = HttpServer.create(loopbackAddress, 0); + HttpContext context = testHttpServer.createContext("/test", new Handler()); + System.setProperty("http.maxRedirects", "3"); + + BasicAuthenticator serverAuthenticator = new BasicAuthenticator("authCharacterSet@test.realm") { + public boolean checkCredentials(String username, String pw) { + return username.equals(TEST_USER) && pw.equals(TEST_PW); + } + }; + context.setAuthenticator(serverAuthenticator); + java.net.Authenticator.setDefault(new ClientAuthenticator()); + + testHttpServer.start(); + URL url = URIBuilder.newBuilder() + .scheme("http") + .loopback() + .port(testHttpServer.getAddress().getPort()) + .path("/test/authCharacterSet.html") + .toURL(); + HttpURLConnection testConnection = (HttpURLConnection) url.openConnection(Proxy.NO_PROXY); + + // Authenication CHECK + if (testConnection.getResponseCode() == 401) { + throw new RuntimeException("Test Authentication failed with HTTP Status 401."); + } + + InputStream is = testConnection.getInputStream(); + while (is.read() != -1) ; + } finally { + testHttpServer.stop(2); + } + } +}