On 19/01/18 10:21, Norbert Harrer wrote:
> On 19.01.2018 09:10, Mark Thomas wrote:
>> On 18/01/18 21:04, Norbert Harrer wrote:
>>> Hi.
>>>
>>> Which character encoding of user / password for the Basic Authentication
>>> Header is tomcat accepting?
>>>
>>> A pretty simple question, but I didn't find a clear answer after
>>> googling for quite a while.
>>>
>>> I know that there is no clear definition what should be used. For
>>> example browsers do it differently.
>>>
>>> An example:
>>>
>>> User: test
>>> Password: 123ö (German umlaut o with two dots at the end)
>>>
>>> Firefox sends ISO-8859-1:
>>> Authorization: Basic dGVzdDoxMjP2
>>>
>>> Chrome sends UTF-8:
>>> Authorization: Basic dGVzdDoxMjPDtg==
>>>
>>> After trying it, it seems tomcat accepts ISO-8859-1. Can this be
>>> configured?
>> To a limited extent. See the following:
>>
>> https://bz.apache.org/bugzilla/show_bug.cgi?id=61280
>> http://tomcat.markmail.org/thread/wotey6yz64obije7
>> http://tomcat.apache.org/tomcat-9.0-doc/config/valve.html#Basic_Authenticator_Valve/Attributes
>>
>>
>> ...
>
> Thanks Mark.
>
> So if I understood the documents (and after studying
> BasicAuthenticator.java in Tomcat 7 and 8) it is as follows:
>
> Tomcat 7 uses ISO-8859-1 hardcoded
> Tomcat 8 implements RFC 7617, in which the server can ask the client to
> send the credential in UTF-8. This must be enabled via the Basic
> Authenticator Valve. Otherwise ISO-8859-1 is used.

Not quite. All currently supported versions implement RFC 7617. (You
might want to check if the fix has made it into the latest release of
each. If it hasn't, releases for all versions should be out in the next
week or so.)

> I wonder why Chrome is blindly sending UTF-8 instead of respecting RFC
> 7617. None of the browsers I tested respected the RFC.

Based on past experience, that doesn't surprise me.

Mark
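Added example, not part of the thread and not Tomcat's code: it decodes the two Authorization values quoted above under each server-side charset, showing why a mismatch either fails to decode or yields a different password string, and builds the RFC 7617 challenge that asks for UTF-8. The function names and the realm are hypothetical.

```python
import base64

# Header values quoted in the thread for user "test", password "123ö".
FIREFOX_HEADER = "Basic dGVzdDoxMjP2"      # ISO-8859-1 bytes
CHROME_HEADER = "Basic dGVzdDoxMjPDtg=="   # UTF-8 bytes


def challenge(realm, utf8=False):
    """Build a WWW-Authenticate value; RFC 7617 defines charset="UTF-8" only."""
    value = 'Basic realm="%s"' % realm.replace("\\", "\\\\").replace('"', '\\"')
    return value + ', charset="UTF-8"' if utf8 else value


def parse_basic(header, charset):
    """Return (user, password) decoded with the server's charset, or None.

    None means the header is malformed or its bytes are not valid in
    `charset`; the caller should answer 401 rather than guess.
    """
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
        text = raw.decode(charset)  # strict: no silent replacement characters
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    user, sep, password = text.partition(":")  # the password may contain ':'
    return (user, password) if sep else None


def decode_matrix(header):
    """Show what each server-side charset makes of one client header."""
    return {cs: parse_basic(header, cs) for cs in ("ISO-8859-1", "UTF-8")}


if __name__ == "__main__":
    # "Constructed Realm" is a made-up realm name for the demonstration.
    print(challenge("Constructed Realm", utf8=True))
    for name, hdr in (("Firefox", FIREFOX_HEADER), ("Chrome", CHROME_HEADER)):
        print(name, decode_matrix(hdr))
```

The ISO-8859-1 decode of the UTF-8 header succeeds but produces a two-character tail in place of "ö", so the credential comparison fails without any decoding error being logged.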