Jetty

Digest Authentication not correctly implemented

Details

  • Type: Bug Bug
  • Status: Resolved Resolved
  • Priority: Minor Minor
  • Resolution: Fixed
  • Affects Version/s: 6.1.9
  • Fix Version/s: 7.0.0pre2, 6.1.11
  • Component/s: Security and SSL
  • Labels:
    None
  • Environment:
    Windows XP, java version "1.5.0_12",
  • Number of attachments :
    0

Description

when starting jetty with one socketconnector, and adding a securityhandler with digest authentication, jetty incorrectly sends the challenge to clients.

the challenge sent is
WWW-Authenticate: Digest realm="SPE-Provisioning", domain="null", nonce="LK7vNhoBAADScmkDWPhaRt6HJF3mmCOl", algorithm=MD5, qop="auth"

the domain should contain the uri sent by the client, not null

in file org.mortbay.jetty.security.DigestAuthenticator.java, line 149
public void sendChallenge(UserRealm realm,
Request request,
Response response,
boolean stale)
throws IOException

{ String contextPath=request.getContextPath(); response.setHeader(HttpHeaders.WWW_AUTHENTICATE, "Digest realm=\""+realm.getName()+ "\", domain=\""+contextPath + "\", nonce=\""+newNonce(request)+ "\", algorithm=MD5, qop=\"auth\"" + (useStale?(" stale="+stale):"") ); response.sendError(HttpServletResponse.SC_UNAUTHORIZED); }

request.getContextPath() returns null, replacing it with request.getPathInfo() solves the problem

Activity

Hide
Permalink
Greg Wilkins added a comment -

I think the domain should be the context path rather than the full URI.

So the bug is that for the root context, getContextPath returns null. I have committed a patch that now handles the root context and
sets the domain to "/"

Show
Greg Wilkins added a comment - I think the domain should be the context path rather than the full URI. So the bug is that for the root context, getContextPath returns null. I have committed a patch that now handles the root context and sets the domain to "/"

People

  • Assignee:
    Unassigned
    Reporter:
    Renzo
Vote (0)
Watch (0)

Dates

  • Created:
    Updated:
    Resolved: