Safari Java plugin Basic authentication

Number: rdar://9976744
Date Originated: 2011-08-18
Status: Open
Resolved:
Product: Safari
Product Version: 5.1 (7534.48.3)
Classification: Crash/Hang/Data Loss
Reproducible: Always

With: Safari 5.1 on Mac OS X Lion (10.7) and Java plugin 1.6.0_26

When a Java applet connects with Class to an authenticated URL using Basic authentication, the Java applet builds the HTTP header "Authorization Basic base64string" wrongly.

Steps to Reproduce:

0. The Java applet connects to an authorized URL with Basic authentication
1. Safari shows the Safari window and asks for the user password
2. The Java plugin writes the standard HTTP header "Authorization"
3. The Java plugin builds the user:password and transforms it into a base64 string
4. The Java plugin sets the header value: "Basic " + the base64 string
5. The Java plugin sends the HTTP request content to the HTTP server
6. The Server replies with HTTP status 401 Unauthorized

Expected Results:

HTTP Header "Authorization" value = "Basic " + base64.encode(username + ":" + password)

Actual Results:

HTTP Header "Authorization" value = "Basic " + base64.encode(username + "randomcharacters:randomcharacters" + password + "randomcharacters")

Regression: YES


This bug is not present if we use Google Chrome, which prompts with the regular username/password Java applet plugin window.

01-Oct-2011 12:41 AM Pierrick:
I created a very simple example to show the bug:

You will find a file attached.

It contains:
 - Apache config for my user: pik
 - applet.html
 - applet.jar (with source)
 - crash log from the Java console
 - htpasswd, where the user is abcd1234 and the password is 111111

I noticed the problem happened only with a username composed of 4 letters and 4 digits.

1. Extract the zip into your ~/Sites
2. Configure your apache2 with the same config as in apache2.conf.txt
3. Run Safari to your http://localhost/~<username>/secure
4. Safari will prompt a username/password window
5. Enter user: abcd1234, password: 111111 and save the password into your keychain
6. Click on applet.html
7. Open the Java console to see the problem (it happens almost every time)

I used WebScarab to intercept each request sent from the Java plugin to http://localhost:80/~<username>/secure/applet.jar to download the jar file, and I can see that the username/password base64 string sent to the server is wrong.
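
A check for the interception described above, as an added example that is not part of the original report or its attachment: it decodes a captured "Authorization" value and compares it with the expected username:password from Expected Results. The function names, result fields and the corrupted sample (placeholder junk XXXX, YYYY, ZZZZ) are constructed for illustration; the credentials are the test pair from the report.

```python
import base64
import binascii


def make_header(payload: bytes) -> str:
    """Build a Basic Authorization header value from raw credential bytes."""
    return "Basic " + base64.b64encode(payload).decode("ascii")


def diagnose_basic_auth(header_value, expected_user, expected_password):
    """Compare a captured Authorization value with the credentials that were typed."""
    scheme, _, token = header_value.strip().partition(" ")
    token = token.strip()
    if scheme.lower() != "basic" or not token:
        return {"status": "not-basic"}
    try:
        # validate=True rejects characters outside the base64 alphabet
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return {"status": "bad-base64"}
    exp_user = expected_user.encode("utf-8")
    exp_pass = expected_password.encode("utf-8")
    expected = exp_user + b":" + exp_pass
    if raw == expected:
        return {"status": "ok"}
    # The user-id ends at the first colon; a password may itself contain colons.
    user, sep, password = raw.partition(b":")
    prefix_ok = user.startswith(exp_user)
    return {
        "status": "corrupted" if sep else "no-colon",
        "decoded": raw.decode("latin-1"),  # latin-1 never fails on junk bytes
        "extra_bytes": len(raw) - len(expected),
        "user_prefix_ok": prefix_ok,
        "junk_after_user": len(user) - len(exp_user) if prefix_ok else None,
        "password_in_tail": exp_pass in password,
    }


# Constructed samples: the test credentials from the report, then the same pair
# with placeholder junk (XXXX, YYYY, ZZZZ) in the positions "Actual Results" names.
GOOD = make_header(b"abcd1234:111111")
BAD = make_header(b"abcd1234XXXX:YYYY111111ZZZZ")

if __name__ == "__main__":
    for name, value in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, value, diagnose_basic_auth(value, "abcd1234", "111111"))
```

Run it against header values copied from a proxy capture to see whether the typed credentials survive intact inside the decoded string and how many extra bytes were added.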

18-Oct-2011 09:18 AM Pierrick Terrettaz:

Do you have any news about this issue?

We have encountered this problem since our clients upgraded their Mac OS X to Lion.

Please contact me for any information.


19-Oct-2011 11:20 AM Pierrick Terrettaz:
It seems the problem happened because of a bug when Safari follows redirection pages. Information can be found here:

20-Oct-2011 11:50 AM Pierrick Terrettaz:

I updated to the new version of Mac OS X, 10.7.2, and the problem is still present.

Have you tried this example and got the error too?

Do you have any information about this issue?



28-Oct-2011 08:13 AM Pierrick Terrettaz:

I tried the nightly build r97664 of WebKit and the problem is still present.

Do you have some information about this?

Best regards


Comments

Server redirected too many times (20)

Here is the kind of exception we get when the password is stored in the keychain:

Caused by: Server redirected too many times (20) at at
