Safari Java plugin Basic authentication

Originator: pierrick
Number: rdar://9976744
Date Originated: 2011-08-18
Status: Open
Resolved:
Product: Safari
Product Version: 5.1 (7534.48.3)
Classification: Crash/Hang/Data Loss
Reproducible: Always
 
Summary:

With: Safari 5.1 on Mac OS X Lion (10.7) and Java plugin 1.6.0_26

When a Java applet connects with the java.net.URLConnection class on an authenticated URL with Basic authentication, the Java applet builds the HTTP header "Authorization Basic base64string" wrongly.

Steps to Reproduce:

0. The Java applet connects to an authorized URL with Basic authentication
1. Safari prompts the Safari window and asks for the user password
2. The Java plugin writes the standard HTTP header "Authorization"
3. The Java plugin builds the user:password and transforms it into a base64 string
4. The Java plugin sets the header value: "Basic " + the base64 string
5. The Java plugin sends the HTTP request content to the HTTP server
6. The Server replies with HTTP status 401 Unauthorized

Expected Results:

HTTP Header "Authorization" value = "Basic " + base64.encode(username + ":" + password)

Actual Results:

HTTP Header "Authorization" value = "Basic " + base64.encode(username + "randomcharacters:randomcharacters" + password + "randomcharacters")

Regression: YES

Note:

This bug is not present if we use Google Chrome, which prompts with the regular Username Password Java Applet Plugin window.

01-Oct-2011 12:41 AM Pierrick:
I created a very simple example to show the bug:

You will find a secure.zip file attached.
http://www.pterrettaz.ch/stream/secure.zip/?attachment


It contains:
 - apache config for my user: pik
 - applet.html
 - applet.jar (with source)
 - crash log from java console
 - htpasswd where the user is abcd1234 and the password is 111111

I noticed the problem happened only with a username composed of 4 letters and 4 digits.

1. Extract the zip into your ~/Sites
2. Configure your apache2 with the same config in apache2.conf.txt
3. Run Safari and go to http://localhost/~<username>/secure
4. Safari will prompt with a username/password window
5. Enter user: abcd1234, password: 111111 and save the password into your keychain
6. Click on applet.html
7. Open the Java console to see the problem (it happens almost every time)

I used WebScarab to intercept each request sent from the Java plugin to http://localhost:80/~<username>/secure/applet.jar to download the jar file, and I can see that the username/password base64 string sent to the server is wrong.
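
A way to check a captured Authorization value against the Expected Results formula above, as an added example that is not part of the original report or the attached applet.jar. It assumes Java 8 or later for java.util.Base64; the class name and the filler characters in the sample capture are made up for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

// Added diagnostic, not code from the report's applet.jar. Needs Java 8+ (java.util.Base64).
public class BasicAuthHeaderCheck {

    // Expected Results formula: "Basic " + base64(username + ":" + password)
    static String expectedHeader(String user, String password) {
        byte[] raw = (user + ":" + password).getBytes(StandardCharsets.UTF_8);
        return "Basic " + Base64.getEncoder().encodeToString(raw);
    }

    // Decodes a captured Authorization value and reports how it differs from
    // the expected credentials. Only lengths are reported, never the secrets.
    static String diagnose(String captured, String user, String password) {
        String[] parts = captured.trim().split("\\s+", 2);
        if (parts.length != 2 || !parts[0].equalsIgnoreCase("Basic")) {
            return "not a Basic credential";
        }
        String decoded;
        try {
            decoded = new String(Base64.getDecoder().decode(parts[1].trim()), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return "token is not valid base64";
        }
        if (decoded.equals(user + ":" + password)) {
            return "OK";
        }
        int colon = decoded.indexOf(':'); // the user-id ends at the first colon
        if (colon < 0) {
            return "MISMATCH: decoded value has no ':' separator";
        }
        String gotUser = decoded.substring(0, colon);
        String gotPass = decoded.substring(colon + 1);
        return "MISMATCH: user-id " + gotUser.length() + " chars (expected " + user.length()
                + ", starts with expected: " + gotUser.startsWith(user) + "), password part "
                + gotPass.length() + " chars (expected " + password.length()
                + ", contains expected: " + gotPass.contains(password) + ")";
    }

    public static void main(String[] args) {
        String user = "abcd1234", password = "111111"; // test account from the report
        // Constructed capture: XX, YY and ZZ stand in for the stray characters.
        String bad = "Basic " + Base64.getEncoder().encodeToString(
                (user + "XX:YY" + password + "ZZ").getBytes(StandardCharsets.UTF_8));
        System.out.println(diagnose(expectedHeader(user, password), user, password));
        System.out.println(diagnose(bad, user, password));
    }
}
```

Passing the header value copied from the intercepting proxy to diagnose() shows whether the extra characters landed in the user-id, the password, or both, without writing the decoded credentials to a log.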


18-Oct-2011 09:18 AM Pierrick Terrettaz:
Hi,

Do you have any news about this issue?

We have encountered this problem since our clients upgraded their Mac OS X to Lion.

Please contact me for any information.

Regards

19-Oct-2011 11:20 AM Pierrick Terrettaz:
It seems the problem happened because of a bug when Safari follows redirection pages. Information can be found here: https://discussions.apple.com/message/15971301

20-Oct-2011 11:50 AM Pierrick Terrettaz:
Hi,

I updated to the new version of Mac OS X, 10.7.2, and the problem is still present.

Have you tried this example and got the error too?

Do you have any information about this issue?

Regards

Pierrick

28-Oct-2011 08:13 AM Pierrick Terrettaz:
Hi,

I tried the nightly build r97664 of WebKit and the problem is still present.

Do you have some information about this?

Best regards

Pierrick

Comments

java.net.ProtocolException: Server redirected too many times (20)

Here is the kind of exception we get when the password is stored in the keychain:

Caused by: java.net.ProtocolException: Server redirected too many times (20)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1446)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:234)

