| Summary: | Allowing for broken android HTTP DIGEST support | | |
|---|---|---|---|
| Product: | Tomcat 7 | Reporter: | Neale Rudd <neale> |
| Component: | Catalina | Assignee: | Tomcat Developers Mailing List <dev> |
| Status: | RESOLVED FIXED | | |
| Severity: | enhancement | | |
| Priority: | P2 | | |
| Version: | trunk | | |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | All | | |

Description
Neale Rudd
2012-03-21 06:53:16 UTC
(In reply to comment #0)

The specs do indicate that servers should be tolerant where they can, but this is a security feature so we need to be careful.

1. I'd be happy relaxing the limit on the length of the nonce count to between 6 and 8 inclusive.

2. Regarding the request-uri, my reading of the specs is that it should match what is in the request line, so if Android is using an absolute uri in the request line then we should certainly accept it. If it isn't, then as long as the host header matches then it is equivalent, so at the moment I don't see any reason not to allow it.

Fixed in trunk and 7.0.x and will be included in 7.0.28 onwards.

For the record, Android <= 2.3.5 is broken, >= 4.0.3 is fixed. I didn't dig through the source to find out exactly where this was fixed.
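
The two relaxations discussed in the comment above, sketched as a server-side check. This is an added example, not Tomcat's code and not part of the original comment; the function names, the `example.test` host and the sample values are constructed, and it assumes the tolerated case is a digest `uri` given as an absolute URI while the request line carries only the path.

```python
import re
from urllib.parse import urlsplit

# RFC 2617 writes nc as 8 hex digits; the relaxed rule accepts 6 to 8.
NC_RE = re.compile(r"[0-9a-fA-F]{6,8}")
DEFAULT_PORT = {"http": ":80", "https": ":443"}


def parse_nc(nc):
    """Return the nonce count as an int, or None if it is malformed."""
    if not NC_RE.fullmatch(nc):
        return None
    return int(nc, 16)


def _authority(scheme, hostport):
    """Lower-case host[:port] with the scheme's default port removed."""
    hostport = hostport.lower()
    default = DEFAULT_PORT.get(scheme, "")
    if default and hostport.endswith(default):
        hostport = hostport[: -len(default)]
    return hostport


def uri_matches(digest_uri, request_target, host_header, scheme="http"):
    """True if the digest 'uri' names the resource actually requested.

    The digest response hashes the 'uri' value, so skipping this check
    would let a captured Authorization header be accepted for a different
    resource. Only one mismatch is tolerated: an absolute digest uri whose
    authority equals the Host header and whose path and query equal the
    request target.
    """
    if digest_uri == request_target:
        return True
    parts = urlsplit(digest_uri)
    if parts.scheme != scheme or not parts.netloc:
        return False
    if _authority(scheme, parts.netloc) != _authority(scheme, host_header):
        return False
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    return target == request_target
```

Anything that is not an exact match or the single tolerated form is rejected, including an absolute `uri` that carries userinfo or a non-default port the Host header does not have.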