Created attachment 29814: Log with Firefox Live HTTP Headers

Login with Safari on the Mac and on iOS with DIGEST authentication fails. Also with IE8/9 the login fails. With Firefox and Chrome login works perfectly. I stored the password in tomcat-users.xml as plain text. Then I configured the realm as MD5 and stored the password as an MD5 hash of [user]:[realm]:[password]. Also then Firefox and Chrome login perfectly and Safari and IE8/9 are failing. I attached a log file of the headers with Firefox succeeding to login. Thanks, Johan Borchers
Version 7.0.30 and 7.0.32 are working fine with the same configuration. Safari can login with DIGEST authentication. Version 7.0.33 is not working anymore and has the same problem as described for version 7.0.34.
The likely suspect is the new lightweight HTTP header parser that we switched to in 7.0.33. The question at the moment is whether it is the parser or the client that is non-spec compliant.
IE8 is not compliant with RFC2617 so the authentication request is rejected. The browser is adding quotes to the qop field which is meant to be a token (and hence not quoted). Tomcat is rejecting this malformed request. You need to raise a bug with Microsoft to get that fixed. I suspect IE9 has the same problem. Safari is also adding quotes to the qop field. You'll need to raise a bug with Apple to get that fixed. It seems the browser developers were confusing the server qop field (which is a quoted, comma separated list of tokens) with the browser qop field which is a token (i.e. not quoted). Web servers are encouraged to be tolerant of misbehaving clients where they can. I'll see if there is a way this invalid header can be safely (since this is security related) parsed.
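To show what "tolerant where safe" means for the quoted-qop case above, here is an added example in Python (not Tomcat's code, and not what r1429124 does): the parser records whether each value was quoted, accepts a quoted qop only if its content is still a single token the server offered, and then verifies the response against an HA1 stored as MD5(user:realm:password). The user, realm, nonce and URI values in the test are constructed.

```python
import hashlib
import hmac
import re

# RFC 2617 token characters (no quotes, commas or whitespace), and one
# name=value parameter whose value is either a quoted-string or a bare run
TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
PARAM = re.compile(r'\s*([A-Za-z0-9_\-]+)\s*=\s*("(?:[^"\\]|\\.)*"|[^",]*)\s*(?:,|$)')


def md5_hex(text):
    return hashlib.md5(text.encode('utf-8')).hexdigest()


def parse_digest(header):
    """Parse 'Digest k=v, k="v", ...' into {name: (value, was_quoted)}."""
    scheme, _, rest = header.strip().partition(' ')
    if scheme.lower() != 'digest':
        raise ValueError('not a Digest credential')
    fields, pos = {}, 0
    while pos < len(rest):
        m = PARAM.match(rest, pos)
        if not m:
            raise ValueError('malformed parameter at offset %d' % pos)
        raw = m.group(2).strip()
        quoted = raw.startswith('"')
        value = re.sub(r'\\(.)', r'\1', raw[1:-1]) if quoted else raw
        fields[m.group(1).lower()] = (value, quoted)
        pos = m.end()
    return fields


def client_qop(fields, offered=('auth', 'auth-int')):
    """RFC 2617 makes the client's qop a bare token; IE8/9 and Safari send
    qop="auth". Tolerate the quotes only while the content is still exactly
    one token the server offered, so qop="auth, auth-int" is still rejected."""
    if 'qop' not in fields:
        return None  # RFC 2069-style request without qop
    value = fields['qop'][0]
    if not TOKEN.match(value) or value not in offered:
        raise ValueError('invalid qop %r' % value)
    return value


def verify_response(fields, method, ha1, body=b''):
    """ha1 = MD5(user:realm:password), the digested form kept in tomcat-users.xml."""
    qop = client_qop(fields)
    f = lambda name: fields[name][0]
    ha2_src = '%s:%s' % (method, f('uri'))
    if qop == 'auth-int':
        ha2_src += ':' + hashlib.md5(body).hexdigest()
    ha2 = md5_hex(ha2_src)
    parts = [ha1, f('nonce'), ha2] if qop is None else [ha1, f('nonce'), f('nc'), f('cnonce'), qop, ha2]
    return hmac.compare_digest(md5_hex(':'.join(parts)), f('response').lower())
```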
Okay, thanks for clearing up the problem. The problem is who is doing something to solve the problem. If I manage to report a bug to Apple or Microsoft will it be fixed? And if so, in what time frame? How can I see that Safari is sending back the qop value as a quoted string and not as a token? I do use Live HTTP Headers in Firefox, but Safari?
Reported the bug to Apple for Safari: Problem ID: 12964948
By the way, a workaround was implemented in r1429124. It will be included in 7.0.35 onwards.