Bug 54372 - Digest Authentication fails on Safari and IE8/9
Product: Tomcat 7
Classification: Unclassified
Component: Catalina
Hardware: Macintosh
OS: All
Importance: P2 normal
Assigned To: Tomcat Developers Mailing List
Reported: 2013-01-04 12:38 UTC by Johan Borchers
Modified: 2013-01-09 12:45 UTC

Log with Firefox Live HTTP Headers (6.66 KB, application/octet-stream)
2013-01-04 12:38 UTC, Johan Borchers

Description Johan Borchers 2013-01-04 12:38:53 UTC
Created attachment 29814
Log with Firefox Live HTTP Headers

Login with Safari on the Mac and on iOS with DIGEST authentication fails. With IE8/9 the login also fails.
With Firefox and Chrome, login works perfectly.

I stored the password in tomcat-users.xml as plain text.
Then I configured the realm as MD5 and stored the password as an MD5 hash of [user]:[realm]:[password].
Then too, Firefox and Chrome log in perfectly while Safari and IE8/9 fail.

I attached a log file of the headers from Firefox logging in successfully.


Johan Borchers
Comment 1 Johan Borchers 2013-01-04 14:05:07 UTC
Versions 7.0.30 and 7.0.32 are working fine with the same configuration.
Safari can login with DIGEST authentication.

Version 7.0.33 is not working anymore and has the same problem as described for version 7.0.34.
Comment 2 Mark Thomas 2013-01-04 16:09:19 UTC
The likely suspect is the new lightweight HTTP header parser that we switched to in 7.0.33. The question at the moment is whether it is the parser or the client that is non-spec compliant.
Comment 3 Mark Thomas 2013-01-04 16:36:36 UTC
IE8 is not compliant with RFC2617 so the authentication request is rejected. The browser is adding quotes to the qop field which is meant to be a token (and hence not quoted). Tomcat is rejecting this malformed request. You need to raise a bug with Microsoft to get that fixed.

I suspect IE9 has the same problem.

Safari is also adding quotes to the qop field. You'll need to raise a bug with Apple to get that fixed.

It seems the browser developers were confusing the server qop field (which is a quoted, comma separated list of tokens) with the browser qop field which is a token (i.e. not quoted).

Web servers are encouraged to be tolerant of misbehaving clients where they can. I'll see if there is a way this invalid header can be safely (since this is security related) parsed.
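To make the token-versus-quoted-string distinction from the comment above concrete, here is an added example (not Tomcat's header parser, and not code from this bug) of a small Authorization: Digest parser with a strict mode and a tolerant mode. The tolerant mode accepts a quoted qop only when the unquoted value is still a valid token, so leniency does not widen what the server will accept; the header values and the function names are constructed for the example.

```python
import re

# Client-side (Authorization) directives RFC 2617 defines as quoted-string ...
QUOTED = {"username", "realm", "nonce", "uri", "cnonce", "response", "opaque"}
# ... and the ones it defines as bare tokens (nc is 8 hex digits, also unquoted).
TOKEN = {"qop", "nc", "algorithm"}

# One  name=value  directive: value is either a quoted-string or a token,
# followed by a comma or the end of the header.
_DIRECTIVE = re.compile(
    r'\s*([A-Za-z0-9_-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^",\s]+))\s*(?:,|$)')
_TOKEN_CHARS = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def build_challenge(realm, nonce):
    """Server side: in WWW-Authenticate the qop-options list IS quoted."""
    return 'Digest realm="%s", nonce="%s", qop="auth,auth-int"' % (realm, nonce)


def parse_digest_authorization(header, tolerant=False):
    """Parse an Authorization: Digest header into {directive: value}.

    Returns None when the header is malformed.  tolerant=False enforces the
    RFC 2617 quoting rules exactly; tolerant=True additionally accepts a
    quoted qop/nc/algorithm (the Safari/IE behaviour) but only when the
    unquoted value is itself a valid token.
    """
    if not header.startswith("Digest "):
        return None
    body, fields, pos = header[len("Digest "):], {}, 0
    while pos < len(body):
        m = _DIRECTIVE.match(body, pos)
        if m is None:
            return None
        key, quoted = m.group(1).lower(), m.group(2) is not None
        value = re.sub(r"\\(.)", r"\1", m.group(2)) if quoted else m.group(3)
        if key in QUOTED and not quoted:
            return None
        if key in TOKEN and quoted and not (tolerant and _TOKEN_CHARS.match(value)):
            return None
        if key in fields:          # a repeated directive is ambiguous: reject
            return None
        fields[key] = value
        pos = m.end()
    required = {"username", "realm", "nonce", "uri", "response"}
    if "qop" in fields:            # with qop, cnonce and nc become mandatory
        required |= {"cnonce", "nc"}
    return fields if required.issubset(fields) else None


# Constructed sample of the header shape the bug describes: qop wrongly quoted.
SAFARI_STYLE = ('Digest username="tomcat", realm="Example", nonce="abc123", '
                'uri="/secure/", qop="auth", nc=00000001, cnonce="0a4f113b", '
                'response="0123456789abcdef0123456789abcdef"')
COMPLIANT = SAFARI_STYLE.replace('qop="auth"', 'qop=auth')
```

Run strictly, SAFARI_STYLE is rejected and COMPLIANT is accepted; with tolerant=True both parse with qop equal to auth, while a quoted value such as "auth, auth-int" is still refused.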
Comment 4 Johan Borchers 2013-01-07 12:10:13 UTC
Okay, thanks for clearing up the problem.
The problem is who is doing something to solve the problem. If I manage to report a bug to Apple or Microsoft, will it be fixed? And if so, in what time frame?
How can I see that Safari is sending back the qop value as a quoted string and not as a token?
I use Live HTTP Headers in Firefox, but for Safari?
Comment 5 Johan Borchers 2013-01-07 12:33:49 UTC
Reported the bug to Apple for Safari: Problem ID: 12964948
Comment 6 Konstantin Kolinko 2013-01-09 12:45:03 UTC
By the way, a workaround was implemented in r1429124.
It will be included in 7.0.35 onwards.