Bug ID: JDK-4678055 Basic Authentication fails with multiple realms

Details
Type: Bug
Submit Date: 2002-05-01
Status: Resolved
Updated Date: 2002-10-11
Project Name: JDK
Resolved Date: 2002-10-11
Component: core-libs
OS: solaris_8,windows_2000
Sub-Component: java.net
CPU: x86,generic
Priority: P3
Resolution: Fixed
Affected Versions: 1.4.1
Fixed Versions: 1.4.2 (mantis)

Description
Basic Authentication fails with multiple realms.
I set up two realms on an Apache server. Both realms have different user databases. When I set Authenticator.setDefault() to one realm's user and then try to access the resource existing in the second realm through HttpURLConnection, it throws the following exception.

java.lang.IndexOutOfBoundsException: Index: 0, Size: 0
        at java.util.LinkedList.entry(LinkedList.java:356)
        at java.util.LinkedList.get(LinkedList.java:299)
        at sun.net.www.protocol.http.PathMap.get(AuthenticationInfo.java:375)
        at sun.net.www.protocol.http.AuthenticationInfo.getAuth(AuthenticationInfo.java:181)
        at sun.net.www.protocol.http.AuthenticationInfo.getServerAuth(AuthenticationInfo.java:171)
        at sun.net.www.protocol.http.HttpURLConnection.getServerAuthentication(HttpURLConnection.java:951)
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:611)
        at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:238)
        at BasicAuthTestCase.main(BasicAuthTestCase.java:34)


How to reproduce it:
====================
1. Take the attached BasicAuthTestCase.java
2. Set up two realms on Apache (or maybe any other server). Both will have two different user lists.

For example, I have:
realm -> AuthCheck/ -> It has a list of users 
realm -> NoAuth/  -> It has a list of users

3. Execute the attached code

Output:
------
java BasicAuthTestCase
Response url1: 401    ---> Accessed before setting Authenticator.setDefault()
npath = /AuthCheck/
opath = /AuthCheck/
second Response url1: 200 --> After setting user info
java.lang.IndexOutOfBoundsException: Index: 0, Size: 0 --> {Tried to access second realm }
        at java.util.LinkedList.entry(LinkedList.java:356)
        at java.util.LinkedList.get(LinkedList.java:299)
        at sun.net.www.protocol.http.PathMap.get(AuthenticationInfo.java:375)
        at sun.net.www.protocol.http.AuthenticationInfo.getAuth(AuthenticationInfo.java:181)
        at sun.net.www.protocol.http.AuthenticationInfo.getServerAuth(AuthenticationInfo.java:171)
        at sun.net.www.protocol.http.HttpURLConnection.getServerAuthentication(HttpURLConnection.java:951)
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:611)
        at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:238)
        at BasicAuthTestCase.main(BasicAuthTestCase.java:34)



                                    

Comments
EVALUATION

This only happens when the two realms have the same "realm string" so
to speak, which would be unusual in practice, but it does
expose an erroneous assumption in the source code, which causes
the crash.

The solution is simply to check for an empty linked list
and return null.

AuthenticationInfo.java:
370c370
<       if (list == null) {
---
>       if (list == null || list.size() == 0) {
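
Review bot: the added list.size() == 0 test at line 370 stops the crash, but nothing in this hunk shows how an empty list comes to be stored for a key in the first place; the stack trace has PathMap.get calling LinkedList.get on a list with Size: 0. If entries can be removed from a list after it is stored, it is worth checking whether that path should also drop the key once the list is empty, so the lookup never sees this state, and keeping this guard as a second line of defence.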

###@###.### 2002-05-02
                                     
2002-05-02
SUGGESTED FIX

!sccsdiff -e ../../src/share/classes/sun/net/www/protocol/http/AuthenticationInfo.java
1.24
404 lines
2c2
<  * @(#)AuthenticationInfo.java        1.24 02/04/15
---
>  * %W% %E%
27c27
<  * @version 1.24, 04/15/02 
---
>  * @version %I%, %G% 
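
Review bot: the 2c2 and 27c27 hunks only replace the expanded SCCS keywords (@(#)AuthenticationInfo.java 1.24 02/04/15 and @version 1.24, 04/15/02) with %W% %E% and %I%, %G%, which looks like keyword-expansion noise from diffing against an editable copy. They carry no code change and should be left out of the suggested fix so that 370c370 is the only hunk under review.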
370c370
<       if (list == null) {
---
>       if (list == null || list.size() == 0) {
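
Review bot: at line 370, list.size() == 0 reads more clearly as list.isEmpty(), which states the intent of the guard directly. Since the regression test mentioned with this fix is not integrated yet, the change should go in together with a test that sets up two protected paths sharing one realm string, the case the evaluation identifies, and asserts that the second request no longer throws IndexOutOfBoundsException.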

New regression test is in test/java/net/Authenticator/BasicTest5.java
(not integrated yet).
                                     
2004-06-11
CONVERTED DATA

BugTraq+ Release Management Values

COMMIT TO FIX:
mantis

FIXED IN:
mantis

INTEGRATED IN:
mantis
mantis-b04


                                     
2004-06-14


