JDK-4615330 : REGRESSION: error in URLConnection.setRequestProperty with Base64 encoded str
  • Type: Bug
  • Component: core-libs
  • Sub-Component: java.net
  • Affected Version: 1.4.0
  • Priority: P4
  • Status: Closed
  • Resolution: Not an Issue
  • OS: windows_2000
  • CPU: x86
  • Submitted: 2001-12-18
  • Updated: 2001-12-24
  • Resolved: 2001-12-24
Description

Name: nt126004			Date: 12/18/2001


FULL PRODUCT VERSION :
java version "1.3.1_01"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.3.1_01)
Java HotSpot(TM) Client VM (build 1.3.1_01, mixed mode)

java version "1.4.0-beta3"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.0-beta3-b84)
Java HotSpot(TM) Client VM (build 1.4.0-beta3-b84, mixed mode)

FULL OPERATING SYSTEM VERSION : 
Microsoft Windows 2000 [Version 5.00.2195]

A DESCRIPTION OF THE PROBLEM :
Passing a Base64Encoded string to method setRequestProperty
of the URLConnection class causes the following error to be
thrown:

java.lang.IllegalArgumentException: Illegal character(s) in
message header value: Basic bGF3c29uOmxhd3Nvbg=="

This negates the ability to retrieve data from an http url
that requires basic authentication.

It looks like this is the result of the fix for bug 4459903


STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
1. Compile code listed below
2. run program
3. view error output

EXPECTED VERSUS ACTUAL BEHAVIOR :
The program should simply return the Yahoo home page (the
web server will ignore the "Authorization" header).  The
call to Yahoo is never completed, the error listed below is
thrown.

ERROR MESSAGES/STACK TRACES THAT OCCUR :
java.lang.IllegalArgumentException: Illegal character(s) in
message header value: Basic bGF3c29uOmxhd3Nvbg=="

This bug can be reproduced always.

---------- BEGIN SOURCE ----------
import java.io.*;
import java.net.*;
import java.text.*;
import java.util.*;

// Base 64 Coders
import sun.misc.BASE64Decoder;
import sun.misc.BASE64Encoder;

class setHeaderTest
{
	public static void main(String args[])
		throws Exception
	{
		System.out.println(setHeaderTest.FetchURL("http://www.yahoo.com","user","password"));
	}

	public static String FetchURL (String urlString,String uid,String pw)
		throws java.io.IOException,  java.net.MalformedURLException
	{
		String outStr = new String();
		URL url = new URL (urlString);

		String User = uid+":"+pw;
		BASE64Encoder encoder = new BASE64Encoder();
		String encoding = new String(encoder.encodeBuffer(User.getBytes()));
		URLConnection uc = url.openConnection();
		uc.setRequestProperty("Authorization", "Basic " + encoding);

		InputStream content = (InputStream) uc.getContent();
		BufferedReader in = new BufferedReader (new InputStreamReader (content));
		String line;
		while ((line = in.readLine()) != null) {
			outStr += line;
		}

		return outStr;
	}

}
---------- END SOURCE ----------

CUSTOMER WORKAROUND :
There is no work around for this issue outside of writing a
custom socket solution.

Release Regression From : 1.3
The above release value was the last known release where this 
bug was known to work. Since then there has been a regression.

(Review ID: 137400) 
======================================================================

Comments
WORK AROUND

1. Instead of using BASE64Encoder.encodeBuffer() which will add a '\n' at the end of the encoded output, use BASE64Encoder.encode(); or
2. Modify the test to something like the following:

import java.io.*;
import java.net.*;
import java.text.*;
import java.util.*;

class setHeaderTest
{
	public static void main(String args[])
		throws Exception
	{
		System.out.println(new setHeaderTest().FetchURL("http://www.yahoo.com"));
	}

	public String FetchURL (String urlString)
		throws java.io.IOException, java.net.MalformedURLException
	{
		Authenticator.setDefault(new MyAuthenticator ());
		String outStr = new String();
		URL url = new URL (urlString);
		URLConnection uc = url.openConnection();
		InputStream content = (InputStream) uc.getContent();
		BufferedReader in = new BufferedReader (new InputStreamReader (content));
		String line;
		while ((line = in.readLine()) != null) {
			outStr += line;
		}
		return outStr;
	}

	class MyAuthenticator extends Authenticator
	{
		MyAuthenticator ()
		{
			super ();
		}

		public PasswordAuthentication getPasswordAuthentication ()
		{
			return (new PasswordAuthentication ("user", "password".toCharArray()));
		}
	}
}
11-06-2004

EVALUATION

This regression was introduced as a result of fixing bug 4447135. The fix would disallow '\n' inside the key or consecutive '\n's inside the value of http headers. Please see 'Work Around' for viable workaround.
###@###.### 2001-12-20

According to RFC 2616, CRLF is not allowed in http header names; consecutive CRLFs are not allowed in http header values. So the customer's program needs to be changed as recommended in the 'Work Around...'. I will close this bug as 'not a bug'.
###@###.### 2001-12-24
24-12-2001
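
The check described in the work around and evaluation above, as an added example (not code from the original report or from the JDK team): it builds a Basic Authorization value without a line terminator and shows setRequestProperty accepting that value while rejecting the same value with a trailing '\n'. Assumptions: java.util.Base64 (Java 8+) stands in for sun.misc.BASE64Encoder, and the class name, helper names, host and credentials are constructed for illustration.

```java
import java.net.URI;
import java.net.URLConnection;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class BasicAuthHeaderCheck {

    // Build "Basic <base64(user:password)>" with no line terminator.
    // Assumption: java.util.Base64 replaces sun.misc.BASE64Encoder here;
    // getEncoder() never emits line breaks, unlike getMimeEncoder().
    static String basicAuthValue(String user, String password) {
        byte[] raw = (user + ":" + password).getBytes(StandardCharsets.UTF_8);
        return "Basic " + Base64.getEncoder().encodeToString(raw);
    }

    // Defensive check before handing any value to setRequestProperty:
    // reject CR or LF anywhere so a value can never start a new header line.
    static boolean hasLineBreak(String value) {
        return value.indexOf('\r') >= 0 || value.indexOf('\n') >= 0;
    }

    // Returns true if URLConnection accepts the value, false if it rejects it.
    // openConnection() only creates the object; no network traffic occurs.
    static boolean accepted(String value) throws Exception {
        // Constructed placeholder host; it is never resolved or contacted.
        URLConnection uc = URI.create("http://example.invalid/").toURL().openConnection();
        try {
            uc.setRequestProperty("Authorization", value);
            return true;
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage().trim());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        String good = basicAuthValue("user", "password"); // constructed sample credentials
        String bad = good + "\n"; // trailing '\n', as the work around says encodeBuffer() adds

        System.out.println("clean value has line break:   " + hasLineBreak(good));
        System.out.println("clean value accepted:         " + accepted(good));
        System.out.println("newline value has line break: " + hasLineBreak(bad));
        System.out.println("newline value accepted:       " + accepted(bad));
    }
}
```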