JDK-7130840 : not re-challenged when mis-enter the credentials if you select "Save this password in your password"
  • Type: Bug
  • Component: deploy
  • Sub-Component: deployment_toolkit
  • Affected Version: 7u2
  • Priority: P2
  • Status: Closed
  • Resolution: Fixed
  • OS: windows_xp
  • CPU: x86
  • Submitted: 2012-01-17
  • Updated: 2013-12-09
  • Resolved: 2012-09-19
Fixed in:
  • JDK 7: 7u10 (Fixed)
  • JDK 8: 8 b57 (Fixed)
Description
Normally, if you are challenged for HTTP basic authentication and mis-enter the credentials, you are re-challenged. I recently discovered that, at least in Java 7 Update 2 and Java 6 Update 30, this is not the case if you select the "Save this password in your password list" checkbox.

I would not expect this checkbox to prevent the user from being re-challenged if the credentials are not accepted.  Certainly browsers don't behave that way for a similar checkbox.

Overall this causes confusion when deeper exceptions occur due to the failure of the credentials rather than the user simply being re-prompted for these credentials.


Note that 'http://jessh0l.ptcnet.ptc.com/PDMLinkX22/servlet/WindchillAuthGW/wt.httpgw.HTTPAuthentication/login' requires HTTP basic authentication.  I chose a URL not ending in a file extension as I know that for some (inexplicable) reason this particular Java Plug-In code has been influenced by this -- and this URL is actually the one our applet is having issues with.

The applet is a very rudimentary 100% x 100% applet.  Clicking on it will cause an attempt to open a URL connection and get the result status.

If one enters the correct credentials, a 200 response is returned -- no surprise.

If one enters incorrect credentials but leaves the "Save this password in your password list" checkbox unchecked, then you are immediately reprompted for the correct credentials.  As long as you eventually enter the correct credential, a 200 response is returned.

If one enters incorrect credentials *and* checks the "Save this password in your password list" checkbox, then the user is not prompted for the correct credentials and a 401 response is immediately returned.  Subsequent attempts with the same applet in this or other browser sessions also do not prompt for correct credentials and result in immediate 401 responses.  Removing the auth.dat file (or logging out at the OS level) resolves the issue.

The expected behavior is that the credentials are only saved *if* they were correct.  Otherwise one should instead be re-prompted for correct credentials.

Comments
verified with jre8 b117
09-12-2013

Need to add a step to javaws manual tests to track this issue in future, test bug filed https://jbs.oracle.com/bugs/browse/INTJDK-7600556
13-11-2012

EVALUATION a simpler solution is to count the number of times the same site is asked for credentials in a row. The networking code will recall the authenticator twenty times if it is returning incorrect credentials. After some number of such calls, we can assume the credentials were incorrect. Would be easier if we could just get that fact from the networking code - have asked net team to advise.
06-09-2012

EVALUATION could solve this by only saving the credentials in a hash map when user selects save, then not really saving them till the connection succeeds - but seems like a kluge - asking networking team for advice on best approach.
30-08-2012
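
The two ideas in the evaluation comments (hold "save" credentials in a map until the connection succeeds, and treat a repeated challenge for the same site as a rejection) can be combined as below. This is an added example, not the Java Plug-In's code or the fix that shipped; `DeferredSaveDemo`, `Prompt`, `onChallenge`, `onSuccess`, the sample URL and the passwords are assumptions made for illustration.

```java
import java.net.PasswordAuthentication;
import java.util.*;

// Added illustration: all names here are hypothetical, not the Java Plug-In's classes.
public class DeferredSaveDemo {
    interface Prompt { PasswordAuthentication ask(boolean[] saveOut); }

    // Stands in for the persistent password list (auth.dat in the report).
    static final Map<String, PasswordAuthentication> saved = new HashMap<>();
    // Entered with the save box ticked, but not yet accepted by the server.
    static final Map<String, PasswordAuthentication> pending = new HashMap<>();
    // Sites we have already answered since their last successful response.
    static final Set<String> offered = new HashSet<>();

    // Called each time the networking layer asks for credentials for a site.
    static PasswordAuthentication onChallenge(String site, Prompt ui) {
        if (offered.contains(site)) {   // challenged again: the last answer was rejected
            pending.remove(site);       // never persist it
            saved.remove(site);         // and evict a stale saved entry
        }
        offered.add(site);
        PasswordAuthentication c = saved.get(site);
        if (c == null) {                // nothing trusted on file: re-prompt the user
            boolean[] save = new boolean[1];
            c = ui.ask(save);
            if (save[0]) pending.put(site, c);
        }
        return c;
    }

    // Called once the request finally succeeds: only now is the password persisted.
    static void onSuccess(String site) {
        PasswordAuthentication c = pending.remove(site);
        if (c != null) saved.put(site, c);
        offered.remove(site);
    }

    public static void main(String[] args) {
        String site = "https://app.example/login";                      // constructed sample URL
        Iterator<String> typed = List.of("wrong", "secret").iterator(); // constructed user input
        Prompt ui = save -> {
            save[0] = true;                                             // user ticks the save box
            return new PasswordAuthentication("alice", typed.next().toCharArray());
        };
        for (int attempt = 1; ; attempt++) {
            PasswordAuthentication c = onChallenge(site, ui);
            boolean ok = Arrays.equals(c.getPassword(), "secret".toCharArray()); // stand-in server
            System.out.println("attempt " + attempt + ": " + (ok ? 200 : 401));
            if (ok) { onSuccess(site); break; }
        }
        System.out.println("saved after success: " + saved.containsKey(site));
    }
}
```

Because a rejected entry is evicted from `saved` as well as `pending`, a wrong password persisted by an earlier session is also cleared on the next challenge instead of requiring the store to be deleted by hand.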