Kedar asked me to look into this.
Yes, it's a bug. I'll fix it ASAP.
FYI, the problem is that the HTTP Authorization header field includes data
that follows this syntax:
[code]
basic-credentials = base64-user-pass
base64-user-pass  = <base64 [4] encoding of user-pass,
                    except not limited to 76 char/line>
user-pass         = userid ":" password
userid            = *<TEXT excluding ":">
password          = *TEXT
[/code]
That is, the username may not include a colon, but the password may.
The code was using String.split(":") to separate the two fields. Oops.
[Message sent by forum member 'shannon' (bill.shannon_at_sun.com)]
http://forums.java.net/jive/thread.jspa?messageID=366101
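
The parsing difference described in the message above, as an added example that is not part of the original post and not the project's code: it decodes a Basic credential and separates userid from password both with `String.split(":")` and at the first colon only. The class and method names, the constructed sample credential, and the use of ISO-8859-1 and `java.util.Base64` (Java 8+) are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;

public class BasicAuthParse {   // hypothetical class, for illustration only

    /** Decode the base64-user-pass part of an Authorization header value. */
    static String decodeUserPass(String headerValue) {
        String prefix = "Basic ";
        if (!headerValue.regionMatches(true, 0, prefix, 0, prefix.length())) {
            throw new IllegalArgumentException("not a Basic credential");
        }
        byte[] raw = Base64.getDecoder()
                .decode(headerValue.substring(prefix.length()).trim());
        // Charset is an assumption; the grammar quoted in the post does not name one.
        return new String(raw, StandardCharsets.ISO_8859_1);
    }

    /** Buggy: split(":") cuts at every colon, so only the password text up to
     *  its first ':' survives; trailing empty fields are dropped as well. */
    static String[] parseWithSplit(String userPass) {
        String[] parts = userPass.split(":");
        return new String[] { parts[0], parts.length > 1 ? parts[1] : "" };
    }

    /** Follows the grammar: userid ends at the first ':', and everything
     *  after it, further colons included, is the password. */
    static String[] parseAtFirstColon(String userPass) {
        int i = userPass.indexOf(':');
        if (i < 0) {
            throw new IllegalArgumentException("user-pass has no ':' separator");
        }
        return new String[] { userPass.substring(0, i), userPass.substring(i + 1) };
    }

    public static void main(String[] args) {
        // Constructed sample: the password itself contains two colons.
        String header = "Basic " + Base64.getEncoder()
                .encodeToString("alice:s3:cr:et".getBytes(StandardCharsets.ISO_8859_1));
        String userPass = decodeUserPass(header);
        System.out.println("split(\":\")    -> " + Arrays.toString(parseWithSplit(userPass)));
        System.out.println("first colon   -> " + Arrays.toString(parseAtFirstColon(userPass)));
    }
}
```

`userPass.split(":", 2)` gives the same two fields as `parseAtFirstColon` when a colon is present, because the limit stops splitting after the first separator and keeps trailing text intact.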