dev@grizzly.java.net

Fwd: Re: url with password

From: Justin Lee <justin.d.lee_at_oracle.com>
Date: Mon, 11 Jul 2011 10:18:14 -0400

It's an interesting question. I know I've seen it in all kinds of
contexts. Even, e.g., the ssh URLs used for git. Is this something we
should consider for 2.x at some point?

-------- Original Message --------
Subject: Re: url with password
Date: Mon, 11 Jul 2011 10:21:06 +0200
From: Benoit DECHERF <bdecherf_at_gmail.com>
Reply-To: users_at_grizzly.java.net
To: users_at_grizzly.java.net



Sure, this is not safe :)

But it is used in several contexts, like in my case the couchdb
replication: http://wiki.apache.org/couchdb/Replication#Run_Replication
You are right that this type of URL is incorrect.
(http://www.ietf.org/rfc/rfc1738.txt explicitly says: No user name or
password is allowed)

Anyway, I found a workaround for my case, but I thought that grizzly
should support this.

Thanks for your response,
Benoit


2011/7/11 Oleksiy Stashok <oleksiy.stashok_at_oracle.com>

    Hi Benoit,

    According to the spec [1], an HTTP URL is defined as
    http_URL = "http:" "//" host [ ":" port ] [ abs_path [ "?" query ]]

    and anyway IMO it's not safe to pass a password as part of a URL.

    You might want to use basic or digest authentication [2].

    Thanks.

    WBR,
    Alexey.

    [1] http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.2.2
    [2] http://www.ietf.org/rfc/rfc2617.txt


    On 07/10/2011 02:21 PM, Benoit DECHERF wrote:

        Hi,

        I think there is a bug in the ProcessorTask class:
        A URL with a password like http://user:password@host:port/
        cannot be parsed correctly.
        Is there a workaround? I can't find a bug for this. Should I
        create one or can it be a configuration error in my code?

        Benoit
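
Added example, not part of the thread and not Grizzly code: one way a client can follow the advice above, taking a URL of the `http://user:password@host:port/` form, stripping the credentials out of it and carrying them in an `Authorization: Basic` header (RFC 2617) instead. The class name, method names and sample URL are constructed for illustration.

```java
import java.net.URI;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

// Hypothetical helper class; requires Java 10+ for URLDecoder.decode(String, Charset).
public class UserInfoToBasicAuth {

    /** Percent-decode one userinfo part; '+' is a literal here, not a space. */
    static String decode(String raw) {
        return URLDecoder.decode(raw.replace("+", "%2B"), StandardCharsets.UTF_8);
    }

    /**
     * Returns { urlWithoutCredentials, authorizationHeaderValue }.
     * The second element is null when the URL carries no userinfo.
     */
    static String[] split(String url) {
        URI uri = URI.create(url);
        if (uri.getScheme() == null || uri.getHost() == null) {
            throw new IllegalArgumentException("not an absolute URL with a parsable host");
        }
        // Rebuild from the raw components so existing escapes are not re-encoded.
        StringBuilder clean = new StringBuilder(uri.getScheme()).append("://").append(uri.getHost());
        if (uri.getPort() != -1) clean.append(':').append(uri.getPort());
        if (uri.getRawPath() != null) clean.append(uri.getRawPath());
        if (uri.getRawQuery() != null) clean.append('?').append(uri.getRawQuery());

        String info = uri.getRawUserInfo();
        if (info == null) return new String[] { clean.toString(), null };

        // Split on the first ':' only: a password may itself contain ':'.
        int colon = info.indexOf(':');
        String user = decode(colon < 0 ? info : info.substring(0, colon));
        String pass = colon < 0 ? "" : decode(info.substring(colon + 1));
        if (user.indexOf(':') >= 0) {
            // In Basic credentials ':' delimits the password, so the user id cannot contain it.
            throw new IllegalArgumentException("user name contains ':'");
        }
        String token = Base64.getEncoder()
                .encodeToString((user + ":" + pass).getBytes(StandardCharsets.UTF_8));
        return new String[] { clean.toString(), "Basic " + token };
    }

    public static void main(String[] args) {
        // Constructed sample URL in the shape quoted in the thread.
        String[] r = split("http://user:p%40ss@db.example.org:5984/_replicate");
        System.out.println("request URL:   " + r[0]);
        System.out.println("Authorization: " + r[1]);
    }
}
```

The Basic token is only Base64-encoded, so the header protects the password from URL logging and history but still needs TLS on the wire.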