dev@grizzly.java.net

Re: Fwd: Re: url with password

From: Oleksiy Stashok <oleksiy.stashok_at_oracle.com>
Date: Mon, 11 Jul 2011 16:36:26 +0200

On 07/11/2011 04:18 PM, Justin Lee wrote:
> It's an interesting question. I know I've seen it in all kinds of
> contexts. Even, e.g., the ssh urls used for git. Is this something
> we should consider for 2.x at some point?
For ssh (and probably git) it's normal, because the payload is getting
encrypted, but for plain HTTP it is not.
We can add support for user:password on the HttpCodec level. Let's say there
will be some allowURLAuth flag, and if it's true we normally parse the
URI and keep its initial form (as we do now) along with user:password,
so if somebody needs user:password, he has to extract it from the request
URI himself.

Alexey.

>
> -------- Original Message --------
> Subject: Re: url with password
> Date: Mon, 11 Jul 2011 10:21:06 +0200
> From: Benoit DECHERF <bdecherf_at_gmail.com>
> Reply-To: users_at_grizzly.java.net
> To: users_at_grizzly.java.net
>
>
>
> Sure, this is not safe :)
>
> But it is used in several contexts, like in my case the couchdb
> replication: http://wiki.apache.org/couchdb/Replication#Run_Replication
> You are right that this type of url is incorrect.
> (http://www.ietf.org/rfc/rfc1738.txt explicitly says: No user
> name or password is allowed.)
>
> Anyway, I found a workaround for my case, but I thought that grizzly
> should support this.
>
> Thanks for your response,
> Benoit
>
>
> 2011/7/11 Oleksiy Stashok <oleksiy.stashok_at_oracle.com
> <mailto:oleksiy.stashok_at_oracle.com>>
>
> Hi Benoit,
>
> According to the spec [1], an HTTP URL is defined as
> http_URL = "http:" "//" host [ ":" port ] [ abs_path [ "?" query ]]
>
> and anyway IMO it's not safe to pass password as part of URL.
>
> You might want to use basic or digest authentication [2].
>
> Thanks.
>
> WBR,
> Alexey.
>
> [1] http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.2.2
> [2] http://www.ietf.org/rfc/rfc2617.txt
>
>
> On 07/10/2011 02:21 PM, Benoit DECHERF wrote:
>
> Hi,
>
> I think there is a bug in the ProcessorTask class:
> A URL with a password like http://user:password@host:port/
> cannot be parsed correctly.
> Is there a workaround? I can't find a bug for this. Should I
> create one, or can it be a configuration error in my code?
>
> Benoit
>
>
>
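The extraction step Alexey proposes (the application pulls user:password out of the request URI itself) and the "not safe" point raised in the thread, as an added Java example that is not Grizzly code: `UrlUserInfo`, `extract` and `redact` are hypothetical names, and the sample URL is constructed.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;

// Added example, not Grizzly code. Extracts user:password from a URI that
// still carries its original form (the proposed allowURLAuth behaviour) and
// produces a copy with the credentials removed, so the URI can be logged
// without writing the password to disk.
public final class UrlUserInfo {

    /** Result of parsing the userinfo part; password is null when absent. */
    public record Credentials(String user, String password) {}

    /** Hypothetical helper: returns null when the URI carries no userinfo. */
    public static Credentials extract(String url) throws URISyntaxException {
        String info = new URI(url).getRawUserInfo();  // e.g. "user:p%40ss" or null
        if (info == null) return null;
        // RFC 3986: the first ':' separates user from password; later ':'
        // characters belong to the password.
        int colon = info.indexOf(':');
        String user = colon < 0 ? info : info.substring(0, colon);
        String pw = colon < 0 ? null : info.substring(colon + 1);
        return new Credentials(decode(user), pw == null ? null : decode(pw));
    }

    /** Hypothetical helper: same URI with the userinfo masked, safe to log. */
    public static String redact(String url) throws URISyntaxException {
        URI u = new URI(url);
        if (u.getRawUserInfo() == null) return url;
        return new URI(u.getScheme(), "***", u.getHost(), u.getPort(),
                       u.getPath(), u.getQuery(), u.getFragment()).toString();
    }

    // Percent-decode one userinfo component. URLDecoder treats '+' as a
    // space, which is wrong for userinfo, so a literal '+' is preserved.
    private static String decode(String s) {
        return URLDecoder.decode(s.replace("+", "%2B"), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws URISyntaxException {
        // Constructed sample in the CouchDB replication style from the thread.
        String url = "http://replicator:s%40cret@couch.example:5984/db/_replicate?x=1";
        Credentials c = extract(url);
        System.out.println("user=" + c.user() + " password-length=" + c.password().length());
        System.out.println("log-safe form: " + redact(url));
    }
}
```

Run the log-safe form through any access or debug logging; the decoded credentials should only ever reach the authentication code.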