SEC-2744: BasicAuthenticationFilter decodes the Passwords with UTF-8

[spring-projects-issues]

Rob Winch (Migrated from SEC-2744) said:

All browser encode the Password in BasicAuthentification in ISO-8859-1.

See: Stackoverflow Discussion http://stackoverflow.com/questions/7242316/what-encoding-should-i-use-for-http-basic-authentication

The BasisAuthentificationFilter explicitly decodes using UTF-8.

This broke Authentification with Umlauts in the password (example: passwordöäü) for me.

Further Analysis:
Chrome encodes the AuthentificationInfo with UTF-8
Firefox and IE use ISO8859-1

private String[] extractAndDecodeHeader(String header, HttpServletRequest request) throws IOException {

byte[] base64Token = header.substring(6).getBytes("UTF-8");

[Martin-Luft]

The bug is still present.
A password with umlauts works only in Chrome but not in Firefox or Internet Explorer.

But the problem is not byte[] base64Token = header.substring(6).getBytes("UTF-8"); because a Base64 token only contains encoding independent characters (you can use every encoding you want).

The problem is another and results in a draft:
https://tools.ietf.org/id/draft-reschke-basicauth-enc-00.html

So the solution should be:

On the other hand, the strategy below may already improve the user-visible behavior today:

In the first authentication request, choose the character encoding based on the user's credentials: if they do not need any characters outside the ISO-8859-1 character set, default to ISO-8859-1, otherwise use UTF-8.
If the first attempt failed and the encoding used was ISO-8859-1, retry once with UTF-8 encoding instead.

I created a PR:
#3966

[Martin-Luft]

@jgrandja can you close this issue please?

[jgrandja]

@Martin-Wegner For sure.

[jgrandja]

A solution to this Issue can be found here