Prevent possible disclosure of host name or IP address via the HTTP WWW-Authenticate header when using BASIC or DIGEST authentication.
git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@936539 13f79535-47bb-0310-9956-ffa450edef68
protected static final String AUTH_HEADER_NAME = "WWW-Authenticate";
/**
+ * Default authentication realm name.
+ */
+ protected static final String REALM_NAME = "Authentication required";
+
+ /**
* The message digest algorithm to be used when generating session
* identifiers. This must be an algorithm supported by the
* <code>java.security.MessageDigest</code> class on your platform.
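Review bot: The javadoc on the new `REALM_NAME` constant should record why this default exists, since "Default authentication realm name." loses the security motivation given in the commit message: the fixed value replaces the earlier `serverName:serverPort` fallback so that the `WWW-Authenticate` header no longer discloses the host name and port. A comment along the lines of `Default realm name used when no realm-name is configured; a fixed value avoids exposing the host name or port in the WWW-Authenticate header.` would preserve that intent for later maintainers. Naming the constant `DEFAULT_REALM_NAME` would also make clear that it is only a fallback and not the realm actually in effect.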
StringBuilder value = new StringBuilder(16);
value.append("Basic realm=\"");
if (config.getRealmName() == null) {
- value.append(request.getServerName());
- value.append(':');
- value.append(Integer.toString(request.getServerPort()));
+ value.append(REALM_NAME);
} else {
value.append(config.getRealmName());
}
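Review bot: The `config.getRealmName() == null` check only covers a missing realm, so an empty `<realm-name/>` still produces `Basic realm=""`, and neither branch escapes a double quote inside the configured realm name before it is placed between the quotes, which would yield a malformed header. Consider treating an empty realm name like a missing one (falling back to `REALM_NAME`) and rejecting or escaping `"` in the configured value. Minor sizing nit: `new StringBuilder(16)` is now always smaller than the header being built, since `Basic realm="Authentication required"` alone is well over 16 characters; the builder grows, so this is cosmetic.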
// Get the realm name
String realmName = config.getRealmName();
if (realmName == null)
- realmName = request.getServerName() + ":"
- + request.getServerPort();
+ realmName = REALM_NAME;
byte[] buffer = null;
synchronized (md5Helper) {
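Review bot: The new fallback in `if (realmName == null) realmName = REALM_NAME;` changes the realm that feeds the digest (`username:realm:password`), so any stored digests generated under the previous `host:port` default will stop validating once this is deployed; that compatibility impact deserves a changelog entry telling administrators to regenerate digested passwords or to set an explicit `<realm-name>` equal to the old value. Style: the braceless `if` should get braces, matching the `if { } else { }` form used in the Basic authenticator change.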
<code>{cleartext-password}</code> must be replaced with
<code>{username}:{realm}:{cleartext-password}</code>. For example, in a
development environment this might take the form
- <code>testUser:localhost:8080:testPassword</code>.</p>
+ <code>testUser:Authentication required:testPassword</code>. The value for
+ <code>{realm}</code> is taken from the <code><realm-name></code>
+ element of the web application's <code><login-config></code>. If
+ not specified in web.xml, the default value of <code>Authentication
+ required</code> is used.</p>
<p>To use either of the above techniques, the
<code>$CATALINA_HOME/lib/catalina.jar</code> and
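Review bot: The documentation change should state explicitly that the previous default realm (`host:port`, as in the removed `testUser:localhost:8080:testPassword` example) no longer applies, so digested passwords created with it must be regenerated, or that value must be configured in `<realm-name>` to keep them valid. Also check the markup: if this is the XML source, the literal angle brackets in `<code><realm-name></code>` and `<code><login-config></code>` need to be written as `&lt;realm-name&gt;` and `&lt;login-config&gt;`, or the document will not be well-formed.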