[SERVER-5890] HTTP Digest authentication doesn't work with Internet Explorer

Created: 21/May/12, Updated: 11/Jul/16, Resolved: 20/Aug/12

| Field | Value |
|---|---|
| Status | Closed |
| Project | Core Server |
| Component/s | HTTP Console |
| Affects Version/s | 2.0.7, 2.2.0-rc1 |
| Fix Version/s | 2.2.1, 2.3.0 |
| Type | Bug |
| Priority | Major - P3 |
| Reporter | Eliot Horowitz (Inactive) |
| Assignee | Tad Marshall |
| Resolution | Done |
| Votes | 0 |
| Labels | None |
| Remaining Estimate | Not Specified |
| Time Spent | Not Specified |
| Original Estimate | Not Specified |
| Environment | Any server platform, web client is Internet Explorer (tested with IE 9) |
| Attachments | |
| Backwards Compatibility | Fully Compatible |
| Operating System | ALL |
| Participants | |

Description

When the MongoDB web interface is running on a server and authentication is enabled, clients connecting over the network (i.e. not from localhost) are unable to authenticate with the HTTP interface if their client web browser is Internet Explorer.
Comments

Comment by auto [ 12/Sep/12 ]

Author: Tad Marshall <tad@10gen.com>, 2012-08-20T05:21:59-07:00
Message: Change the regular expression used to parse the Digest line sent in the
Comment by Tad Marshall [ 20/Aug/12 ]

Fixed in master.
Comment by auto [ 20/Aug/12 ]

Author: Tad Marshall <tad@10gen.com>, 2012-08-20T05:21:59-07:00
Message: Change the regular expression used to parse the Digest line sent in the
Comment by Tad Marshall [ 20/Aug/12 ]

The Digest line in the HTTP GET headers for Digest authentication sent by Internet Explorer does not contain a space after the comma separating components. Firefox and Chrome mostly follow a comma with a space, except after "qop=auth". The regular expression used by MongoDB requires the space. This makes the entire string following "username" be treated as the username for Internet Explorer. Tested with username="root", password="password":

Chrome:

Firefox:

Internet Explorer 9:

Richard, I suspect that you were fooled by word wrap in your editor. There is no line break in the line sent by Internet Explorer.
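As an added illustration (not code from the ticket or from mongod), the following puts a space-dependent split that reproduces the symptom described above next to a whitespace-tolerant auth-param parser; the header values are constructed to mimic the spacing differences, not captured from the browsers.

```python
import re

# Constructed sample Authorization values (not captured from the browsers);
# they mimic the spacing the ticket describes: Chrome/Firefox put a space
# after each comma except after qop=auth, Internet Explorer puts none.
CHROME_STYLE = ('Digest username="root", realm="mongo", nonce="n1", uri="/", '
                'qop=auth,nc=00000001, cnonce="c1", response="r1"')
IE_STYLE = ('Digest username="root",realm="mongo",nonce="n1",uri="/",'
            'qop="auth",nc=00000001,cnonce="c1",response="r1"')
# Folded form (CRLF then a tab after "Digest"), as in iereq2.txt.
FOLDED_STYLE = 'Digest\r\n\t' + IE_STYLE[len('Digest '):]

# auth-param: name "=" ( quoted-string | token ), comma-separated, with any
# amount of whitespace (including none) around the separators.
_PARAM = re.compile(r'\s*([A-Za-z0-9_.-]+)\s*=\s*'
                    r'(?:"((?:[^"\\]|\\.)*)"|([^\s",]+))'
                    r'\s*(?:,|$)')

def strict_parse(value):
    """Space-dependent split modelled on the symptom in the ticket: parameters
    are assumed to be separated by a comma AND a space, so a header without
    the space leaves everything after 'username=' as the username value."""
    out = {}
    for part in value[len('Digest '):].split(', '):
        key, _, val = part.partition('=')
        out[key] = val.strip('"')
    return out

def unfold(header_value):
    """Join obs-fold continuation lines (CRLF followed by SP/HT) with a space."""
    return re.sub(r'\r?\n[ \t]+', ' ', header_value)

def parse_digest(value):
    """Whitespace-tolerant parse of a Digest credentials value.
    Returns a dict keyed by lower-cased parameter name, or None if malformed."""
    value = unfold(value)
    m = re.match(r'Digest\s+', value)
    if not m:
        return None
    pos, out = m.end(), {}
    while pos < len(value):
        pm = _PARAM.match(value, pos)
        if not pm:
            return None  # junk between parameters: reject rather than guess
        key, quoted, token = pm.groups()
        out[key.lower()] = quoted.replace('\\"', '"') if quoted is not None else token
        pos = pm.end()
    return out
```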
Comment by Richard Kreuter (Inactive) [ 16/Aug/12 ]

iereq2.txt – headers that differ only from req.txt in that there's a newline and a horizontal tab after the token "Digest" in the "Authorization" header. I think these ought to be conforming HTTP headers, but mongod doesn't like them.
Comment by Richard Kreuter (Inactive) [ 16/Aug/12 ]

Saw this problem appear with users running IE7 and IE9. It was not possible to get their IE HTTP headers verbatim, but the only interesting difference between Firefox headers and IE headers was a newline in the Authorization header. By inspection, taking the headers my Firefox produces and inserting a newline after the "Digest" token suffices to cause authentication to fail.

As it happens, the IE-like header text does not conform to RFC 1945 section 4.2, inasmuch as the line beginning with "username" is not indented in the manner that a continuation line should. http://www.freesoft.org/CIE/RFC/1945/23.htm In any case, mongod's webserver doesn't handle conforming headers that employ the indentation-as-continuation syntax. (Will attach another set of headers that I think are conforming but that mongod doesn't parse properly.)

During these tests, the admin username was "foo", with password "bar". The offending code is the implementation of mongo::MiniWebServer::MiniWebServer:getHeader() in util/net/miniwebserver.cpp.
Comment by Richard Kreuter (Inactive) [ 16/Aug/12 ]

req.txt – HTTP headers as produced by a recent (ca. Aug 16, 2012) Firefox.

iereq.txt – HTTP headers mangled from the Firefox headers by inserting a newline after the "Digest" token in the "Authorization" header. By inspection, this is the only interesting difference between Firefox headers and IE headers.