[SERVER-5890] HTTP Digest authentication doesn't work with Internet Explorer Created: 21/May/12  Updated: 11/Jul/16  Resolved: 20/Aug/12

Status: Closed
Project: Core Server
Component/s: HTTP Console
Affects Version/s: 2.0.7, 2.2.0-rc1
Fix Version/s: 2.2.1, 2.3.0

Type: Bug Priority: Major - P3
Reporter: Eliot Horowitz (Inactive) Assignee: Tad Marshall
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

Any server platform, web client is Internet Explorer (tested with IE 9)


Attachments: iereq.txt (text file), iereq2.txt (text file), req.txt (text file)
Backwards Compatibility: Fully Compatible
Operating System: ALL
Participants:

Description

When the MongoDB web interface is running on a server and authentication is enabled, clients connecting over the network (i.e. not from localhost) are unable to authenticate with the HTTP interface if their client web browser is Internet Explorer.



Comments
Comment by auto [ 12/Sep/12 ]

Author: Tad Marshall <tad@10gen.com> (2012-08-20T05:21:59-07:00)

Message: SERVER-5890 do not require space after comma in Digest HTTP header

Change the regular expression used to parse the Digest line sent in the
HTTP GET headers for authentication so that whitespace following a comma
is optional (and can be other than a single space if it appears).
Branch: v2.2
https://github.com/mongodb/mongo/commit/d56d8026ba24983ec907dc6b804ade59b4738ac2

Comment by Tad Marshall [ 20/Aug/12 ]

Fixed in master.

Comment by auto [ 20/Aug/12 ]

Author: Tad Marshall <tad@10gen.com> (2012-08-20T05:21:59-07:00)

Message: SERVER-5890 do not require space after comma in Digest HTTP header

Change the regular expression used to parse the Digest line sent in the
HTTP GET headers for authentication so that whitespace following a comma
is optional (and can be other than a single space if it appears).
Branch: master
https://github.com/mongodb/mongo/commit/d388ca17b0413f7d8d7431e4673de7e6b6eaf444

Comment by Tad Marshall [ 20/Aug/12 ]

The Digest line in the HTTP GET headers for Digest authentication sent by Internet Explorer does not contain a space after the comma separating components. Firefox and Chrome mostly follow a comma with a space, except after "qop=auth". The regular expression used by MongoDB requires the space. This makes the entire string following "username" be treated as the username for Internet Explorer.

Tested with username="root", password="password":

Chrome:

Digest username="root", realm="mongo", nonce="abc", uri="/", algorithm=MD5, response="8aab0c6c3009710e7616877af9befad3", qop=auth,nc=00000001, cnonce="fe4c9936c14a0c1e"

Firefox:

Digest username="root", realm="mongo", nonce="abc", uri="/", algorithm=MD5, response="d8c92f504a6a1d6117068d005f4b86c9", qop=auth,nc=00000001, cnonce="72c992c11b4e452a"

Internet Explorer 9:

Digest username="root",realm="mongo",nonce="abc",uri="/",cnonce="31ce3f19b342bf42113d88384ba4b075",nc=00000001,algorithm=MD5,response="bbc113a3a705391060006d2a73249fb2",qop="auth"

Richard, I suspect that you were fooled by word wrap in your editor. There is no line break in the line sent by Internet Explorer.

Comment by Richard Kreuter (Inactive) [ 16/Aug/12 ]

iereq2.txt – headers that differ only from req.txt in that there's a newline and a horizontal tab after the token "Digest" in the "Authorization" header. I think these ought to be conforming HTTP headers, but mongod doesn't like them.

Comment by Richard Kreuter (Inactive) [ 16/Aug/12 ]

Saw this problem appear with users running IE7 and IE9. It was not possible to get their IE HTTP headers verbatim, but the only interesting difference between Firefox headers and IE headers was a newline in the Authorization header.

By inspection, taking the headers my Firefox produces and inserting a newline after the "Digest" token suffices to cause authentication to fail. As it happens, the IE-like header text does not conform to RFC 1945 section 4.2, inasmuch as the line beginning with "username" is not indented in the manner that a continuation line should.

http://www.freesoft.org/CIE/RFC/1945/23.htm

In any case, mongod's webserver doesn't handle conforming headers that employ the indentation-as-continuation syntax. (Will attach another set of headers that I think are conforming but that mongod doesn't parse properly.)

During these tests, the admin username was "foo", with password "bar".

The offending code is the implementation of mongo::MiniWebServer::MiniWebServer:getHeader() in util/net/miniwebserver.cpp.
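An added example, not code from the ticket or from mongod: a Python parser for the Digest Authorization header that accepts both comma styles quoted above (comma followed by optional whitespace, as the fix allows) and also unfolds the RFC 1945 section 4.2 continuation syntax discussed here, next to a simplified stand-in for the pre-fix behaviour that requires a comma followed by a space. The sample header values are constructed from the browser lines in this ticket; parse_strict illustrates the failure mode and is not mongod's actual regular expression.

```python
import re

# Constructed sample Authorization header values, modelled on the browser
# lines quoted in this ticket (Chrome/Firefox style vs. IE 9 style).
CHROME = ('Digest username="root", realm="mongo", nonce="abc", uri="/", '
          'algorithm=MD5, response="8aab0c6c3009710e7616877af9befad3", '
          'qop=auth,nc=00000001, cnonce="fe4c9936c14a0c1e"')
IE9 = ('Digest username="root",realm="mongo",nonce="abc",uri="/",'
       'cnonce="31ce3f19b342bf42113d88384ba4b075",nc=00000001,algorithm=MD5,'
       'response="bbc113a3a705391060006d2a73249fb2",qop="auth"')
# Folded form: CRLF followed by HT is linear whitespace (RFC 1945 section 4.2).
FOLDED = 'Digest\r\n\tusername="foo", realm="mongo", nonce="abc", uri="/"'


def parse_strict(header):
    """Simplified stand-in for the pre-fix behaviour (not mongod's regex):
    parameters must be separated by a comma AND a space, so IE's comma-only
    line collapses into a single 'username' token."""
    _, _, rest = header.partition(" ")
    params = {}
    for part in rest.split(", "):
        key, _, val = part.partition("=")
        params[key.strip()] = val.strip('"')
    return params


def unfold(header):
    """Join continuation lines (line break followed by SP/HT) into one line."""
    return re.sub(r"\r?\n[ \t]+", " ", header)


# One parameter: key '=' quoted-or-bare value, then optional whitespace and
# either a comma or end of string. Whitespace after the comma is optional.
PARAM = re.compile(r'\s*([A-Za-z0-9_-]+)\s*=\s*(?:"([^"]*)"|([^\s,"]*))\s*(?:,|$)')


def parse_digest(header):
    """Return Digest parameters as a dict (keys lower-cased), or None if the
    scheme is not Digest or the list does not parse. Backslash-quoted pairs
    inside quoted strings are kept verbatim, not unescaped."""
    scheme, _, rest = unfold(header).strip().partition(" ")
    if scheme.lower() != "digest":
        return None
    rest, pos, params = rest.strip(), 0, {}
    while pos < len(rest):
        m = PARAM.match(rest, pos)
        if not m:
            return None
        params[m.group(1).lower()] = m.group(2) if m.group(2) is not None else m.group(3)
        pos = m.end()
    return params
```

With the strict splitter the IE 9 line yields a username of root",realm="mongo",... (everything after the first quote), while parse_digest recovers the same fields from all three forms.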

Comment by Richard Kreuter (Inactive) [ 16/Aug/12 ]

req.txt – HTTP headers as produced by a recent (ca. Aug 16, 2012) Firefox

iereq.txt – HTTP headers mangled from the Firefox headers by inserting a newline after the "Digest" token in the "Authorization" header. By inspection, this is the only interesting difference between Firefox headers and IE headers.

Generated at Thu Feb 08 03:10:09 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.