HTTP Authentication Problem

Hi Experts,

I have a very tricky problem with IBM WebSeal which is used as some kind of proxy which authenticates users against an LDAP server and then forwards the URL to the IS 6.0.1 SP2.

When connecting to the IS with the following HTTP GET request:
GET URL…
via: HTTP/1.1 server:80
host: server.test.com
user-agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 4.0)
authorization: Basic WDgzOTg0OnNlY3JldA==
cache-control: no-cache
accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/msword, application/vnd.ms-powerpoint, */*
accept-language: fr-be
accept-encoding: gzip, deflate
connection: close
Cookie: …

I get the error:
HTTP/1.0 401 Unauthorized

When I send the same request with an UPPERCASE A in authorization, it is working properly. Since the WebSeal only creates the lower case variant, my question is whether this behaviour can be changed on the IS. I can’t believe that the “Authorization” line has to be Uppercase for the A.

Any comments welcome
Joerg

If I understood you correctly, you’re saying this works with IS 6:
‘Authorization: Basic WDgzOTg0OnNlY3JldA==’
But this does NOT work:
‘authorization: Basic WDgzOTg0OnNlY3JldA==’
…right?

From what I recall, HTTP headers are case-insensitive (here’s the relevant RFC section: http://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.2 ). It says: “Each header field consists of a name followed by a colon (":") and the field value. Field names are case-insensitive.”

So ‘authorization’ should have worked.

> my question is whether this behaviour can be changed on the IS.
Hmm. I think you need to file a bug report. There’s probably some code somewhere in IS doing a string-compare to “Authorization”

Sonam,

you got it right. I was checking the RFC as well and it seems to be a bug in the HTTP implementation inside IS 6.0.1. I will send a bug report to the webMethods support to get this fixed…

Joerg

Joerg,

I have a posting tool created using Java code. I tried using “Authorization” as well as “authorization” in my Java code to set the credentials and both of them worked when posting to WM 6.0.1.

I think the problem is with your proxy and not WM. In fact, when I try to set the wrong username/password combo the error that webMethods gives is :

HTTP/1.0 401 [ISS.0084.9001] Invalid credentials

and not

HTTP/1.0 401 Unauthorized

as you got. So your error must be coming from the proxy.

I agree Rupinder - good points.

Well,

I receive the error message “HTTP/1.0 401 Unauthorized” not through the proxy server, but by opening the port on the IS with a telnet and then pasting the HTTP header into the open session. Therefore this error is not directly related to the proxy, which is IBM’s WebSEAL.

On the other hand I have tested this on another IS 6.0.1 server without the SP2 and there it seems to work properly with the lower case A. Very confusing. I will have to do some more checks tomorrow…

thx so far…
Joerg

We’ve had IS service packs break something before Joerg - so I won’t be surprised if the culprit is the SP.

BTW, do you mind posting your telnet session in which you spoofed basic authentication? I was trying to do one yesterday, but couldn’t get IS to accept it:

bash-2.05b$ telnet b2bdev1 5555
Trying 172.111.111.111...
Connected to b2bdev1.
Escape character is '^]'.
GET / HTTP/1.0
authorization: Basic cookoo2hesgdzvbdf9sfd97==

HTTP/1.0 401 [B2BSERV.0084.9001] Invalid credentials
WWW-Authenticate: Basic realm="webMethods"
Connection: Close
Content-Length: 0

Connection closed by foreign host.
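
The case-insensitive field-name rule quoted from RFC 2616 in this thread, next to the exact string compare one reply suspects, as an added example (not code from any poster or from webMethods IS). The request, the credentials and all function names are constructed for illustration.

```python
import base64

# Constructed request, modelled on the lower-case header names WebSEAL sends in the thread.
RAW_REQUEST = (
    "GET / HTTP/1.0\r\n"
    "host: server.test.com\r\n"
    "authorization: Basic " + base64.b64encode(b"demo-user:demo-pass").decode() + "\r\n"
    "connection: close\r\n"
    "\r\n"
)

def parse_headers(raw):
    """Return header fields as (name, value) pairs, names exactly as received."""
    head = raw.split("\r\n\r\n", 1)[0]
    fields = []
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            fields.append((name.strip(), value.strip()))
    return fields

def get_header_exact(fields, wanted):
    """Suspected faulty lookup: byte-for-byte comparison of the field name."""
    return next((v for n, v in fields if n == wanted), None)

def get_header(fields, wanted):
    """RFC 2616 section 4.2 lookup: field names are case-insensitive."""
    return next((v for n, v in fields if n.lower() == wanted.lower()), None)

def basic_credentials(value):
    """Decode 'Basic <base64>' into (user, password); None if absent or malformed."""
    if value is None:
        return None
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic":                # the scheme name is case-insensitive too
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:                           # invalid base64 or invalid UTF-8
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def status_for(raw, lookup):
    """Status a Basic-auth endpoint would return when using the given lookup."""
    creds = basic_credentials(lookup(parse_headers(raw), "Authorization"))
    return 200 if creds == ("demo-user", "demo-pass") else 401
```

With the exact-match lookup the lower-case request is treated as carrying no credentials at all, which is why the response is a plain 401 rather than an invalid-credentials error.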