Double requests being sent to server with auth about collect HOT 12 CLOSED

Fixed with this patch. I think this should be classified as an enhancement.

"The patch should probably be changed to do preemptive auth only if the target host
port is 8443 or 443; what we really want to do is only send credentials if the intended
scheme is https, but I don't know how to do that."
-- mitch

This issue was closed by revision 9b24ad8c72e0.

I realized I attached the wrong patch to this. The proper one is attached to this message.
It includes a new function in WebUtils.java.

I'm not quite sure I understand Mitch's comment above. If I did perhaps I could suggest
something.

The issue with your patch is that you don't check that the communications channel is
running within an HTTPS pipe before proactively attaching the username and password.
 Basic auth credentials are sent in plaintext (base64 encoded). By not first ensuring
you are operating within an HTTPS pipe, you have ended up broadcasting your username
and password, in plaintext, to the world.

Not sure what fix carl and yaw implemented, but a simple check to mitigate this erroneous
wide disclosure of username and password is to first ensure that the server is being
contacted on port 443 or 8443; those are, by convention, the https and non-privileged
alternate https ports for a webserver.

I understand what you're saying now. I'll take a crack at this and get back to y'all.

I think a change accomplishing this was checked into the code base and is already in
the mainline.

I believe that was on a different but related issue. I have checked the trunk and this
issue still exists. My patch fixes it, but your earlier comment still applies and I
will address it when I get time.