Specify charset in WWW-Authenticate for Basic Auth #18755
Description
Expected Behavior
RFC7617 (The 'Basic' HTTP Authentication Scheme) defines an optional parameter charset in the WWW-Authenticate header that indicates the character encoding scheme the server expects the user agent to use when generating "user-pass". Spring Security currently expects the "user-pass" to be UTF-8 encoded by default, but does not include the charset parameter in the WWW-Authenticate header. The HttpBasicConfigurer does not expose a simple way to change the default charset or include the parameter; you have to implement your own AuthenticationEntryPoint.
Context
Some user agents, most notably the JDK's own HttpClient, rely on this parameter to choose the correct encoding and fall back to a different default charset (ISO-8859-1 in the case of the HttpClient), which causes problems with passwords containing special characters.
The JDK's HttpClient doesn't even allow configuration of the charset when using an Authenticator instead of manually setting the Authorization header, which makes it incompatible with a standard Spring Security Basic Auth configuration.