Ben M. created SHIRO-678:
----------------------------

             Summary: Strings garbled when POST without JSESSIONID cookie
                 Key: SHIRO-678
                 URL: https://issues.apache.org/jira/browse/SHIRO-678
             Project: Shiro
          Issue Type: Bug
          Components: jax-rs, Session Management, Web
    Affects Versions: 1.4.0
         Environment: OS: Linux (SLES Enterprise 11SP4, Ubuntu 18.04.x), Windows 10.
ApplicationServers: LibertyProfile 18.0.0.2, 18.0.04, 19.0.01 and OpenLiberty 19.0.0.1.

            Reporter: Ben M.


Dear all,

I created a login endpoint using jaxrs-2.1 and a simple form based 
authentication.

If I supply a password with German Umlauts (äöü etc.) and do NOT supply any 
JSESSIONID (any invalid would do), the received string will be mojibake.

However, if I supply a JSESSIONID (even an invalid JSESSIONID would do), the 
received String will be just fine.

h2. Example servlet

Here's an example endpoint:
{code:java}
import static java.util.Collections.unmodifiableMap;

import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import javax.ws.rs.Consumes;
import javax.ws.rs.DefaultValue;
import javax.ws.rs.FormParam;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;

@Path("/api")
public class JaxRsEndpoint {

  @POST
  @Path("/login")
  @Consumes(MediaType.APPLICATION_FORM_URLENCODED)
  @Produces(MediaType.APPLICATION_JSON)
  public Response doLogin(
      @DefaultValue("") @FormParam("l_username") final String username, // login username
      @DefaultValue("") @FormParam("l_password") final String password  // login password
  ) {
    // Echo the form values back so the response shows exactly what the server decoded.
    Map<String, String> receivedData = new ConcurrentHashMap<>();
    receivedData.put("l_username", username);
    receivedData.put("l_password", password);

    return Response.ok()
        .entity(unmodifiableMap(receivedData))
        .build();
  }

}
{code}
 
h2. web.xml

Here's the required web.xml configuration:
{code:xml}
<web-app id="WebApp_ID"
         version="3.1"
         xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd">
        <display-name>jaxrs-multipart-encoding</display-name>
        <servlet>
                <servlet-name>javax.ws.rs.core.Application</servlet-name>
                <load-on-startup>1</load-on-startup>
        </servlet>
        <servlet-mapping>
                <servlet-name>javax.ws.rs.core.Application</servlet-name>
                <url-pattern>/*</url-pattern>
        </servlet-mapping>

        <listener>
                <listener-class>org.apache.shiro.web.env.EnvironmentLoaderListener</listener-class>
        </listener>

        <filter>
                <filter-name>ShiroFilter</filter-name>
                <filter-class>org.apache.shiro.web.servlet.ShiroFilter</filter-class>
        </filter>

        <filter-mapping>
                <filter-name>ShiroFilter</filter-name>
                <url-pattern>/*</url-pattern>
                <dispatcher>REQUEST</dispatcher>
                <dispatcher>FORWARD</dispatcher>
                <dispatcher>INCLUDE</dispatcher>
                <dispatcher>ERROR</dispatcher>
        </filter-mapping>
</web-app>
{code}
 
h2. Test 1 (NOT working):
{code:bash}
$ curl -i -XPOST --url "http://localhost:9080/formdata/api/login" -d 'l_username=user&l_password=äöü'; echo ""
HTTP/1.1 200 OK
Content-Type: application/json
Date: Tue, 05 Mar 2019 08:59:32 GMT
Content-Language: en-EN
Content-Length: 49

{"l_username":"user","l_password":"äöü"}
{code}
h2. Test 2 (working as expected):
{code:bash}
$ curl -i -XPOST --cookie 'JSESSIONID=0' --url "http://localhost:9080/formdata/api/login" -d 'l_username=user&l_password=äöü'; echo ""
HTTP/1.1 200 OK
Content-Type: application/json
Date: Tue, 05 Mar 2019 08:57:51 GMT
Content-Language: en-EN
Content-Length: 43

{"l_username":"user","l_password":"äöü"}
{code}
 
h2. shiro.ini
{code}
shiro.loginUrl = /api/login
shiro.successUrl = /overview
shiro.usernameParam = l_username
shiro.passwordParam = l_password
shiro.rememberMeParam = rememberMe

# Session handling.
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
# 3,600,000 milliseconds = 1 hour
# 7200000 = 2h
sessionManager.globalSessionTimeout = 7200000

# Use the configured native session manager:
securityManager.sessionManager = $sessionManager

# Cache
sessionDAO = org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO
securityManager.sessionManager.sessionDAO = $sessionDAO

# URL Configuration
[urls]
/* = anon
{code}
I have looked through the source code but was unable to find a reason why this may occur.

This bug does not occur when NOT using Shiro. This means the Shiro filter seems to do some damage, but only when the JSESSIONID cookie is NOT supplied.


--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
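The symptom in Test 1 (no JSESSIONID cookie, and a body six bytes longer than in Test 2) is what a servlet container produces when something calls getParameter() on a form POST before the request's character encoding has been set: the container decodes the body once with its default of ISO-8859-1, caches the parsed parameters, and the UTF-8 that the JAX-RS layer applies later no longer has any effect. curl's -d sends no charset in the Content-Type header, so getCharacterEncoding() is null on both test requests. The report does not establish which call in the chain reads the parameters first when the cookie is absent, but the standard mitigation is an encoding filter mapped ahead of ShiroFilter. The filter below is an added example, not code from the report or from the Shiro project; the class name Utf8EncodingFilter and the "encoding" init-param are assumptions made for this example.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;

/**
 * Sets the request character encoding before any downstream filter or servlet
 * reads the form parameters. The container parses the POST body only once, on
 * the first getParameter() call, using the encoding in effect at that moment;
 * if none has been set it falls back to ISO-8859-1 and caches the result, so a
 * later setCharacterEncoding("UTF-8") cannot repair the strings.
 *
 * The class name and the "encoding" init-param are assumptions for this example.
 */
public class Utf8EncodingFilter implements Filter {

    private String encoding = "UTF-8";

    @Override
    public void init(FilterConfig config) {
        String configured = config.getInitParameter("encoding");
        if (configured != null && !configured.trim().isEmpty()) {
            encoding = configured.trim();
        }
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // Respect a charset the client declared explicitly in Content-Type;
        // curl -d sends none, which is the situation in Test 1 and Test 2,
        // so only fill in the default when the request carries no charset.
        if (request.getCharacterEncoding() == null) {
            request.setCharacterEncoding(encoding);
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}

// web.xml ordering: the container builds the filter chain in the order of the
// <filter-mapping> elements, so this mapping must come before ShiroFilter's,
// and it should list the same dispatcher types as the ShiroFilter mapping:
//
//   <filter>
//       <filter-name>Utf8EncodingFilter</filter-name>
//       <filter-class>Utf8EncodingFilter</filter-class>
//       <init-param>
//           <param-name>encoding</param-name>
//           <param-value>UTF-8</param-value>
//       </init-param>
//   </filter>
//   <filter-mapping>
//       <filter-name>Utf8EncodingFilter</filter-name>
//       <url-pattern>/*</url-pattern>
//       <dispatcher>REQUEST</dispatcher>
//       <dispatcher>FORWARD</dispatcher>
//       <dispatcher>INCLUDE</dispatcher>
//       <dispatcher>ERROR</dispatcher>
//   </filter-mapping>
//   ... followed by the existing ShiroFilter <filter> and <filter-mapping> ...
```

With the mapping in place, rerunning Test 1 should return the same 43-byte body as Test 2; if it still returns the longer body, something is reading the parameters before the filter chain starts (for example a container-level valve or a servlet mapped outside the chain), and the request encoding has to be set at that level instead.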