[ https://issues.apache.org/jira/browse/SHIRO-678?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ben M. updated SHIRO-678:
-------------------------
    Description: 
Dear all,

I created a login endpoint using jaxrs-2.1 and simple form-based
authentication.

If I supply a password with German umlauts (äöü etc.) and do NOT supply any
JSESSIONID (any invalid one would do), the received string will be mojibake.

However, if I supply a JSESSIONID (even an invalid JSESSIONID would do), the
received string will be just fine.
h2. Example servlet

Here's an example endpoint:
{code:java}
import static java.util.Collections.unmodifiableMap;

import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import javax.ws.rs.Consumes;
import javax.ws.rs.DefaultValue;
import javax.ws.rs.FormParam;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;

@Path("/api")
public class JaxRsEndpoint {

  @POST
  @Path("/login")
  @Consumes(MediaType.APPLICATION_FORM_URLENCODED)
  @Produces(MediaType.APPLICATION_JSON)
  public Response doLogin(
      @DefaultValue("") @FormParam("l_username") final String username, // login username
      @DefaultValue("") @FormParam("l_password") final String password  // login password
  ) {
    // Echo the received form values back so the client can see how they were decoded.
    Map<String, String> receivedData = new ConcurrentHashMap<>();
    receivedData.put("l_username", username);
    receivedData.put("l_password", password);

    return Response.ok()
        .entity(unmodifiableMap(receivedData))
        .build();
  }

}
{code}
 
h2. web.xml

Here's the required web.xml configuration:
{code:xml}
<web-app id="WebApp_ID"
         version="3.1"
         xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd">
        <display-name>jaxrs-multipart-encoding</display-name>
        <servlet>
                <servlet-name>javax.ws.rs.core.Application</servlet-name>
                <load-on-startup>1</load-on-startup>
        </servlet>
        <servlet-mapping>
                <servlet-name>javax.ws.rs.core.Application</servlet-name>
                <url-pattern>/*</url-pattern>
        </servlet-mapping>

        <listener>
                <listener-class>org.apache.shiro.web.env.EnvironmentLoaderListener</listener-class>
        </listener>

        <filter>
                <filter-name>ShiroFilter</filter-name>
                <filter-class>org.apache.shiro.web.servlet.ShiroFilter</filter-class>
        </filter>

        <filter-mapping>
                <filter-name>ShiroFilter</filter-name>
                <url-pattern>/*</url-pattern>
                <dispatcher>REQUEST</dispatcher>
                <dispatcher>FORWARD</dispatcher>
                <dispatcher>INCLUDE</dispatcher>
                <dispatcher>ERROR</dispatcher>
        </filter-mapping>
</web-app>
{code}
 
h2. Test 1 (NOT working):
{code:bash}
$ curl -i -XPOST --url "http://localhost:9080/formdata/api/login" -d 'l_username=user&l_password=äöü'; echo ""
HTTP/1.1 200 OK
Content-Type: application/json
Date: Tue, 05 Mar 2019 08:59:32 GMT
Content-Language: en-EN
Content-Length: 49

{"l_username":"user","l_password":"äöü"}
{code}
h2. Test 2 (working as expected):
{code:bash}
$ curl -i -XPOST --cookie 'JSESSIONID=0' --url "http://localhost:9080/formdata/api/login" -d 'l_username=user&l_password=äöü'; echo ""
HTTP/1.1 200 OK
Content-Type: application/json
Date: Tue, 05 Mar 2019 08:57:51 GMT
Content-Language: en-EN
Content-Length: 43

{"l_username":"user","l_password":"äöü"}
{code}
 
h2. shiro.ini
{code}
shiro.loginUrl = /api/login
shiro.successUrl = /overview
shiro.usernameParam = l_username
shiro.passwordParam = l_password
shiro.rememberMeParam = rememberMe

# Session handling.
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
# 3,600,000 milliseconds = 1 hour
# 7200000 = 2h
sessionManager.globalSessionTimeout = 7200000

# Use the configured native session manager:
securityManager.sessionManager = $sessionManager

# Cache
sessionDAO = org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO
securityManager.sessionManager.sessionDAO = $sessionDAO

# URL Configuration
[urls]
/* = anon
{code}
I have looked through the source code but was unable to find a reason why this
may occur.

This bug does not occur when NOT using Shiro. This means the Shiro filter seems
to do some damage, but only when the JSESSIONID cookie is NOT supplied.

 
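An added diagnostic, not part of the report above: the Content-Length values in the two tests (49 without the cookie, 43 with it) are exactly what results when the container decodes the UTF-8 form body with ISO-8859-1, the servlet default, before the JAX-RS runtime has set UTF-8 on the request. The constructed Python below rebuilds both lengths from the report's own form body and adds a check that flags and repairs such mis-decoded values; it assumes the body reaches the server as raw UTF-8 bytes (what curl -d sends) and that the endpoint's JSON is emitted without whitespace, as in the responses shown.

```python
import json
from urllib.parse import parse_qsl

# Constructed sample: the exact form body both curl tests send. curl -d passes it
# through unchanged, so the server sees these UTF-8 bytes (äöü = 6 bytes).
FORM_BODY = "l_username=user&l_password=äöü".encode("utf-8")

SERVLET_DEFAULT_CHARSET = "iso-8859-1"   # used by getParameter() if nothing set one
JAXRS_CHARSET = "utf-8"                   # what the JAX-RS runtime sets for form bodies


def parse_form(body: bytes, charset: str) -> dict:
    """Decode a urlencoded body the way the container does: the raw bytes are
    interpreted with whatever request character encoding is in force."""
    return dict(parse_qsl(body.decode(charset), keep_blank_values=True))


def response_length(params: dict) -> int:
    """Content-Length of the endpoint's JSON echo, serialised as compact UTF-8."""
    doc = json.dumps(params, ensure_ascii=False, separators=(",", ":"))
    return len(doc.encode("utf-8"))


def is_utf8_read_as_latin1(value: str) -> bool:
    """True if value is UTF-8 text that was decoded with ISO-8859-1: every char
    fits in latin-1 and the bytes re-decode as UTF-8 to something different."""
    try:
        return value.encode("latin-1").decode("utf-8") != value
    except (UnicodeEncodeError, UnicodeDecodeError):
        return False


def repair(value: str) -> str:
    """Undo the mis-decode (only meaningful when is_utf8_read_as_latin1 is True)."""
    return value.encode("latin-1").decode("utf-8")


if __name__ == "__main__":
    for label, charset in (("Test 1, no cookie", SERVLET_DEFAULT_CHARSET),
                           ("Test 2, with cookie", JAXRS_CHARSET)):
        params = parse_form(FORM_BODY, charset)
        pw = params["l_password"]
        print(f"{label}: Content-Length {response_length(params)}, "
              f"password={pw!r}, mojibake={is_utf8_read_as_latin1(pw)}")
```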


> Strings garbled when POST without JSESSIONID cookie
> ---------------------------------------------------
>
>                 Key: SHIRO-678
>                 URL: https://issues.apache.org/jira/browse/SHIRO-678
>             Project: Shiro
>          Issue Type: Bug
>          Components: jax-rs, Session Management, Web
>    Affects Versions: 1.4.0
>         Environment: OS: Linux (SLES Enterprise 11SP4, Ubuntu 18.04.x), 
> Windows 10.
> ApplicationServers: LibertyProfile 18.0.0.2, 18.0.04, 19.0.01 and OpenLiberty 
> 19.0.0.1.
>            Reporter: Ben M.
>            Priority: Critical
>              Labels: easyfix
>



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
