[ 
https://issues.apache.org/jira/browse/SHIRO-678?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17028112#comment-17028112
 ] 

Brian Demers commented on SHIRO-678:
------------------------------------

I’m actually more interested in your non-Shiro example (I was able to 
reproduce from your code above), but it was “expected behavior” based on the 
Servlet spec. 

That said, Shiro shouldn’t be changing this behavior in the container.

> Strings garbled when POST without JSESSIONID cookie
> ---------------------------------------------------
>
>                 Key: SHIRO-678
>                 URL: https://issues.apache.org/jira/browse/SHIRO-678
>             Project: Shiro
>          Issue Type: Bug
>          Components: jax-rs, Session Management, Web
>    Affects Versions: 1.4.0
>         Environment: OS: Linux (SLES Enterprise 11SP4, Ubuntu 18.04.x), 
> Windows 10.
> ApplicationServers: LibertyProfile 18.0.0.2, 18.0.04, 19.0.01 and OpenLiberty 
> 19.0.0.1.
>            Reporter: Benjamin Marwell
>            Priority: Major
>              Labels: easyfix
>             Fix For: 1.5.1
>
>
> Dear all,
> I created a login endpoint using jaxrs-2.1 and a simple form based 
> authentication.
> If I supply a password with German Umlauts (äöü etc.) and do NOT supply any 
> JSESSIONID (any invalid would do), the received string will be mojibake.
> However, if I supply a JSESSIONID (even an invalid JSESSIONID would do), the 
> received String will be just fine.
> h2. Example servlet
> Here's an example endpoint:
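> {code:java}
> import static java.util.Collections.unmodifiableMap;
>
> import java.util.Map;
> import java.util.concurrent.ConcurrentHashMap;
> import javax.ws.rs.Consumes;
> import javax.ws.rs.DefaultValue;
> import javax.ws.rs.FormParam;
> import javax.ws.rs.POST;
> import javax.ws.rs.Path;
> import javax.ws.rs.Produces;
> import javax.ws.rs.core.MediaType;
> import javax.ws.rs.core.Response;
>
> @Path("/api")
> public class JaxRsEndpoint {
>   // Echoes the received form fields back as JSON so their decoding can be inspected.
>   @POST
>   @Path("/login")
>   @Consumes(MediaType.APPLICATION_FORM_URLENCODED)
>   @Produces(MediaType.APPLICATION_JSON)
>   public Response doLogin(
>       @DefaultValue("") @FormParam("l_username") final String username, // login username
>       @DefaultValue("") @FormParam("l_password") final String password // login password
>   ) {
>     Map<String, String> receivedData = new ConcurrentHashMap<>();
>     receivedData.put("l_username", username);
>     receivedData.put("l_password", password);
>     return Response.ok()
>         .entity(unmodifiableMap(receivedData))
>         .build();
>   }
> }
> {code}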
>  
> h2. web.xml
> Here's the required web.xml configuration:
> {code:xml}
> <web-app id="WebApp_ID"
>          version="3.1"
>          xmlns="http://xmlns.jcp.org/xml/ns/javaee"
>          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>          xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd">
>       <display-name>jaxrs-multipart-encoding</display-name>
>       <servlet>
>               <servlet-name>javax.ws.rs.core.Application</servlet-name>
>               <load-on-startup>1</load-on-startup>
>       </servlet>
>       <servlet-mapping>
>               <servlet-name>javax.ws.rs.core.Application</servlet-name>
>               <url-pattern>/*</url-pattern>
>       </servlet-mapping>
>       <listener>
>               <listener-class>org.apache.shiro.web.env.EnvironmentLoaderListener</listener-class>
>       </listener>
>       <filter>
>               <filter-name>ShiroFilter</filter-name>
>               <filter-class>org.apache.shiro.web.servlet.ShiroFilter</filter-class>
>       </filter>
>       <filter-mapping>
>               <filter-name>ShiroFilter</filter-name>
>               <url-pattern>/*</url-pattern>
>               <dispatcher>REQUEST</dispatcher>
>               <dispatcher>FORWARD</dispatcher>
>               <dispatcher>INCLUDE</dispatcher>
>               <dispatcher>ERROR</dispatcher>
>       </filter-mapping>
> </web-app>
> {code}
>  
> h2. Test 1 (NOT working):
> {code:java}
> $ curl -i -XPOST --url "http://localhost:9080/formdata/api/login" -d 'l_username=user&l_password=äöü'; echo ""
> HTTP/1.1 200 OK
> Content-Type: application/json
> Date: Tue, 05 Mar 2019 08:59:32 GMT
> Content-Language: en-EN
> Content-Length: 49
> {"l_username":"user","l_password":"äöü"}
> {code}
> h2. Test 2 (working as expected):
> {code:java}
> $ curl -i -XPOST --cookie 'JSESSIONID=0' --url "http://localhost:9080/formdata/api/login" -d 'l_username=user&l_password=äöü'; echo ""
> HTTP/1.1 200 OK
> Content-Type: application/json
> Date: Tue, 05 Mar 2019 08:57:51 GMT
> Content-Language: en-EN
> Content-Length: 43
> {"l_username":"user","l_password":"äöü"}
> {code}
>  
> h2. shiro.ini
> {code:java}
> shiro.loginUrl = /api/login
> shiro.successUrl = /overview
> shiro.usernameParam = l_username
> shiro.passwordParam = l_password
> shiro.rememberMeParam = rememberMe
> # Session handling.
> sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
> # 3,600,000 milliseconds = 1 hour
> # 7200000 = 2h
> sessionManager.globalSessionTimeout = 7200000
> # Use the configured native session manager:
> securityManager.sessionManager = $sessionManager
> # Cache
> sessionDAO = org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO
> securityManager.sessionManager.sessionDAO = $sessionDAO
> # URL Configuration
> [urls]
> /* = anon
> {code}
> I have looked through the source code but was unable to find a reason why 
> this may occur.
>  
> This bug does not occur when NOT using Shiro. This means the shiro filter 
> seems to do some damage, but only when the jsessionid cookie is NOT supplied.
>  
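
The two Content-Length values in the quoted tests (49 and 43) are what results when the same UTF-8 form body is decoded as ISO-8859-1, the Servlet specification's default when the request declares no charset, versus UTF-8. The following is an added example, not code from the thread or from Shiro; `FormCharsetDemo` and its helpers are hypothetical names, the body is a constructed sample, and field parsing skips percent-decoding because `curl -d` sends the bytes raw.

```java
import java.nio.ByteBuffer;
import java.nio.charset.CharacterCodingException;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;

public class FormCharsetDemo {
    // Constructed sample: raw UTF-8 body as curl -d sends it (no percent-encoding).
    static final byte[] BODY =
        "l_username=user&l_password=\u00e4\u00f6\u00fc".getBytes(StandardCharsets.UTF_8);

    /** Returns one form field after decoding the body bytes with the given charset. */
    static String field(byte[] body, String name, Charset cs) {
        for (String pair : new String(body, cs).split("&")) {
            int eq = pair.indexOf('=');
            if (eq > 0 && pair.substring(0, eq).equals(name)) {
                return pair.substring(eq + 1);
            }
        }
        return "";
    }

    /** UTF-8 byte length of the JSON the endpoint returns, i.e. its Content-Length. */
    static int jsonLength(String user, String pass) {
        String json = "{\"l_username\":\"" + user + "\",\"l_password\":\"" + pass + "\"}";
        return json.getBytes(StandardCharsets.UTF_8).length;
    }

    /** True if s contains non-ASCII text whose ISO-8859-1 bytes form valid UTF-8. */
    static boolean looksLikeMojibake(String s) {
        if (!StandardCharsets.ISO_8859_1.newEncoder().canEncode(s)) return false;
        byte[] raw = s.getBytes(StandardCharsets.ISO_8859_1);
        boolean nonAscii = false;
        for (byte b : raw) nonAscii |= b < 0;
        if (!nonAscii) return false;
        try {
            StandardCharsets.UTF_8.newDecoder().decode(ByteBuffer.wrap(raw)); // strict decode
            return true;
        } catch (CharacterCodingException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        for (Charset cs : new Charset[] {StandardCharsets.ISO_8859_1, StandardCharsets.UTF_8}) {
            String pw = field(BODY, "l_password", cs);
            System.out.println(cs + " " + jsonLength("user", pw) + " " + looksLikeMojibake(pw));
        }
    }
}
```

A check like `looksLikeMojibake` can be asserted in an integration test on the received password parameter, with and without a session cookie, to catch a decoding change before it turns into failed logins for non-ASCII credentials.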


