On Thu, Aug 28, 2025 at 4:46 PM Christopher Schultz <ch...@christopherschultz.net> wrote:

> Zoran,
>
> On 8/27/25 5:01 PM, Zoran Avtarovski wrote:
> > Really helped to know where the issue had changed.
>
> You might be able to fix this issue very quickly using this ALTER
> statement:
>
> ALTER TABLE user
>    MODIFY COLUMN user_name varchar(255) NOT NULL <-- double-check this
>    COLLATE utf8mb4_general_nopad_ci <-- Here is the magic
>

I would go with one of the three:
1) utf8mb4_0900_ai_ci (Alias for utf8mb4_uca1400_nopad_ai_ci) ("ai" means accent insensitive. "ci" means case insensitive)
2) utf8mb4_0900_as_ci (Alias for utf8mb4_uca1400_nopad_as_ci)
3) utf8mb4_0900_as_cs (Alias for utf8mb4_uca1400_nopad_as_cs).

The above mentioned collations are based on one of the latest versions of Unicode, 14 <https://www.unicode.org/versions/Unicode14.0.0/>. (Current latest version is 16, but is not available in MariaDB.)

Citing https://dev.mysql.com/doc/refman/8.4/en/charset-unicode-sets.html , "comparisons for the utf8mb4_general_ci collation are faster, but slightly less correct, than comparisons for utf8mb4_unicode_ci".

> Once you do that, a SELECT with user_name=? won't match strings with
> trailing spaces.
>
> Hope that helps,
> -chris
>
> > On 27/8/2025 10:12 pm, Dimitris Soumis wrote:
> >> On Wed, Aug 27, 2025 at 2:56 AM Zoran Avtarovski
> >> <zo...@sparecreative.com>
> >> wrote:
> >>
> >>> Hi Guys,
> >>>
> >>> We are seeing a strange issue with user logins. If a user includes extra
> >>> spaces in their username the login process is successful, but the
> >>> request username from request.getRemoteUser() still has the extra space
> >>> which is causing issues with our internal processes.
> >>>
> >>> Ideally we'd like to change the setup to fail the login if extra spaces
> >>> are included. I've included our current config, and appreciate any help
> >>> in addressing this.
> >>>
> >>> This is all using Tomcat 9 with Java 11 and I have included our config
> >>> below.
> >>>
> >>> Thanks
> >>>
> >>> Zoran
> >>>
> >>> /META-INF/context.xml
> >>>
> >>> <Resource
> >>>     name="jdbc/appDB"
> >>>     type="javax.sql.DataSource"
> >>>     auth="Container"
> >>>     driverClassName="org.mariadb.jdbc.Driver"
> >>>     url="jdbc:mariadb://localhost:3306/app_db?useEncoding=true&characterEncoding=UTF-8&zeroDateTimeBehavior=convertToNull"
> >>>     username="user"
> >>>     password="password"
> >>>     maxActive="100"
> >>>     maxIdle="30"
> >>>     maxWait="10000"
> >>>     removeAbandoned="true"
> >>>     removeAbandonedTimeout="60"
> >>>     logAbandoned="true"
> >>>     testOnBorrow="true"
> >>>     validationQuery="select count(*) from tableXX"
> >>> />
> >>>
> >>> <Realm className="org.apache.catalina.realm.LockOutRealm">
> >>>     <Realm className="org.apache.catalina.realm.DataSourceRealm"
> >>>         dataSourceName="jdbc/appDB"
> >>>         localDataSource="true"
> >>>         roleNameCol="status"
> >>>         userCredCol="password"
> >>>         userNameCol="user_name"
> >>>         userRoleTable="users"
> >>>         userTable="users"
> >>>     >
> >>>         <CredentialHandler
> >>>             className="org.apache.catalina.realm.MessageDigestCredentialHandler"
> >>>             algorithm="SHA"
> >>>             iterations="1"
> >>>             saltLength="0"
> >>>         />
> >>>     </Realm>
> >>> </Realm>
> >>>
> >>> /WEB-INF/web.xml
> >>>
> >>> <security-constraint>
> >>>     <display-name>Admin Console</display-name>
> >>>     <web-resource-collection>
> >>>         <web-resource-name>Restricted Access</web-resource-name>
> >>>         <!-- Define the context-relative URL(s) to be protected -->
> >>>         <description/>
> >>>         <url-pattern>/protected/*</url-pattern>
> >>>     </web-resource-collection>
> >>>     <auth-constraint>
> >>>         <!-- Anyone with one of the listed roles may access this area -->
> >>>         <role-name>1</role-name>
> >>>     </auth-constraint>
> >>> </security-constraint>
> >>>
> >>> <login-config>
> >>>     <auth-method>FORM</auth-method>
> >>>     <realm-name>App</realm-name>
> >>>     <form-login-config>
> >>>         <form-login-page>/login.jsp</form-login-page>
> >>>         <form-error-page>/login-error.jsp</form-error-page>
> >>>     </form-login-config>
> >>> </login-config>
> >>>
> >>> ---------------------------------------------------------------------
> >>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> >>> For additional commands, e-mail: users-h...@tomcat.apache.org
> >>>
> >> Hi Zoran,
> >>
> >> The issue arises from the semantics of the MariaDB database and is not a
> >> defect in Tomcat. By default MariaDB uses PAD collations, which means that
> >> trailing whitespace will be ignored. When the call to
> >> request.getRemoteUser() is being made, the container correctly returns the
> >> name associated with the current session, which is the username with the
> >> trailing space.
> >>
> >> Possible solutions for this would be:
> >> 1) Changing the default MariaDB Collation to NO PAD or binary. See Changing
> >> Default Collation
> >> <https://mariadb.com/docs/server/reference/data-types/string-data-types/character-sets/setting-character-sets-and-collations#changing-default-collation>.
> >> 2) On Tomcat's side, implementing a custom Realm extending DataSourceRealm
> >> and enforcing that username doesn't contain leading or trailing
> >> whitespace.
> >>
> >> Kind regards,
> >> Dimitris Soumis
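
The Tomcat-side option quoted above (a custom Realm extending DataSourceRealm that rejects padded usernames) could look like the following. This is an added example, not code posted by anyone in the thread and not part of Tomcat; the package name, class name and the isCanonical helper are hypothetical, and it covers the username/password path used by the FORM login in the quoted web.xml.

```java
// Added example, not code from the thread or from Tomcat itself.
// Package and class names are hypothetical.
package com.example.realm;

import java.security.Principal;

import org.apache.catalina.realm.DataSourceRealm;

/**
 * DataSourceRealm that refuses login names with leading or trailing
 * whitespace before any SQL runs, so a PAD SPACE collation can never
 * match "alice " against the stored "alice".
 *
 * Assumed wiring: in META-INF/context.xml, change the inner Realm's
 * className to com.example.realm.StrictUsernameDataSourceRealm and keep
 * every other attribute and the CredentialHandler unchanged.
 */
public class StrictUsernameDataSourceRealm extends DataSourceRealm {

    @Override
    public Principal authenticate(String username, String credentials) {
        if (!isCanonical(username)) {
            // Returning null is how a Realm reports a failed login.
            return null;
        }
        return super.authenticate(username, credentials);
    }

    /** True only for a non-empty name with no whitespace at either end. */
    static boolean isCanonical(String username) {
        if (username == null || username.isEmpty()) {
            return false;
        }
        int first = username.codePointAt(0);
        int last = username.codePointBefore(username.length());
        return !isSpace(first) && !isSpace(last);
    }

    // Covers ASCII space, tabs and newlines (isWhitespace) as well as
    // no-break and other Unicode space separators (isSpaceChar).
    private static boolean isSpace(int codePoint) {
        return Character.isWhitespace(codePoint)
                || Character.isSpaceChar(codePoint);
    }
}
```

Realm classes are loaded by Tomcat's own class loader, so the compiled class normally has to be packaged as a jar in $CATALINA_BASE/lib rather than inside the web application.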