Shiro / SHIRO-678

Strings garbled when POST without JSESSIONID cookie


    Details

    • Type: Bug
    • Status: Open
    • Priority: Critical
    • Resolution: Unresolved
    • Affects Version/s: 1.4.0
    • Fix Version/s: 1.5.1
    • Component/s: jax-rs, Session Management, Web
    • Labels:
    • Environment:
      OS: Linux (SLES Enterprise 11SP4, Ubuntu 18.04.x), Windows 10.
      ApplicationServers: LibertyProfile 18.0.0.2, 18.0.04, 19.0.01 and OpenLiberty 19.0.0.1.

      Description

      Dear all,

      I created a login endpoint using jaxrs-2.1 and a simple form based authentication.

      If I supply a password with German Umlauts (äöü etc.) and do NOT supply any JSESSIONID (any invalid would do), the received string will be mojibake.

      However, if I supply a JSESSIONID (even an invalid JSESSIONID would do), the received string will be just fine.

      Example servlet

      Here's an example endpoint:

      import static java.util.Collections.unmodifiableMap;

      import java.util.Map;
      import java.util.concurrent.ConcurrentHashMap;

      import javax.ws.rs.Consumes;
      import javax.ws.rs.DefaultValue;
      import javax.ws.rs.FormParam;
      import javax.ws.rs.POST;
      import javax.ws.rs.Path;
      import javax.ws.rs.Produces;
      import javax.ws.rs.core.MediaType;
      import javax.ws.rs.core.Response;

      @Path("/api")
      public class JaxRsEndpoint {

        // Echoes the submitted form fields back as JSON so the decoded values can be inspected.
        @POST
        @Path("/login")
        @Consumes(MediaType.APPLICATION_FORM_URLENCODED)
        @Produces(MediaType.APPLICATION_JSON)
        public Response doLogin(
            @DefaultValue("") @FormParam("l_username") final String username, // login username
            @DefaultValue("") @FormParam("l_password") final String password // login password
        ) {
          Map<String, String> receivedData = new ConcurrentHashMap<>();
          receivedData.put("l_username", username);
          receivedData.put("l_password", password);

          return Response.ok()
              .entity(unmodifiableMap(receivedData))
              .build();
        }

      }



      web.xml

      Here's the required web.xml configuration:

      <web-app id="WebApp_ID"
      				 version="3.1"
      				 xmlns="http://xmlns.jcp.org/xml/ns/javaee"
      				 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      				 xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd">
      	<display-name>jaxrs-multipart-encoding</display-name>
      	<servlet>
      		<servlet-name>javax.ws.rs.core.Application</servlet-name>
      		<load-on-startup>1</load-on-startup>
      	</servlet>
      	<servlet-mapping>
      		<servlet-name>javax.ws.rs.core.Application</servlet-name>
      		<url-pattern>/*</url-pattern>
      	</servlet-mapping>
      
      	<listener>
      		<listener-class>org.apache.shiro.web.env.EnvironmentLoaderListener</listener-class>
      	</listener>
      
      	<filter>
      		<filter-name>ShiroFilter</filter-name>
      		<filter-class>org.apache.shiro.web.servlet.ShiroFilter</filter-class>
      	</filter>
      
      	<filter-mapping>
      		<filter-name>ShiroFilter</filter-name>
      		<url-pattern>/*</url-pattern>
      		<dispatcher>REQUEST</dispatcher>
      		<dispatcher>FORWARD</dispatcher>
      		<dispatcher>INCLUDE</dispatcher>
      		<dispatcher>ERROR</dispatcher>
      	</filter-mapping>
      </web-app>
      


      Test 1 (NOT working):

      $ curl -i -XPOST --url "http://localhost:9080/formdata/api/login" -d 'l_username=user&l_password=äöü'; echo ""
      HTTP/1.1 200 OK
      Content-Type: application/json
      Date: Tue, 05 Mar 2019 08:59:32 GMT
      Content-Language: en-EN
      Content-Length: 49
      
      {"l_username":"user","l_password":"äöü"}
      

      Test 2 (working as expected):

      $ curl -i -XPOST --cookie 'JSESSIONID=0'  --url "http://localhost:9080/formdata/api/login" -d 'l_username=user&l_password=äöü'; echo "" 
      HTTP/1.1 200 OK
      Content-Type: application/json
      Date: Tue, 05 Mar 2019 08:57:51 GMT
      Content-Language: en-EN
      Content-Length: 43
      
      {"l_username":"user","l_password":"äöü"}
      


      shiro.ini

      shiro.loginUrl = /api/login
      shiro.successUrl = /overview
      shiro.usernameParam = l_username
      shiro.passwordParam = l_password
      shiro.rememberMeParam = rememberMe
      
      
      # Session handling.
      sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
      # 3,600,000 milliseconds = 1 hour
      # 7200000 = 2h
      sessionManager.globalSessionTimeout = 7200000
      
      # Use the configured native session manager:
      securityManager.sessionManager = $sessionManager
      
      # Cache
      sessionDAO = org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO
      securityManager.sessionManager.sessionDAO = $sessionDAO
      
      # URL Configuration
      [urls]
      /* = anon
      

      I have looked through the source code but was unable to find a reason why this may occur.


      This bug does not occur when NOT using Shiro. This means the shiro filter seems to do some damage, but only when the jsessionid cookie is NOT supplied.
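The two transcripts above differ in Content-Length by exactly six bytes (49 versus 43), which is what you get when a three-character UTF-8 password (6 bytes) is decoded by the container as ISO-8859-1 and then re-encoded as UTF-8 (12 bytes). The following script is an added example, not code from the reporter or from Shiro; it assumes that this UTF-8-read-as-Latin-1 misdecoding is the mechanism behind the garbled string, reproduces the byte counts from the report with constructed input, and gives a small check that a test suite or log review can use to flag double-encoded values.

```python
import json
from typing import Optional, Tuple

# Constructed sample input: the credentials used in the report's curl commands.
USERNAME = "user"
PASSWORD = "äöü"


def mojibake(text: str) -> str:
    """Simulate a UTF-8 request body that is decoded as ISO-8859-1.

    This is the servlet default when nothing has called setCharacterEncoding
    before the parameters are parsed; each UTF-8 byte becomes its own char.
    """
    return text.encode("utf-8").decode("iso-8859-1")


def repair(text: str) -> Optional[str]:
    """Undo one round of UTF-8-as-Latin-1 misdecoding.

    Returns None when the text is not of that shape (for diagnosis only: the
    real fix is to decode the request correctly, not to patch values later).
    """
    try:
        return text.encode("iso-8859-1").decode("utf-8")
    except UnicodeError:
        return None


def looks_double_encoded(text: str) -> bool:
    """Heuristic check: non-ASCII text that round-trips to a different string
    via Latin-1 -> UTF-8 is almost certainly mojibake and worth alerting on."""
    if not any(ord(c) > 127 for c in text):
        return False
    fixed = repair(text)
    return fixed is not None and fixed != text


def response_body(username: str, password: str) -> bytes:
    """JSON as the endpoint returns it: compact separators, raw UTF-8 output."""
    payload = {"l_username": username, "l_password": password}
    return json.dumps(payload, ensure_ascii=False, separators=(",", ":")).encode("utf-8")


def content_lengths() -> Tuple[int, int]:
    """(garbled, correct) body sizes; matches the 49 and 43 seen in the report."""
    garbled = response_body(USERNAME, mojibake(PASSWORD))
    correct = response_body(USERNAME, PASSWORD)
    return len(garbled), len(correct)


if __name__ == "__main__":
    bad, good = content_lengths()
    print(f"garbled body: {bad} bytes, correct body: {good} bytes")
    print("garbled password:", mojibake(PASSWORD))
    print("flagged as double-encoded:", looks_double_encoded(mojibake(PASSWORD)))
```

The check is deliberately one-directional: a correctly decoded "äöü" cannot be re-encoded as Latin-1 and parsed as UTF-8, so it is never flagged, while the garbled form always is. Running it against captured response bodies is a quick way to confirm that a filter ordering or request-encoding problem, rather than the client, is responsible.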


      People

      • Assignee: Unassigned
      • Reporter: bmarwell Benjamin Marwell
      • Votes: 0
      • Watchers: 3