Details
Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Versions: 1.4.0, 1.7.1
OS: Linux (SLES Enterprise 11SP4, Ubuntu 18.04.x), Windows 10.
Application servers: LibertyProfile 18.0.0.2, 18.0.04, 19.0.01 and OpenLiberty 19.0.0.1.
Description
Dear all,
I created a login endpoint using jaxrs-2.1 and a simple form based authentication.
If I supply a password with German umlauts (äöü etc.) and do NOT supply any JSESSIONID (any invalid one would do), the received string will be mojibake.
However, if I supply a JSESSIONID (even an invalid JSESSIONID would do), the received string will be just fine.
Example servlet
Here's an example endpoint:
    import static java.util.Collections.unmodifiableMap;

    import java.util.Map;
    import java.util.concurrent.ConcurrentHashMap;

    import javax.ws.rs.Consumes;
    import javax.ws.rs.DefaultValue;
    import javax.ws.rs.FormParam;
    import javax.ws.rs.POST;
    import javax.ws.rs.Path;
    import javax.ws.rs.Produces;
    import javax.ws.rs.core.MediaType;
    import javax.ws.rs.core.Response;

    @Path("/api")
    public class JaxRsEndpoint {

        @POST
        @Path("/login")
        @Consumes(MediaType.APPLICATION_FORM_URLENCODED)
        @Produces(MediaType.APPLICATION_JSON)
        public Response doLogin(
                @DefaultValue("") @FormParam("l_username") final String username, // login username
                @DefaultValue("") @FormParam("l_password") final String password  // login password
        ) {
            // Echo the received parameters back so the client can see how they were decoded.
            Map<String, String> receivedData = new ConcurrentHashMap<>();
            receivedData.put("l_username", username);
            receivedData.put("l_password", password);
            return Response.ok()
                    .entity(unmodifiableMap(receivedData))
                    .build();
        }
    }
web.xml
Here's the required web.xml configuration:
    <web-app id="WebApp_ID" version="3.1"
             xmlns="http://xmlns.jcp.org/xml/ns/javaee"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd">
        <display-name>jaxrs-multipart-encoding</display-name>
        <servlet>
            <servlet-name>javax.ws.rs.core.Application</servlet-name>
            <load-on-startup>1</load-on-startup>
        </servlet>
        <servlet-mapping>
            <servlet-name>javax.ws.rs.core.Application</servlet-name>
            <url-pattern>/*</url-pattern>
        </servlet-mapping>
        <listener>
            <listener-class>org.apache.shiro.web.env.EnvironmentLoaderListener</listener-class>
        </listener>
        <filter>
            <filter-name>ShiroFilter</filter-name>
            <filter-class>org.apache.shiro.web.servlet.ShiroFilter</filter-class>
        </filter>
        <filter-mapping>
            <filter-name>ShiroFilter</filter-name>
            <url-pattern>/*</url-pattern>
            <dispatcher>REQUEST</dispatcher>
            <dispatcher>FORWARD</dispatcher>
            <dispatcher>INCLUDE</dispatcher>
            <dispatcher>ERROR</dispatcher>
        </filter-mapping>
    </web-app>
Test 1 (NOT working):
    $ curl -i -XPOST --url "http://localhost:9080/formdata/api/login" -d 'l_username=user&l_password=äöü'; echo ""
    HTTP/1.1 200 OK
    Content-Type: application/json
    Date: Tue, 05 Mar 2019 08:59:32 GMT
    Content-Language: en-EN
    Content-Length: 49

    {"l_username":"user","l_password":"äöü"}
Test 2 (working as expected):
    $ curl -i -XPOST --cookie 'JSESSIONID=0' --url "http://localhost:9080/formdata/api/login" -d 'l_username=user&l_password=äöü'; echo ""
    HTTP/1.1 200 OK
    Content-Type: application/json
    Date: Tue, 05 Mar 2019 08:57:51 GMT
    Content-Language: en-EN
    Content-Length: 43

    {"l_username":"user","l_password":"äöü"}
shiro.ini
shiro.loginUrl = /api/login
shiro.successUrl = /overview
shiro.usernameParam = l_username
shiro.passwordParam = l_password
shiro.rememberMeParam = rememberMe
# Session handling.
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
# 3,600,000 milliseconds = 1 hour
# 7,200,000 milliseconds = 2 hours
sessionManager.globalSessionTimeout = 7200000
# Use the configured native session manager:
securityManager.sessionManager = $sessionManager
# Cache
sessionDAO = org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO
securityManager.sessionManager.sessionDAO = $sessionDAO
# URL Configuration
[urls]
/* = anon
I have looked through the source code but was unable to find a reason why this may occur.
This bug does not occur when NOT using Shiro. This means the Shiro filter seems to do some damage, but only when the JSESSIONID cookie is NOT supplied.
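The two Content-Length values in Test 1 and Test 2 (49 versus 43) are themselves a usable check: the 6 extra bytes are exactly what three two-byte UTF-8 characters grow to when their bytes are decoded as ISO-8859-1 and re-encoded as UTF-8. The following added example (Python; not code from the bug report or from Shiro) parses a constructed copy of the curl form body under both charsets, rebuilds the echo endpoint's JSON entity, and includes a diagnostic that recognises such double-encoded values in received data.

```python
# Added example (not part of the bug report or of Shiro): reproduce the two
# Content-Length values from the curl tests by decoding one form body under
# the charset the reporter expects (UTF-8) and the servlet default (ISO-8859-1).
import json
from urllib.parse import unquote_to_bytes

# Constructed request body: curl -d sends the shell argument's bytes verbatim,
# which under a UTF-8 locale are the UTF-8 bytes of "äöü".
FORM_BODY = b"l_username=user&l_password=\xc3\xa4\xc3\xb6\xc3\xbc"


def parse_form(body: bytes, charset: str) -> dict:
    """Parse an application/x-www-form-urlencoded body, decoding each key and
    value with the given charset (handles both raw and %XX-encoded bytes)."""

    def decode(part: bytes) -> str:
        return unquote_to_bytes(part.replace(b"+", b" ")).decode(charset)

    params = {}
    for pair in body.split(b"&"):
        if not pair:
            continue
        key, _, value = pair.partition(b"=")
        params[decode(key)] = decode(value)
    return params


def response_entity(body: bytes, charset: str) -> bytes:
    """JSON entity the echo endpoint would return, as the UTF-8 bytes whose
    length is the response's Content-Length."""
    data = parse_form(body, charset)
    return json.dumps(data, ensure_ascii=False, separators=(",", ":")).encode("utf-8")


def repair_if_mojibake(value: str) -> str:
    """Diagnostic only: if a value is UTF-8 text that was mis-decoded as
    ISO-8859-1, return the intended text; otherwise return it unchanged."""
    try:
        return value.encode("latin-1").decode("utf-8")
    except UnicodeError:
        return value


if __name__ == "__main__":
    for charset in ("utf-8", "iso-8859-1"):
        entity = response_entity(FORM_BODY, charset)
        print(f"{charset}: Content-Length {len(entity)} -> {entity.decode('utf-8')}")
```

Running it prints Content-Length 43 for UTF-8 and 49 for ISO-8859-1, matching Test 2 and Test 1 respectively.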