[jira] [Commented] (SHIRO-678) Strings garbled when POST without JSESSIONID cookie



Francois Papon (Jira)

    [ https://issues.apache.org/jira/browse/SHIRO-678?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17020270#comment-17020270 ]

Benjamin Marwell commented on SHIRO-678:
----------------------------------------

I am not very good at Tomcat, but I could possibly set up an integration test using the maven-invoker-plugin and OpenLiberty.

> Strings garbled when POST without JSESSIONID cookie
> ---------------------------------------------------
>
>                 Key: SHIRO-678
>                 URL: https://issues.apache.org/jira/browse/SHIRO-678
>             Project: Shiro
>          Issue Type: Bug
>          Components: jax-rs, Session Management, Web
>    Affects Versions: 1.4.0
>         Environment: OS: Linux (SLES Enterprise 11SP4, Ubuntu 18.04.x), Windows 10.
> ApplicationServers: LibertyProfile 18.0.0.2, 18.0.04, 19.0.01 and OpenLiberty 19.0.0.1.
>            Reporter: Benjamin Marwell
>            Priority: Critical
>              Labels: easyfix
>             Fix For: 1.5.1
>
>
> Dear all,
> I created a login endpoint using jaxrs-2.1 and a simple form based authentication.
> If I supply a password with German umlauts (äöü etc.) and do NOT supply any JSESSIONID (any invalid one would do), the received string will be mojibake.
> However, if I supply a JSESSIONID (even an invalid JSESSIONID would do), the received string will be just fine.
> h2. Example servlet
> Here's an example endpoint:
> {code:java}
> import static java.util.Collections.unmodifiableMap;
>
> import java.util.Map;
> import java.util.concurrent.ConcurrentHashMap;
>
> import javax.ws.rs.Consumes;
> import javax.ws.rs.DefaultValue;
> import javax.ws.rs.FormParam;
> import javax.ws.rs.POST;
> import javax.ws.rs.Path;
> import javax.ws.rs.Produces;
> import javax.ws.rs.core.MediaType;
> import javax.ws.rs.core.Response;
>
> @Path("/api")
> public class JaxRsEndpoint {
>   // Echoes the received form fields back as JSON so the decoded values can be inspected.
>   @POST
>   @Path("/login")
>   @Consumes(MediaType.APPLICATION_FORM_URLENCODED)
>   @Produces(MediaType.APPLICATION_JSON)
>   public Response doLogin(
>       @DefaultValue("") @FormParam("l_username") final String username, // login username
>       @DefaultValue("") @FormParam("l_password") final String password // login password
>   ) {
>     Map<String, String> receivedData = new ConcurrentHashMap<>();
>     receivedData.put("l_username", username);
>     receivedData.put("l_password", password);
>     return Response.ok()
>         .entity(unmodifiableMap(receivedData))
>         .build();
>   }
> }
> {code}
>  
> h2. web.xml
> Here's the required web.xml configuration:
> {code:xml}
> <web-app id="WebApp_ID"
>          version="3.1"
>          xmlns="http://xmlns.jcp.org/xml/ns/javaee"
>          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>          xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd">
>   <display-name>jaxrs-multipart-encoding</display-name>
>   <servlet>
>     <servlet-name>javax.ws.rs.core.Application</servlet-name>
>     <load-on-startup>1</load-on-startup>
>   </servlet>
>   <servlet-mapping>
>     <servlet-name>javax.ws.rs.core.Application</servlet-name>
>     <url-pattern>/*</url-pattern>
>   </servlet-mapping>
>   <listener>
>     <listener-class>org.apache.shiro.web.env.EnvironmentLoaderListener</listener-class>
>   </listener>
>   <filter>
>     <filter-name>ShiroFilter</filter-name>
>     <filter-class>org.apache.shiro.web.servlet.ShiroFilter</filter-class>
>   </filter>
>   <filter-mapping>
>     <filter-name>ShiroFilter</filter-name>
>     <url-pattern>/*</url-pattern>
>     <dispatcher>REQUEST</dispatcher>
>     <dispatcher>FORWARD</dispatcher>
>     <dispatcher>INCLUDE</dispatcher>
>     <dispatcher>ERROR</dispatcher>
>   </filter-mapping>
> </web-app>
> {code}
>  
> h2. Test 1 (NOT working):
> {code:java}
> $ curl -i -XPOST --url "http://localhost:9080/formdata/api/login" -d 'l_username=user&l_password=äöü'; echo ""
> HTTP/1.1 200 OK
> Content-Type: application/json
> Date: Tue, 05 Mar 2019 08:59:32 GMT
> Content-Language: en-EN
> Content-Length: 49
> {"l_username":"user","l_password":"äöü"}
> {code}
> h2. Test 2 (working as expected):
> {code:java}
> $ curl -i -XPOST --cookie 'JSESSIONID=0'  --url "http://localhost:9080/formdata/api/login" -d 'l_username=user&l_password=äöü'; echo ""
> HTTP/1.1 200 OK
> Content-Type: application/json
> Date: Tue, 05 Mar 2019 08:57:51 GMT
> Content-Language: en-EN
> Content-Length: 43
> {"l_username":"user","l_password":"äöü"}
> {code}
>  
> h2. shiro.ini
> {code:java}
> shiro.loginUrl = /api/login
> shiro.successUrl = /overview
> shiro.usernameParam = l_username
> shiro.passwordParam = l_password
> shiro.rememberMeParam = rememberMe
> # Session handling.
> sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
> # 3,600,000 milliseconds = 1 hour
> # 7200000 = 2h
> sessionManager.globalSessionTimeout = 7200000
> # Use the configured native session manager:
> securityManager.sessionManager = $sessionManager
> # Cache
> sessionDAO = org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO
> securityManager.sessionManager.sessionDAO = $sessionDAO
> # URL Configuration
> [urls]
> /* = anon
> {code}
> I have looked through the source code but was unable to find a reason why this may occur.
>  
> This bug does not occur when NOT using Shiro. This means the Shiro filter seems to do some damage, but only when the JSESSIONID cookie is NOT supplied.
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
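The two curl outputs quoted in the report differ in exactly the way a form body decoded with the Servlet default request encoding (ISO-8859-1, used whenever the body is parsed before any encoding has been set) differs from the same bytes decoded as UTF-8. The following is an added example, not code from the Shiro project or the reporter; it reproduces that decoding step on the constructed request body curl sends and checks the resulting values and JSON Content-Length against the 43 and 49 bytes shown in the report, plus a heuristic a defender can use to flag such double-encoded credentials.

```python
import json
from urllib.parse import unquote_to_bytes

# Constructed request body: what `curl -d 'l_username=user&l_password=äöü'` puts on the wire.
# curl does not percent-encode -d data, so the umlauts travel as raw UTF-8 bytes.
FORM_BODY = "l_username=user&l_password=äöü".encode("utf-8")


def decode_form_body(body: bytes, charset: str) -> dict:
    """Parse application/x-www-form-urlencoded bytes the way a container does:
    split on '&' and '=', percent-decode to bytes, then decode with `charset`."""
    params = {}
    for pair in body.split(b"&"):
        if not pair:
            continue
        key, _, value = pair.partition(b"=")
        params[unquote_to_bytes(key).decode(charset)] = unquote_to_bytes(value).decode(charset)
    return params


def json_content_length(params: dict) -> int:
    """Byte length of the JSON the endpoint returns (UTF-8, umlauts not escaped)."""
    return len(json.dumps(params, separators=(",", ":"), ensure_ascii=False).encode("utf-8"))


def looks_like_latin1_mojibake(text: str) -> bool:
    """Heuristic: a value that was UTF-8 on the wire but decoded as ISO-8859-1 re-encodes
    as Latin-1 into bytes that are valid UTF-8 and decode to something different."""
    try:
        repaired = text.encode("latin-1").decode("utf-8")
    except (UnicodeEncodeError, UnicodeDecodeError):
        return False
    return repaired != text


if __name__ == "__main__":
    for charset in ("ISO-8859-1", "UTF-8"):
        params = decode_form_body(FORM_BODY, charset)
        print(charset, params, "Content-Length:", json_content_length(params),
              "mojibake:", looks_like_latin1_mojibake(params["l_password"]))
```

The ISO-8859-1 branch yields the Ã¤Ã¶Ã¼ value and 49-byte body of Test 1, the UTF-8 branch the äöü value and 43-byte body of Test 2, which is why a password containing non-ASCII characters can pass on one request and fail on another depending only on whether a session cookie was sent.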