Posted to dev@shiro.apache.org by "Francois Papon (Jira)" <ji...@apache.org> on 2020/02/17 19:55:00 UTC
[jira] [Updated] (SHIRO-678) Strings garbled when POST without JSESSIONID cookie
[ https://issues.apache.org/jira/browse/SHIRO-678?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Francois Papon updated SHIRO-678:
---------------------------------
Fix Version/s: (was: 1.5.1) 1.6.0
> Strings garbled when POST without JSESSIONID cookie
> ---------------------------------------------------
>
> Key: SHIRO-678
> URL: https://issues.apache.org/jira/browse/SHIRO-678
> Project: Shiro
> Issue Type: Bug
> Components: jax-rs, Session Management, Web
> Affects Versions: 1.4.0
> Environment: OS: Linux (SLES Enterprise 11SP4, Ubuntu 18.04.x), Windows 10.
> ApplicationServers: LibertyProfile 18.0.0.2, 18.0.04, 19.0.01 and OpenLiberty 19.0.0.1.
> Reporter: Benjamin Marwell
> Priority: Major
> Labels: easyfix
> Fix For: 1.6.0
>
>
> Dear all,
> I created a login endpoint using jaxrs-2.1 and a simple form based authentication.
> If I supply a password with German Umlauts (äöü etc.) and do NOT supply any JSESSIONID (any invalid would do), the received string will be mojibake.
> However, if I supply a JSESSIONID (even an invalid JSESSIONID would do), the received String will be just fine.
> h2. Example servlet
> Here's an example endpoint:
> {code:java}
> import static java.util.Collections.unmodifiableMap;
>
> import java.util.Map;
> import java.util.concurrent.ConcurrentHashMap;
> import javax.ws.rs.Consumes;
> import javax.ws.rs.DefaultValue;
> import javax.ws.rs.FormParam;
> import javax.ws.rs.POST;
> import javax.ws.rs.Path;
> import javax.ws.rs.Produces;
> import javax.ws.rs.core.MediaType;
> import javax.ws.rs.core.Response;
>
> @Path("/api")
> public class JaxRsEndpoint {
>     @POST
>     @Path("/login")
>     @Consumes(MediaType.APPLICATION_FORM_URLENCODED)
>     @Produces(MediaType.APPLICATION_JSON)
>     public Response doLogin(
>             @DefaultValue("") @FormParam("l_username") final String username, // login username
>             @DefaultValue("") @FormParam("l_password") final String password  // login password
>     ) {
>         // Echo the received form parameters back so the decoded values can be inspected.
>         Map<String, String> receivedData = new ConcurrentHashMap<>();
>         receivedData.put("l_username", username);
>         receivedData.put("l_password", password);
>         return Response.ok()
>                 .entity(unmodifiableMap(receivedData))
>                 .build();
>     }
> }
> {code}
>
> h2. web.xml
> Here's the required web.xml configuration:
> {code:xml}
> <web-app id="WebApp_ID"
>          version="3.1"
>          xmlns="http://xmlns.jcp.org/xml/ns/javaee"
>          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>          xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd">
>     <display-name>jaxrs-multipart-encoding</display-name>
>     <servlet>
>         <servlet-name>javax.ws.rs.core.Application</servlet-name>
>         <load-on-startup>1</load-on-startup>
>     </servlet>
>     <servlet-mapping>
>         <servlet-name>javax.ws.rs.core.Application</servlet-name>
>         <url-pattern>/*</url-pattern>
>     </servlet-mapping>
>     <listener>
>         <listener-class>org.apache.shiro.web.env.EnvironmentLoaderListener</listener-class>
>     </listener>
>     <filter>
>         <filter-name>ShiroFilter</filter-name>
>         <filter-class>org.apache.shiro.web.servlet.ShiroFilter</filter-class>
>     </filter>
>     <filter-mapping>
>         <filter-name>ShiroFilter</filter-name>
>         <url-pattern>/*</url-pattern>
>         <dispatcher>REQUEST</dispatcher>
>         <dispatcher>FORWARD</dispatcher>
>         <dispatcher>INCLUDE</dispatcher>
>         <dispatcher>ERROR</dispatcher>
>     </filter-mapping>
> </web-app>
> {code}
>
> h2. Test 1 (NOT working):
> {code:java}
> $ curl -i -XPOST --url "http://localhost:9080/formdata/api/login" -d 'l_username=user&l_password=äöü'; echo ""
> HTTP/1.1 200 OK
> Content-Type: application/json
> Date: Tue, 05 Mar 2019 08:59:32 GMT
> Content-Language: en-EN
> Content-Length: 49
> {"l_username":"user","l_password":"äöü"}
> {code}
> h2. Test 2 (working as expected):
> {code:java}
> $ curl -i -XPOST --cookie 'JSESSIONID=0' --url "http://localhost:9080/formdata/api/login" -d 'l_username=user&l_password=äöü'; echo ""
> HTTP/1.1 200 OK
> Content-Type: application/json
> Date: Tue, 05 Mar 2019 08:57:51 GMT
> Content-Language: en-EN
> Content-Length: 43
> {"l_username":"user","l_password":"äöü"}
> {code}
>
> h2. shiro.ini
> {code:java}
> shiro.loginUrl = /api/login
> shiro.successUrl = /overview
> shiro.usernameParam = l_username
> shiro.passwordParam = l_password
> shiro.rememberMeParam = rememberMe
> # Session handling.
> sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
> # 3,600,000 milliseconds = 1 hour
> # 7200000 = 2h
> sessionManager.globalSessionTimeout = 7200000
> # Use the configured native session manager:
> securityManager.sessionManager = $sessionManager
> # Cache
> sessionDAO = org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO
> securityManager.sessionManager.sessionDAO = $sessionDAO
> # URL Configuration
> [urls]
> /* = anon
> {code}
> I have looked through the source code but was unable to find a reason why this may occur.
>
> This bug does not occur when NOT using Shiro. This means the Shiro filter seems to do some damage, but only when the JSESSIONID cookie is NOT supplied.
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
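Added illustration, not part of the issue or of Shiro's code: the 6-byte difference between the two responses (Content-Length 49 versus 43, two extra bytes per umlaut) is exactly what results when the UTF-8 form body is decoded as ISO-8859-1, the servlet default that sticks once request parameters have been parsed before any character encoding was set. The script models both decodings of the page's POST body and adds a check for strings that were decoded that way; the byte-level body and the charset names are assumptions.

```python
import json
from urllib.parse import parse_qs

# Constructed form body: the bytes curl sends for the page's -d argument when
# typed in a UTF-8 terminal (curl passes them through unchanged).
FORM_BODY = "l_username=user&l_password=äöü".encode("utf-8")


def decode_form(body: bytes, charset: str) -> dict:
    """Parse an application/x-www-form-urlencoded body the way a servlet
    container's getParameter() does, using the given request charset."""
    parsed = parse_qs(body.decode(charset), keep_blank_values=True,
                      encoding=charset, errors="replace")
    return {k: v[0] for k, v in parsed.items()}


def json_response(params: dict) -> bytes:
    """Serialise the endpoint's response body as compact UTF-8 JSON, matching
    the 43-byte body of Test 2 when the parameters were decoded correctly."""
    return json.dumps(params, ensure_ascii=False,
                      separators=(",", ":")).encode("utf-8")


def looks_like_latin1_mojibake(s: str) -> bool:
    """True if s is UTF-8 text that was mistakenly decoded as ISO-8859-1.
    Such strings re-encode losslessly as Latin-1 and then decode as valid
    UTF-8 that differs from the original (i.e. contains non-ASCII)."""
    try:
        fixed = s.encode("latin-1").decode("utf-8")
    except (UnicodeEncodeError, UnicodeDecodeError):
        return False
    return fixed != s


def repair_latin1_mojibake(s: str) -> str:
    """Undo the wrong decoding; only call after looks_like_latin1_mojibake()."""
    return s.encode("latin-1").decode("utf-8")


if __name__ == "__main__":
    for charset in ("utf-8", "iso-8859-1"):
        params = decode_form(FORM_BODY, charset)
        body = json_response(params)
        print(f"{charset:11} -> Content-Length: {len(body)} {body.decode('utf-8')}"
              f"  mojibake={looks_like_latin1_mojibake(params['l_password'])}")
```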