You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@shiro.apache.org by "Francois Papon (Jira)" <ji...@apache.org> on 2020/02/17 19:55:00 UTC
[jira] [Updated] (SHIRO-678) Strings garbled when POST without JSESSIONID cookie

     [ https://issues.apache.org/jira/browse/SHIRO-678?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Francois Papon updated SHIRO-678:
---------------------------------
    Fix Version/s:     (was: 1.5.1)
                   1.6.0

> Strings garbled when POST without JSESSIONID cookie
> ---------------------------------------------------
>
>                 Key: SHIRO-678
>                 URL: https://issues.apache.org/jira/browse/SHIRO-678
>             Project: Shiro
>          Issue Type: Bug
>          Components: jax-rs, Session Management, Web
>    Affects Versions: 1.4.0
>         Environment: OS: Linux (SLES Enterprise 11SP4, Ubuntu 18.04.x), Windows 10.
> ApplicationServers: LibertyProfile 18.0.0.2, 18.0.04, 19.0.01 and OpenLiberty 19.0.0.1.
>            Reporter: Benjamin Marwell
>            Priority: Major
>              Labels: easyfix
>             Fix For: 1.6.0
>
>
> Dear all,
> I created a login endpoint using jaxrs-2.1 and a simple form based authentication.
> If I supply a password with German Umlauts (äöü etc.) and do NOT supply any JSESSIONID (any invalid would do), the received string will be mojibake.
> However, if I supply a JSESSIONID (even an invalid JSESSIONID would do), the received String will be just fine.
> h2. Example servlet
> Here's an example endpoint:
> {code:java}
> @Path("/api")
> public class JaxRsEndpoint {
>   @POST
>   @Path("/login")
>   @Consumes(MediaType.APPLICATION_FORM_URLENCODED)
>   @Produces(MediaType.APPLICATION_JSON)
>   public Response doLogin(
>       @DefaultValue("") @FormParam("l_username") final String username, // login username
>       @DefaultValue("") @FormParam("l_password") final String password // login password
>   ) {
>     Map<String, String> receivedData = new ConcurrentHashMap<>();
>     receivedData.put("l_username", username);
>     receivedData.put("l_password", password);
>     return Response.ok()
>         .entity(unmodifiableMap(receivedData))
>         .build();
>   }
> }
> {code}
>  
> h2. web.xml
> Here's the required web.xml configuration:
> {code:xml}
> <web-app id="WebApp_ID"
> 				 version="3.1"
> 				 xmlns="http://xmlns.jcp.org/xml/ns/javaee"
> 				 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> 				 xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd">
> 	<display-name>jaxrs-multipart-encoding</display-name>
> 	<servlet>
> 		<servlet-name>javax.ws.rs.core.Application</servlet-name>
> 		<load-on-startup>1</load-on-startup>
> 	</servlet>
> 	<servlet-mapping>
> 		<servlet-name>javax.ws.rs.core.Application</servlet-name>
> 		<url-pattern>/*</url-pattern>
> 	</servlet-mapping>
> 	<listener>
> 		<listener-class>org.apache.shiro.web.env.EnvironmentLoaderListener</listener-class>
> 	</listener>
> 	<filter>
> 		<filter-name>ShiroFilter</filter-name>
> 		<filter-class>org.apache.shiro.web.servlet.ShiroFilter</filter-class>
> 	</filter>
> 	<filter-mapping>
> 		<filter-name>ShiroFilter</filter-name>
> 		<url-pattern>/*</url-pattern>
> 		<dispatcher>REQUEST</dispatcher>
> 		<dispatcher>FORWARD</dispatcher>
> 		<dispatcher>INCLUDE</dispatcher>
> 		<dispatcher>ERROR</dispatcher>
> 	</filter-mapping>
> </web-app>
> {code}
>  
> h2. Test 1 (NOT working):
> {code:java}
> $ curl -i -XPOST --url "http://localhost:9080/formdata/api/login" -d 'l_username=user&l_password=äöü'; echo ""
> HTTP/1.1 200 OK
> Content-Type: application/json
> Date: Tue, 05 Mar 2019 08:59:32 GMT
> Content-Language: en-EN
> Content-Length: 49
> {"l_username":"user","l_password":"Ã¤Ã¶Ã¼"}
> {code}
> h2. Test 2 (working as expected):
> {code:java}
> $ curl -i -XPOST --cookie 'JSESSIONID=0'  --url "http://localhost:9080/formdata/api/login" -d 'l_username=user&l_password=äöü'; echo "" 
> HTTP/1.1 200 OK
> Content-Type: application/json
> Date: Tue, 05 Mar 2019 08:57:51 GMT
> Content-Language: en-EN
> Content-Length: 43
> {"l_username":"user","l_password":"äöü"}
> {code}
>  
> h2. shiro.ini
> {code:java}
> shiro.loginUrl = /api/login
> shiro.successUrl = /overview
> shiro.usernameParam = l_username
> shiro.passwordParam = l_password
> shiro.rememberMeParam = rememberMe
> # Session handling.
> sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
> # 3,600,000 milliseconds = 1 hour
> # 7200000 = 2h
> sessionManager.globalSessionTimeout = 7200000
> # Use the configured native session manager:
> securityManager.sessionManager = $sessionManager
> # Cache
> sessionDAO = org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO
> securityManager.sessionManager.sessionDAO = $sessionDAO
> # URL Configuration
> [urls]
> /* = anon
> {code}
> I have looked through the source code but was unable to find a reason why this may occur.
>  
> This bug does not occur when NOT using Shiro. This means the shiro filter seems to do some damage, but only when the jsessionid cookie is NOT supplied.
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)