[ 
https://issues.apache.org/jira/browse/SHIRO-678?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17058906#comment-17058906
 ] 

Benjamin Marwell commented on SHIRO-678:
----------------------------------------

{quote}I'm still a little surprised that JAX-RS implementations use `UTF-8` by 
default (but my googling failed me and I couldn't find it in the spec).
{quote}
Actually, JSON defaults to UTF-8 (in fact, MUST use UTF-8). In my example, on 
the other hand, I am using form data as a content type, which does not default 
to UTF-8, but rather ISO-8859-1. So actually this shouldn't be a surprise (I 
think), but can be very confusing.

> Strings garbled when POST without JSESSIONID cookie
> ---------------------------------------------------
>
>                 Key: SHIRO-678
>                 URL: https://issues.apache.org/jira/browse/SHIRO-678
>             Project: Shiro
>          Issue Type: Bug
>          Components: jax-rs, Session Management, Web
>    Affects Versions: 1.4.0
>         Environment: OS: Linux (SLES Enterprise 11SP4, Ubuntu 18.04.x), 
> Windows 10.
> ApplicationServers: LibertyProfile 18.0.0.2, 18.0.04, 19.0.01 and OpenLiberty 
> 19.0.0.1.
>            Reporter: Benjamin Marwell
>            Priority: Major
>              Labels: easyfix
>             Fix For: 1.6.0
>
>
> Dear all,
> I created a login endpoint using jaxrs-2.1 and a simple form based 
> authentication.
> If I supply a password with German Umlauts (äöü etc.) and do NOT supply any 
> JSESSIONID (any invalid would do), the received string will be mojibake.
> However, if I supply a JSESSIONID (even an invalid JSESSIONID would do), the 
> received String will be just fine.
> h2. Example servlet
> Here's an example endpoint:
> {code:java}
> @Path("/api")
> public class JaxRsEndpoint {
>   @POST
>   @Path("/login")
>   @Consumes(MediaType.APPLICATION_FORM_URLENCODED)
>   @Produces(MediaType.APPLICATION_JSON)
>   public Response doLogin(
>       @DefaultValue("") @FormParam("l_username") final String username, // login username
>       @DefaultValue("") @FormParam("l_password") final String password // login password
>   ) {
>     Map<String, String> receivedData = new ConcurrentHashMap<>();
>     receivedData.put("l_username", username);
>     receivedData.put("l_password", password);
>     return Response.ok()
>         .entity(unmodifiableMap(receivedData))
>         .build();
>   }
> }
> {code}
>  
> h2. web.xml
> Here's the required web.xml configuration:
> {code:xml}
> <web-app id="WebApp_ID"
>          version="3.1"
>          xmlns="http://xmlns.jcp.org/xml/ns/javaee"
>          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>          xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd">
>       <display-name>jaxrs-multipart-encoding</display-name>
>       <servlet>
>               <servlet-name>javax.ws.rs.core.Application</servlet-name>
>               <load-on-startup>1</load-on-startup>
>       </servlet>
>       <servlet-mapping>
>               <servlet-name>javax.ws.rs.core.Application</servlet-name>
>               <url-pattern>/*</url-pattern>
>       </servlet-mapping>
>       <listener>
>               <listener-class>org.apache.shiro.web.env.EnvironmentLoaderListener</listener-class>
>       </listener>
>       <filter>
>               <filter-name>ShiroFilter</filter-name>
>               <filter-class>org.apache.shiro.web.servlet.ShiroFilter</filter-class>
>       </filter>
>       <filter-mapping>
>               <filter-name>ShiroFilter</filter-name>
>               <url-pattern>/*</url-pattern>
>               <dispatcher>REQUEST</dispatcher>
>               <dispatcher>FORWARD</dispatcher>
>               <dispatcher>INCLUDE</dispatcher>
>               <dispatcher>ERROR</dispatcher>
>       </filter-mapping>
> </web-app>
> {code}
>  
> h2. Test 1 (NOT working):
> {code:java}
> $ curl -i -XPOST --url "http://localhost:9080/formdata/api/login" -d 'l_username=user&l_password=äöü'; echo ""
> HTTP/1.1 200 OK
> Content-Type: application/json
> Date: Tue, 05 Mar 2019 08:59:32 GMT
> Content-Language: en-EN
> Content-Length: 49
> {"l_username":"user","l_password":"äöü"}
> {code}
> h2. Test 2 (working as expected):
> {code:java}
> $ curl -i -XPOST --cookie 'JSESSIONID=0' --url "http://localhost:9080/formdata/api/login" -d 'l_username=user&l_password=äöü'; echo ""
> HTTP/1.1 200 OK
> Content-Type: application/json
> Date: Tue, 05 Mar 2019 08:57:51 GMT
> Content-Language: en-EN
> Content-Length: 43
> {"l_username":"user","l_password":"äöü"}
> {code}
>  
> h2. shiro.ini
> {code:java}
> shiro.loginUrl = /api/login
> shiro.successUrl = /overview
> shiro.usernameParam = l_username
> shiro.passwordParam = l_password
> shiro.rememberMeParam = rememberMe
> # Session handling.
> sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
> # 3,600,000 milliseconds = 1 hour
> # 7200000 = 2h
> sessionManager.globalSessionTimeout = 7200000
> # Use the configured native session manager:
> securityManager.sessionManager = $sessionManager
> # Cache
> sessionDAO = org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO
> securityManager.sessionManager.sessionDAO = $sessionDAO
> # URL Configuration
> [urls]
> /* = anon
> {code}
> I have looked through the source code but was unable to find a reason why 
> this may occur.
>  
> This bug does not occur when NOT using Shiro. This means the shiro filter 
> seems to do some damage, but only when the jsessionid cookie is NOT supplied.
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
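
The charset effect described in the comment, as an added example (not code from the ticket or from Shiro): the same form body bytes parsed once as ISO-8859-1 and once as UTF-8. The class and method names are hypothetical and the body is a constructed sample modelled on the ticket's curl call; the ISO-8859-1 pass yields a six-character password and a 49-byte JSON echo, the UTF-8 pass three characters and 43 bytes, which matches the two `Content-Length` values in the ticket.

```java
import java.net.URLDecoder;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;

public class FormCharsetDemo {

    // Parse an application/x-www-form-urlencoded body using the given request charset.
    // URLDecoder.decode(String, Charset) needs Java 10 or later.
    static Map<String, String> parseForm(byte[] body, Charset requestCharset) {
        Map<String, String> params = new LinkedHashMap<>();
        for (String pair : new String(body, requestCharset).split("&")) {
            int eq = pair.indexOf('=');
            String name = eq < 0 ? pair : pair.substring(0, eq);
            String value = eq < 0 ? "" : pair.substring(eq + 1);
            params.put(URLDecoder.decode(name, requestCharset),
                       URLDecoder.decode(value, requestCharset));
        }
        return params;
    }

    // Byte length of the JSON echo returned by the ticket's endpoint, serialized as UTF-8.
    static int jsonLength(Map<String, String> p) {
        String json = "{\"l_username\":\"" + p.get("l_username")
                + "\",\"l_password\":\"" + p.get("l_password") + "\"}";
        return json.getBytes(StandardCharsets.UTF_8).length;
    }

    public static void main(String[] args) {
        // Constructed sample: the raw bytes curl -d sends from a UTF-8 terminal.
        byte[] body = "l_username=user&l_password=\u00e4\u00f6\u00fc"
                .getBytes(StandardCharsets.UTF_8);
        // Assumption for illustration: the credential the account really has.
        String expected = "\u00e4\u00f6\u00fc";

        Charset[] candidates = {StandardCharsets.ISO_8859_1, StandardCharsets.UTF_8};
        for (Charset cs : candidates) {
            Map<String, String> p = parseForm(body, cs);
            String pw = p.get("l_password");
            // The password itself is not printed, only its shape and whether it matches.
            System.out.printf("%-10s chars=%d jsonBytes=%d matches=%b%n",
                    cs.name(), pw.length(), jsonLength(p), pw.equals(expected));
        }
    }
}
```

A password decoded with the wrong request charset no longer equals the stored credential, so the login is rejected even though the client sent the right bytes.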
