[ https://issues.apache.org/jira/browse/SHIRO-678?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17058906#comment-17058906 ]
Benjamin Marwell commented on SHIRO-678:
----------------------------------------

{quote}I'm still a little surprised that JAX-RS implementations use `UTF-8` by default (but my googling failed me and I couldn't find it in the spec).
{quote}
Actually, JSON defaults to UTF-8 (in fact, MUST use UTF-8).

In my example, on the other hand, I am using form data as a content type, which does not default to UTF-8, but rather ISO-8859-1.

So actually this shouldn't be a surprise (I think), but can be very confusing.

> Strings garbled when POST without JSESSIONID cookie
> ---------------------------------------------------
>
>                 Key: SHIRO-678
>                 URL: https://issues.apache.org/jira/browse/SHIRO-678
>             Project: Shiro
>          Issue Type: Bug
>          Components: jax-rs, Session Management, Web
>    Affects Versions: 1.4.0
>         Environment: OS: Linux (SLES Enterprise 11SP4, Ubuntu 18.04.x), Windows 10.
> ApplicationServers: LibertyProfile 18.0.0.2, 18.0.04, 19.0.01 and OpenLiberty 19.0.0.1.
>            Reporter: Benjamin Marwell
>            Priority: Major
>              Labels: easyfix
>             Fix For: 1.6.0
>
>
> Dear all,
> I created a login endpoint using jaxrs-2.1 and a simple form based authentication.
> If I supply a password with German Umlauts (äöü etc.) and do NOT supply any JSESSIONID (any invalid would do), the received string will be mojibake.
> However, if I supply a JSESSIONID (even an invalid JSESSIONID would do), the received String will be just fine.
> h2. Example servlet
> Here's an example endpoint:
> {code:java}
> @Path("/api")
> public class JaxRsEndpoint {
>   @POST
>   @Path("/login")
>   @Consumes(MediaType.APPLICATION_FORM_URLENCODED)
>   @Produces(MediaType.APPLICATION_JSON)
>   public Response doLogin(
>       @DefaultValue("") @FormParam("l_username") final String username, // login username
>       @DefaultValue("") @FormParam("l_password") final String password  // login password
>   ) {
>     Map<String, String> receivedData = new ConcurrentHashMap<>();
>     receivedData.put("l_username", username);
>     receivedData.put("l_password", password);
>     return Response.ok()
>         .entity(unmodifiableMap(receivedData))
>         .build();
>   }
> }
> {code}
>
> h2. web.xml
> Here's the required web.xml configuration:
> {code:xml}
> <web-app id="WebApp_ID"
>          version="3.1"
>          xmlns="http://xmlns.jcp.org/xml/ns/javaee"
>          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>          xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd">
>   <display-name>jaxrs-multipart-encoding</display-name>
>   <servlet>
>     <servlet-name>javax.ws.rs.core.Application</servlet-name>
>     <load-on-startup>1</load-on-startup>
>   </servlet>
>   <servlet-mapping>
>     <servlet-name>javax.ws.rs.core.Application</servlet-name>
>     <url-pattern>/*</url-pattern>
>   </servlet-mapping>
>   <listener>
>     <listener-class>org.apache.shiro.web.env.EnvironmentLoaderListener</listener-class>
>   </listener>
>   <filter>
>     <filter-name>ShiroFilter</filter-name>
>     <filter-class>org.apache.shiro.web.servlet.ShiroFilter</filter-class>
>   </filter>
>   <filter-mapping>
>     <filter-name>ShiroFilter</filter-name>
>     <url-pattern>/*</url-pattern>
>     <dispatcher>REQUEST</dispatcher>
>     <dispatcher>FORWARD</dispatcher>
>     <dispatcher>INCLUDE</dispatcher>
>     <dispatcher>ERROR</dispatcher>
>   </filter-mapping>
> </web-app>
> {code}
>
> h2. Test 1 (NOT working):
> {code:java}
> $ curl -i -XPOST --url "http://localhost:9080/formdata/api/login" -d 'l_username=user&l_password=äöü'; echo ""
> HTTP/1.1 200 OK
> Content-Type: application/json
> Date: Tue, 05 Mar 2019 08:59:32 GMT
> Content-Language: en-EN
> Content-Length: 49
> {"l_username":"user","l_password":"äöü"}
> {code}
> h2. Test 2 (working as expected):
> {code:java}
> $ curl -i -XPOST --cookie 'JSESSIONID=0' --url "http://localhost:9080/formdata/api/login" -d 'l_username=user&l_password=äöü'; echo ""
> HTTP/1.1 200 OK
> Content-Type: application/json
> Date: Tue, 05 Mar 2019 08:57:51 GMT
> Content-Language: en-EN
> Content-Length: 43
> {"l_username":"user","l_password":"äöü"}
> {code}
>
> h2. shiro.ini
> {code:java}
> shiro.loginUrl = /api/login
> shiro.successUrl = /overview
> shiro.usernameParam = l_username
> shiro.passwordParam = l_password
> shiro.rememberMeParam = rememberMe
> # Session handling.
> sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
> # 3,600,000 milliseconds = 1 hour
> # 7200000 = 2h
> sessionManager.globalSessionTimeout = 7200000
> # Use the configured native session manager:
> securityManager.sessionManager = $sessionManager
> # Cache
> sessionDAO = org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO
> securityManager.sessionManager.sessionDAO = $sessionDAO
> # URL Configuration
> [urls]
> /* = anon
> {code}
> I have looked through the source code but was unable to find a reason why this may occur.
>
> This bug does not occur when NOT using Shiro. This means the shiro filter seems to do some damage, but only when the jsessionid cookie is NOT supplied.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
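
The charset mismatch described in the comment above, as an added example (not part of the original message and not Shiro or JAX-RS code): the form body from the report is decoded once as UTF-8 and once as ISO-8859-1, and the JSON echo is measured in UTF-8 bytes. The class and method names are made up for this illustration, the body is a constructed copy of the one in the curl calls, and it is assumed that curl sent the password as raw UTF-8 bytes.

```java
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;

public class FormCharsetDemo {

    // Decode the raw request body with the given charset and return one
    // form field. No percent-decoding is done: the body is assumed to
    // carry the password bytes unescaped, as curl -d sends them.
    static String formParam(byte[] body, Charset charset, String name) {
        String decoded = new String(body, charset);
        for (String pair : decoded.split("&")) {
            int eq = pair.indexOf('=');
            if (eq > 0 && pair.substring(0, eq).equals(name)) {
                return pair.substring(eq + 1);
            }
        }
        return "";
    }

    // Size in UTF-8 bytes of the JSON object the example endpoint echoes.
    static int jsonLength(String username, String password) {
        String json = "{\"l_username\":\"" + username
                + "\",\"l_password\":\"" + password + "\"}";
        return json.getBytes(StandardCharsets.UTF_8).length;
    }

    public static void main(String[] args) {
        // Constructed sample: the three umlauts from the report, written
        // as \\u escapes so this source file stays pure ASCII.
        String sent = "\u00e4\u00f6\u00fc";
        byte[] body = ("l_username=user&l_password=" + sent)
                .getBytes(StandardCharsets.UTF_8);

        Charset[] candidates = {StandardCharsets.UTF_8, StandardCharsets.ISO_8859_1};
        for (Charset cs : candidates) {
            String user = formParam(body, cs, "l_username");
            String pass = formParam(body, cs, "l_password");
            // A password decoded with the wrong charset has twice as many
            // characters and no longer equals what the user typed.
            System.out.printf("%-10s chars=%d matches=%b json-bytes=%d%n",
                    cs.name(), pass.length(), pass.equals(sent),
                    jsonLength(user, pass));
        }
    }
}
```

The two `json-bytes` values it reports correspond to the `Content-Length` headers of Test 2 and Test 1 in the report: each umlaut is two bytes in UTF-8, and reading those bytes as ISO-8859-1 turns every byte into its own character, which then takes two bytes again when the JSON is written out.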