[jboss-user] [Security & JAAS/JBoss] - Re: can username be UTF-8
trulore
do-not-reply at jboss.com
Tue Aug 1 15:41:20 EDT 2006
Well, even if I create a JUnit test case...would that really help if you guys don't have the same JBoss configuration as I do on the back-end? (Unless I zip up my whole WAR and my JBoss config and send that too?)
Here are some more details on the simplest way to reproduce this problem:
1) I've created a simple WAR with a login page and just one JSP page that is protected using J2EE (JEE) declarative security in web.xml. Here is the relevant section of my web.xml file:
    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>Example Form-Based Authentication Area</realm-name>
        <form-login-config>
            <form-login-page>/login.jsp</form-login-page>
            <form-error-page>/oops.jsp</form-error-page>
        </form-login-config>
    </login-config>

    <security-constraint>
        <display-name>Security Constraint for "customers"</display-name>
        <web-resource-collection>
            <web-resource-name>Protected Area</web-resource-name>
            <url-pattern>/pages/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>customers</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <security-role>
        <role-name>customers</role-name>
    </security-role>

2) My login.jsp page is just a standard j_security_check form with the fields "j_username" and "j_password".
3) I'm using the standard JBoss login-config.xml, which defaults to the application-policy of "other" (since I don't specify one in my WAR), which uses users.properties and roles.properties for usernames and passwords and roles. I've also reproduced this problem when I try to use a Database or LDAP server for user authentication. So the authentication mechanism is probably not the issue. But using properties-based authentication is the easiest way to reproduce this problem.
4) I set up a user with an English name and English password in "users.properties" and "roles.properties". And I also set up a user with a Russian name and Russian password in the same properties files. (Russian, or Chinese, or any name and password that requires wide characters.)
5) I run my site, and I try to access the protected page. The login page is displayed. I can log in as the English user, but not the Russian user.
Does this help any? =)
If you need a JUnit test, I can see what I can come up with for that too.
Thanks!
Robert Pappas
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3962274#3962274
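Added example, not part of the post above: a check of the two character-set conversions a Cyrillic j_username passes through in this reproduction, the container's decoding of the form POST and the loading of users.properties. It assumes the login module reads the file with java.util.Properties.load(InputStream), which always decodes ISO-8859-1, and that the container falls back to ISO-8859-1 when the request names no charset; the class name and credentials are constructed.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Properties;

public class Utf8LoginCheck {
    // Constructed sample credentials (Cyrillic "ivan" / "parol"), not from the post.
    static final String USER = "\u0438\u0432\u0430\u043d";
    static final String PASS = "\u043f\u0430\u0440\u043e\u043b\u044c";

    // What the login module receives when the browser sends UTF-8 bytes
    // but the container decodes the POST body as ISO-8859-1.
    static String decodedAsLatin1(String typed) {
        return new String(typed.getBytes(StandardCharsets.UTF_8), StandardCharsets.ISO_8859_1);
    }

    // Same result as running native2ascii over the file: non-ASCII
    // characters are written as backslash-u Unicode escapes.
    static String escape(String s) {
        StringBuilder sb = new StringBuilder();
        for (char c : s.toCharArray()) {
            if (c < 128) sb.append(c);
            else sb.append(String.format("\\u%04x", (int) c));
        }
        return sb.toString();
    }

    // Properties.load(InputStream) treats every byte as one ISO-8859-1 character.
    static Properties load(byte[] fileBytes) throws IOException {
        Properties p = new Properties();
        p.load(new ByteArrayInputStream(fileBytes));
        return p;
    }

    static boolean matches(Properties users, String name, String password) {
        return password.equals(users.getProperty(name));
    }

    public static void main(String[] args) throws IOException {
        Properties rawUtf8 = load((USER + "=" + PASS + "\n").getBytes(StandardCharsets.UTF_8));
        Properties escaped = load((escape(USER) + "=" + escape(PASS) + "\n")
                .getBytes(StandardCharsets.ISO_8859_1));
        String badUser = decodedAsLatin1(USER), badPass = decodedAsLatin1(PASS);

        System.out.println("escaped file,   UTF-8 request:   " + matches(escaped, USER, PASS));
        System.out.println("escaped file,   Latin-1 request: " + matches(escaped, badUser, badPass));
        System.out.println("raw UTF-8 file, UTF-8 request:   " + matches(rawUtf8, USER, PASS));
        System.out.println("raw UTF-8 file, Latin-1 request: " + matches(rawUtf8, badUser, badPass));
    }
}
```

A login succeeds only when both hops agree on the charset, so comparing the code points of the received j_username with the keys actually loaded from users.properties shows which hop differs.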