[jboss-user] [Security & JAAS/JBoss] - Re: can username be UTF-8

trulore do-not-reply at jboss.com
Tue Aug 1 15:41:20 EDT 2006


Well, even if I create a JUnit test case...would that really help if you guys don't have the same JBoss configuration as I do on the back-end?  (Unless I zip up my whole WAR and my JBoss config and send that too?)

Here are some more details on the simplest way to reproduce this problem:

1) I've created a simple WAR with a login page and just one JSP page that is protected using J2EE (JEE) declarative security in web.xml.  Here is the relevant section of my web.xml file:

  | <login-config>
  |    <auth-method>FORM</auth-method>
  |    <realm-name>Example Form-Based Authentication Area</realm-name>
  |       <form-login-config>
  |          <form-login-page>/login.jsp</form-login-page>
  |          <form-error-page>/oops.jsp</form-error-page>
  |       </form-login-config>
  | </login-config>
  | 
  | <security-constraint>
  |    <display-name>Security Constraint for "customers"</display-name>
  |    <web-resource-collection>
  |       <web-resource-name>Protected Area</web-resource-name>
  |       <url-pattern>/pages/*</url-pattern>
  |    </web-resource-collection>
  |    <auth-constraint>
  |       <role-name>customers</role-name>
  |    </auth-constraint>
  |    <user-data-constraint>
  |       <transport-guarantee>NONE</transport-guarantee>
  |    </user-data-constraint>
  | </security-constraint>
  | 
  | <security-role>
  |    <role-name>customers</role-name>
  | </security-role>
  | 


2) My login.jsp page is just a standard j_security_check form with the fields "j_username" and "j_password"

3) I'm using the standard JBoss login-config.xml, which defaults to the application-policy of "other" (since I don't specify one in my WAR), which uses users.properties and roles.properties for usernames and passwords and roles.   I've also reproduced this problem when I try to use a Database or LDAP server for user authentication.  So the authentication mechanism is probably not the issue.  But using properties-based authentication is the easiest way to reproduce this problem.

4) I set up a user with an English name and English password in "users.properties" and "roles.properties".  And I also set up a user with a Russian name and Russian password in the same properties files.  (Russian, or Chinese, or any name and password that requires wide characters)

5) I run my site, and I try to access the protected page.  The login page is displayed.  I can login as the English user, but not the Russian user.

Does this help any?  =)

If you need a JUnit test, I can see what I can come up with for that too.

Thanks!

Robert Pappas


View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3962274#3962274

Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=3962274
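Editor's added example (not code from the poster or from JBoss): the script below models the two charset decisions that a non-Latin-1 j_username passes through in the setup described above. A servlet container decodes a POST body that carries no charset as ISO-8859-1 unless request.setCharacterEncoding() is called before the parameters are first read, and java.util.Properties.load(InputStream) always reads the file as ISO-8859-1, so characters outside Latin-1 only survive in users.properties as \uXXXX escapes (what native2ascii writes). The form body and the two users.properties variants are constructed sample data; a database or LDAP store holding real Unicode behaves like the escaped file. Which of these, if either, explains the failure reported in the post is not established by it.

```python
"""Model of how a Cyrillic j_username/j_password survives (or not) the two
charset decisions in a FORM-login + users.properties setup.
Editor's added example with constructed data, not JBoss code."""
import re
from urllib.parse import unquote_to_bytes

# Constructed: what a browser POSTs to j_security_check for user "Иван",
# password "пароль", when login.jsp is served as UTF-8.
SAMPLE_FORM_BODY = ("j_username=%D0%98%D0%B2%D0%B0%D0%BD"
                    "&j_password=%D0%BF%D0%B0%D1%80%D0%BE%D0%BB%D1%8C")


def parse_form(body: str, charset: str) -> dict:
    """Decode an application/x-www-form-urlencoded body the way a servlet
    container does on getParameter(): percent-decode to bytes, then decode
    those bytes with the request character encoding (ISO-8859-1 by default
    when the client sends no charset and setCharacterEncoding() was not
    called before the parameters were first read)."""
    params = {}
    for pair in body.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        key = unquote_to_bytes(key.replace("+", " ")).decode(charset)
        value = unquote_to_bytes(value.replace("+", " ")).decode(charset)
        params[key] = value
    return params


def unescape_java(s: str) -> str:
    """Expand \\uXXXX escapes as Properties.load() does."""
    return re.sub(r"\\u([0-9a-fA-F]{4})",
                  lambda m: chr(int(m.group(1), 16)), s)


def load_java_properties(raw: bytes) -> dict:
    """Minimal model of java.util.Properties.load(InputStream): the bytes are
    always read as ISO-8859-1 and only \\uXXXX escapes yield characters
    outside Latin-1. Handles 'key=value' lines and '#'/'!' comments only;
    like Java it strips only space, tab and form feed around key and value."""
    props = {}
    for line in raw.decode("iso-8859-1").splitlines():
        line = line.strip(" \t\f")
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[unescape_java(key.strip(" \t\f"))] = unescape_java(value.strip(" \t\f"))
    return props


def to_java_escapes(s: str) -> str:
    """Write non-ASCII characters as \\uXXXX, as native2ascii does, so the
    entry round-trips through a Latin-1 reader."""
    return "".join(c if ord(c) < 0x80 else "\\u%04x" % ord(c) for c in s)


# Constructed users.properties variants for the same Russian user.
USERS_SAVED_AS_UTF8 = "Иван=пароль\n".encode("utf-8")   # edited and saved as UTF-8
USERS_ESCAPED = (to_java_escapes("Иван") + "=" +
                 to_java_escapes("пароль") + "\n").encode("ascii")  # native2ascii output


def check_login(form_charset: str, users_file: bytes) -> bool:
    """Does the posted username/password match the properties entry,
    given the charset the container used to decode the POST body?"""
    params = parse_form(SAMPLE_FORM_BODY, form_charset)
    users = load_java_properties(users_file)
    return users.get(params["j_username"]) == params["j_password"]


if __name__ == "__main__":
    for charset in ("iso-8859-1", "utf-8"):
        for name, users in (("saved-as-UTF-8", USERS_SAVED_AS_UTF8),
                            ("\\u-escaped", USERS_ESCAPED)):
            result = "OK" if check_login(charset, users) else "FAILS"
            print(f"POST decoded as {charset:10s} / users.properties {name:14s} -> login {result}")
```

Running it prints the four combinations. Only "POST decoded as UTF-8" together with the \u-escaped file produces a genuine Unicode principal. The ISO-8859-1 / saved-as-UTF-8 pairing also passes, but only because both sides hold the same mangled byte sequence, and the principal name JBoss would then carry is mojibake; against a store that holds real Unicode (escaped file, database, LDAP) that same request decoding fails. One further point to keep in mind when testing: the browser encodes the form fields in the charset of the page the form was served from, so the login page itself must be delivered as UTF-8 for the percent-encoded bytes in the sample above to be what is sent.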



More information about the jboss-user mailing list