[seam-issues] [JBoss JIRA] Commented: (JBSEAM-3908) RememberMe on JBoss 5 loses part of the username when formatted as an email address
Wulf Rowek (JIRA)
jira-events at lists.jboss.org
Thu Feb 18 05:48:10 EST 2010
[ https://jira.jboss.org/jira/browse/JBSEAM-3908?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12515177#action_12515177 ]
Wulf Rowek commented on JBSEAM-3908:
------------------------------------
This issue has the same cause as https://jira.jboss.org/jira/browse/JBSEAM-4398:
I found out that org.jboss.seam.faces.Selector, which is used to store the username in a cookie to remember it, uses version 0 (Netscape spec) cookies.
Version 0 cookies can contain any chars in the value without quoting it, except ',', ';' and ' '.
Version 1 (RFC 2965 in conjunction with RFC 2616) rejects more chars (e.g. '@') in an unquoted cookie value.
It seems that Tomcat recognizes version 0 cookies when sending them in an HTTP response, so it doesn't force quoting the value unless there is one of ',', ';' or ' ' in the value (org.apache.tomcat.util.http.ServerCookie; with one exception: one can set the system property org.apache.catalina.STRICT_SERVLET_COMPLIANCE = false, in which case a version 0 cookie will be handled as version 1 when processing the value for quoting).
But Tomcat parses received cookies in a request only in a version 1 way (org.apache.tomcat.util.http.Cookies), thus truncating an unquoted string on occurrence of a separator char like '@' or '='.
My suggestion is to use version-1-conformant cookies in org.jboss.seam.faces.Selector, just by setting cookie.setVersion(1); in setCookieValueIfEnabled.
> RememberMe on JBoss 5 loses part of the username when formatted as an email address
> -----------------------------------------------------------------------------------
>
> Key: JBSEAM-3908
> URL: https://jira.jboss.org/jira/browse/JBSEAM-3908
> Project: Seam
> Issue Type: Bug
> Components: Security
> Affects Versions: 2.1.1.CR1, 2.1.1.GA
> Environment: JBoss 5.0.0.GA
> Java 1.6.0_07
> Mac OS X 10.5.6
> Both Firefox 3.0.5 and Safari 3.2.1
> Reporter: Cameron Fieber
> Assignee: Shane Bryzak
>
> This is reproducible with the seam-space sample application:
> # Deploy seam-space on JBoss 5.0.0.GA
> # Sign up for a new account, and for username use an email address (user@host.net)
> # Sign out.
> # Sign in with the username and password with 'Remember Me' checked
> # Sign out. You should notice that the username that is autopopulated is only 'user' not 'user@host.net'
> I've tested it on both 2.1.1.CR1 and 2.1.1.GA.
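The truncation described in the comment above can be reproduced without Tomcat. The following is an added illustration, not Seam or Tomcat code: a small Cookie request-header parser that, like the token-oriented parsing the comment attributes to org.apache.tomcat.util.http.Cookies, reads an unquoted value as an RFC 2616 token (so it stops at the first separator such as '@' or '=') but reads a quoted-string in full. The serializer mimics what a browser would echo back for a version 0 cookie (value emitted as-is, quoted only on ',', ';' or ' ') versus a version 1 cookie (value always quoted, with $Version=1 sent first). The separator set is RFC 2616 section 2.2; the function names and the sample cookie values are this example's own.

```python
"""Simulate why an unquoted version 0 cookie value with '@' loses its tail
when read back by a version 1 (RFC 2616 token) parser, and why quoting the
value (version 1, as Selector would after cookie.setVersion(1)) fixes it.
This is an added illustration, not Seam or Tomcat code."""

# RFC 2616 section 2.2 "separators": any of these ends an unquoted token.
SEPARATORS = set('()<>@,;:\\"/[]?={} \t')


def cookie_request_header(name, value, version=0):
    """Return the Cookie header text a browser would send back for one cookie.

    version 0 (Netscape): value is sent as-is; it is only double-quoted when
    it contains ',', ';' or ' ' (the rule the comment describes for v0).
    version 1 (RFC 2965): value is always double-quoted and $Version=1 leads.
    """
    if version == 0:
        if any(c in value for c in ',; '):
            value = '"' + value.replace('"', '\\"') + '"'
        return f"{name}={value}"
    quoted = '"' + value.replace('\\', '\\\\').replace('"', '\\"') + '"'
    return f"$Version=1; {name}={quoted}"


def parse_cookie_header(header):
    """Token-oriented parse of a Cookie request header (RFC 2616 style).

    An unquoted value is a token and ends at the first separator; whatever
    follows up to the next ';' or ',' is dropped. A quoted-string is taken
    whole (with backslash escapes). $-prefixed names are attributes, not
    cookies. Returns a dict name -> value (first occurrence wins).
    """
    cookies = {}
    i, n = 0, len(header)
    while i < n:
        # skip whitespace and pair delimiters
        while i < n and header[i] in ' \t;,':
            i += 1
        start = i
        while i < n and header[i] not in SEPARATORS:
            i += 1
        name = header[start:i]
        value = ''
        if i < n and header[i] == '=':
            i += 1
            if i < n and header[i] == '"':
                # quoted-string: read until the closing unescaped quote
                i += 1
                buf = []
                while i < n and header[i] != '"':
                    if header[i] == '\\' and i + 1 < n:
                        i += 1
                    buf.append(header[i])
                    i += 1
                i += 1  # step over the closing quote
                value = ''.join(buf)
            else:
                # token: stops at '@', '=', etc.; the tail is lost below
                start = i
                while i < n and header[i] not in SEPARATORS:
                    i += 1
                value = header[start:i]
        # discard anything left before the next pair delimiter
        while i < n and header[i] not in ';,':
            i += 1
        if name and not name.startswith('$') and name not in cookies:
            cookies[name] = value
    return cookies


def roundtrip(name, value, version):
    """Serialize a cookie as the browser would echo it, parse it back, and
    return the value the server would see (None if the cookie is lost)."""
    return parse_cookie_header(cookie_request_header(name, value, version)).get(name)


if __name__ == "__main__":
    # Constructed sample: the username from the issue, both cookie versions.
    for version in (0, 1):
        print(f"version {version}: {roundtrip('username', 'user@host.net', version)!r}")
```

Running it shows 'user' for version 0 and 'user@host.net' for version 1, which is the symptom in the issue and the effect of the suggested setVersion(1) change. Note that the version 0 rule does protect values containing ',', ';' or ' ' by quoting them, so only values with the other RFC 2616 separators ('@', '=', '/', ':' and so on) are affected.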