[ https://jira.jboss.org/jira/browse/JBSEAM-3908?page=com.atlassian.jira.pl... ]
Wulf Rowek commented on JBSEAM-3908:
------------------------------------
This issue has the same cause as
https://jira.jboss.org/jira/browse/JBSEAM-4398:
I found out that org.jboss.seam.faces.Selector, which is used to store the username as a
cookie to remember it, uses version 0 (Netscape spec) cookies.
Version 0 cookies can contain any chars in the value without quoting it, except ',',
';' and ' '.
Version 1 (RFC 2965 in conjunction with RFC 2616) rejects more chars (i.e. '@') in an
unquoted cookie value.
It seems that Tomcat recognizes version 0 cookies when sending them in an HTTP
response, so it doesn't force quoting the value unless there is one of ',', ';' or ' '
in the value (org.apache.tomcat.util.http.ServerCookie; with one exception: one can set
the system property org.apache.catalina.STRICT_SERVLET_COMPLIANCE = false, in which case
a version 0 cookie will be handled as version 1 when processing the value for quoting).
But Tomcat parses received cookies in the request only in a version 1 way
(org.apache.tomcat.util.http.Cookies), thus truncating an unquoted string on occurrence of
a separator char like '@' or '='.
My suggestion is to use version-1-conformant cookies in org.jboss.seam.faces.Selector, just
setting cookie.setVersion(1); in setCookieValueIfEnabled.
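To illustrate the version 0 / version 1 mismatch described in the comment above, here is an added Python model (not Seam's or Tomcat's code): the cookie name `username`, the quoting rules and the parser behaviour are assumptions reconstructed only from the comment's description, and the sample values are constructed.

```python
# Added example (not Seam or Tomcat code) modelling the mismatch described above:
# version 0 quoting only escapes ',', ';', ' ', but a version 1 parser ends an
# unquoted value at any RFC 2616 separator. Cookie name/values are constructed.

SEPARATORS = set('()<>@,;:\\"/[]?={} \t')   # RFC 2616 2.2 separators, include '@' and '='
V0_SEPARATORS = {',', ';', ' '}              # only these force quoting for a version 0 cookie

def format_cookie(name, value, version):
    """Render name=value for Set-Cookie the way the comment says Tomcat does."""
    seps = V0_SEPARATORS if version == 0 else SEPARATORS
    if any(c in seps for c in value):
        return '%s="%s"' % (name, value.replace('"', '\\"'))
    return '%s=%s' % (name, value)

def parse_cookie_header_v1(header):
    """Version 1 style parse of a Cookie header: value is a quoted-string or a
    token ending at the first separator; the rest of the pair up to ';' is dropped."""
    cookies, i, n = {}, 0, len(header)
    while i < n:
        while i < n and header[i] in ' ;,':
            i += 1
        start = i
        while i < n and header[i] not in SEPARATORS:
            i += 1
        name, value = header[start:i], ''
        if not name:
            break
        if i < n and header[i] == '=':
            i += 1
            if i < n and header[i] == '"':           # quoted-string: read to closing quote
                i, buf = i + 1, []
                while i < n and header[i] != '"':
                    if header[i] == '\\' and i + 1 < n:
                        i += 1                       # quoted-pair: keep the escaped char
                    buf.append(header[i])
                    i += 1
                i, value = i + 1, ''.join(buf)
            else:                                    # token: stops at '@', '=' etc.
                start = i
                while i < n and header[i] not in SEPARATORS:
                    i += 1
                value = header[start:i]
        cookies[name] = value
        while i < n and header[i] != ';':            # truncation: remainder discarded
            i += 1
    return cookies

def round_trip(username, version):  # what Seam reads back after the browser echoes the value
    return parse_cookie_header_v1(format_cookie('username', username, version))['username']
```

With version 0 the e-mail style username comes back as just `user`; with version 1 the value is quoted on the way out and survives the round trip intact.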
RememberMe on JBoss 5 loses part of the username when formatted as an
email address
-----------------------------------------------------------------------------------
Key: JBSEAM-3908
URL: https://jira.jboss.org/jira/browse/JBSEAM-3908
Project: Seam
Issue Type: Bug
Components: Security
Affects Versions: 2.1.1.CR1, 2.1.1.GA
Environment: JBoss 5.0.0.GA
Java 1.6.0_07
Mac OS X 10.5.6
Both Firefox 3.0.5 and Safari 3.2.1
Reporter: Cameron Fieber
Assignee: Shane Bryzak
This is reproducible with the seam-space sample application:
# Deploy seam-space on JBoss 5.0.0.GA
# Sign up for a new account, and for username use an email address (user@host.net)
# Sign out.
# Sign in with the username and password with 'Remember Me' checked
# Sign out. You should notice that the username that is autopopulated is only 'user', not 'user@host.net'
I've tested it on both 2.1.1.CR1 and 2.1.1.GA.