[jboss-jira] [JBoss JIRA] Commented: (JBAS-5976) Securing web-app cause incorrect character encoding in GET/POST data
jimyip (JIRA)
jira-events at lists.jboss.org
Wed Nov 19 04:55:37 EST 2008
[ https://jira.jboss.org/jira/browse/JBAS-5976?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12438855#action_12438855 ]
jimyip commented on JBAS-5976:
------------------------------
Hi all,
I also found the problem as stated by Igor. After several days' work, it is a problem of the JBoss SX layer, which 'touches' ServletRequest.getParameterNames() (from "AbstractJavaEEHelper" and "WebResource.deriveUsefulInfo()") and causes the encoding to be set according to the OS before any character encoding filter can be applied.
I used a wrapper Request to show the calling path. Below is the stack trace:
at my.tomcat.hack.RequestHack.getParameterNames(RequestHack.java:420)
at org.jboss.security.authorization.resources.WebResource.deriveUsefulInfo(WebResource.java:152)
at org.jboss.security.authorization.resources.WebResource.toString(WebResource.java:123)
at org.jboss.security.javaee.AbstractJavaEEHelper.authorizationAudit(AbstractJavaEEHelper.java:100)
at org.jboss.security.plugins.javaee.WebAuthorizationHelper.hasUserDataPermission(WebAuthorizationHelper.java:183)
at org.jboss.web.tomcat.security.JBossWebRealm.hasUserDataPermission(JBossWebRealm.java:636)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:461)
at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:91)
at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:92)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:325)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:828)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:601)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
at java.lang.Thread.run(Thread.java:595)
I suggest re-opening this issue, and it is a very serious bug for non-English users.
Hope this helps.
> Securing web-app cause incorrect character encoding in GET/POST data
> --------------------------------------------------------------------
>
> Key: JBAS-5976
> URL: https://jira.jboss.org/jira/browse/JBAS-5976
> Project: JBoss Application Server
> Issue Type: Bug
> Security Level: Public(Everyone can see)
> Components: Web (Tomcat) service
> Affects Versions: JBossAS-5.0.0.CR1, JBossAS-5.0.0.CR2
> Environment: Fedora Linux 10
> JDK 1.6.0
> Firefox 3.0.1
> Reporter: Igor A Tarasov
> Assignee: Remy Maucherat
> Priority: Critical
> Attachments: index.jsp, scrshot.gif, test.war, web.xml
>
>
> A simple test page from the Tomcat FAQ (http://wiki.apache.org/tomcat/FAQ/CharacterEncoding#Q4) works correctly in a non-secure web-app.
> After applying BASIC web authentication, the character encoding of posted data is broken.
> After authentication, request.setCharacterEncoding("UTF-8") in a request filter has no effect either.
> It does not matter which login module is in use, org.jboss.security.auth.spi.UsersRolesLoginModule or my own login module.
> It seems that authentication causes the Request object to be accessed in the app server _before_ it can be accessed in the user request filter.
> After that, setting request.setCharacterEncoding does not work.
> The insecure web application works fine and non-ASCII characters appear correctly.
> This bug started in the CR releases of JBoss 5.
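
The ordering problem described in this thread, as an added example that is not part of the original message and is not JBoss or Tomcat code: a simplified model of a request object that decodes its parameters once, on first access, so a later setCharacterEncoding call has no effect. The class ModelRequest, the ISO-8859-1 fallback and the sample form body are assumptions made for the illustration.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.util.*;

public class ParseOnceDemo {
    // Hypothetical model of a container request: parameters are decoded once and cached.
    static class ModelRequest {
        private final String rawBody;        // percent-encoded form body as sent by the browser
        private String encoding;             // null until setCharacterEncoding is called
        private Map<String, String> params;  // filled by the first parameter access

        ModelRequest(String rawBody) { this.rawBody = rawBody; }

        void setCharacterEncoding(String enc) {
            if (params == null) encoding = enc;  // ignored once parameters have been parsed
        }
        Set<String> getParameterNames() { return parse().keySet(); }
        String getParameter(String name) { return parse().get(name); }

        private Map<String, String> parse() {
            if (params != null) return params;   // already decoded: the charset is frozen
            String cs = (encoding != null) ? encoding : "ISO-8859-1"; // fallback assumed for this model
            params = new LinkedHashMap<>();
            try {
                for (String pair : rawBody.split("&")) {
                    String[] kv = pair.split("=", 2);
                    String value = kv.length > 1 ? URLDecoder.decode(kv[1], cs) : "";
                    params.put(URLDecoder.decode(kv[0], cs), value);
                }
            } catch (UnsupportedEncodingException e) {
                throw new IllegalStateException(e);
            }
            return params;
        }
    }

    public static void main(String[] args) {
        // Constructed sample: a five-letter Cyrillic name, UTF-8 encoded and percent-escaped.
        String body = "name=%D0%98%D0%B3%D0%BE%D1%80%D1%8C";
        String expected = "\u0418\u0433\u043e\u0440\u044c";

        ModelRequest filterFirst = new ModelRequest(body);
        filterFirst.setCharacterEncoding("UTF-8");   // encoding filter runs before any access
        System.out.println("filter first, intact:  " + expected.equals(filterFirst.getParameter("name")));

        ModelRequest touchedEarly = new ModelRequest(body);
        touchedEarly.getParameterNames();            // early access, like the audit call in the stack trace
        touchedEarly.setCharacterEncoding("UTF-8");  // arrives after the parameters were decoded
        System.out.println("touched early, intact: " + expected.equals(touchedEarly.getParameter("name")));
    }
}
```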