[jboss-jira] [JBoss JIRA] Commented: (JBAS-6213) Securing web-app REALLY causes incorrect character encoding in GET/POST data

jimyip (JIRA) jira-events at lists.jboss.org
Wed Nov 19 21:24:36 EST 2008


    [ https://jira.jboss.org/jira/browse/JBAS-6213?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12439002#action_12439002 ] 

jimyip commented on JBAS-6213:
------------------------------

Hi Anil,

Actually, I was using a valve to find out what was going on.
However, a valve is not a good way to solve this problem. For non-English users, they will face this problem and lose many hairs until they find out from the web that they have to do an extra configuration to set the encoding in the valve.

Most developers know to set the character encoding in a FILTER, but the JBoss structure forces them to use a valve to do the same thing. I don't know how other JEE app servers solve this problem, but to users (developers), a valve is absolutely not a good method. Developers will not expect that JBoss has touched the request parameters BEFORE their client code touches them.

Besides setting "enableAuditFlag" to false by default in the audit config (JBAS-6217), I suggest adding parameters to the audit config:
1) an 'auditCharacterEncoding' parameter to 'help' users set the encoding so they do not need a filter or valve; OR/AND
2) an 'enableAuditRequestParameter' parameter ('false' by default) to let users choose whether they want to log the request parameter info.

Currently, is there any way to add interceptors / filters (but not a valve) before the JBoss security check is processed?


> Securing web-app REALLY causes incorrect character encoding in GET/POST data
> ----------------------------------------------------------------------------
>
>                 Key: JBAS-6213
>                 URL: https://jira.jboss.org/jira/browse/JBAS-6213
>             Project: JBoss Application Server
>          Issue Type: Bug
>      Security Level: Public(Everyone can see) 
>          Components: Security, Web (Tomcat) service
>    Affects Versions: JBossAS-5.0.0.CR1, JBossAS-5.0.0.CR2
>         Environment: Fedora 8
> JDK 1.5+
> IE 7/Firefox 3
>            Reporter: jimyip
>            Assignee: Anil Saldhana
>            Priority: Critical
>
> A similar problem was found, as stated in JBAS-5976.
> I also found the problem as stated by Igor. After several days' work, it is the problem of the JBoss SX layer, which 'touches' ServletRequest.getParameterNames() (from "AbstractJavaEEHelper" and "WebResource.deriveUsefulInfo()") and causes the encoding to be set according to the OS before any character encoding filter can be applied.
> I used a wrapper Request to show the calling path. Below is the stack trace:
>         at my.tomcat.hack.RequestHack.getParameterNames(RequestHack.java:420)
>         at org.jboss.security.authorization.resources.WebResource.deriveUsefulInfo(WebResource.java:152)
>         at org.jboss.security.authorization.resources.WebResource.toString(WebResource.java:123)
>         at org.jboss.security.javaee.AbstractJavaEEHelper.authorizationAudit(AbstractJavaEEHelper.java:100)
>         at org.jboss.security.plugins.javaee.WebAuthorizationHelper.hasUserDataPermission(WebAuthorizationHelper.java:183)
>         at org.jboss.web.tomcat.security.JBossWebRealm.hasUserDataPermission(JBossWebRealm.java:636)
>         at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:461)
>         at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:91)
>         at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:92)
>         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
>         at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>         at my.tomcat.valve.RequestInspectorValve.invoke(RequestInspectorValve.java:90)
>         at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
>         at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>         at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:325)
>         at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:828)
>         at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:601)
>         at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
>         at java.lang.Thread.run(Thread.java:595)

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
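As an added illustration (not code from this issue or from JBoss), a hypothetical stand-in for the container request that reproduces the parse-once behaviour behind this report: whichever code calls getParameterNames() first fixes the charset, so the audit call visible in the stack trace wins over a CharacterEncodingFilter that runs later. Class and method names are mine; it assumes Java 10+ for URLDecoder.decode(String, Charset).

```java
import java.net.URLDecoder;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.util.*;

public class ParseOrderDemo {
    /** Hypothetical stand-in for a Catalina request: form parameters are decoded once, on first access. */
    static final class SimRequest {
        private final String rawBody;                           // x-www-form-urlencoded, pure ASCII
        private Charset encoding = StandardCharsets.ISO_8859_1; // container default when nothing is set
        private Map<String, String> params;                     // null until the first getParameter*() call

        SimRequest(byte[] body) { rawBody = new String(body, StandardCharsets.US_ASCII); }

        /** Like ServletRequest.setCharacterEncoding(): has no effect once parameters were parsed. */
        void setCharacterEncoding(String name) { if (params == null) encoding = Charset.forName(name); }
        Set<String> getParameterNames() { parse(); return params.keySet(); }
        String getParameter(String name) { parse(); return params.get(name); }

        private void parse() {
            if (params != null) return;                         // parse-once: later encoding changes are lost
            params = new LinkedHashMap<>();
            for (String pair : rawBody.split("&")) {
                String[] kv = pair.split("=", 2);
                params.put(URLDecoder.decode(kv[0], encoding),
                           URLDecoder.decode(kv.length > 1 ? kv[1] : "", encoding));
            }
        }
    }

    /** Order from the stack trace: the audit enumerates parameters, the app's encoding filter runs later. */
    static String auditBeforeFilter(byte[] body) {
        SimRequest req = new SimRequest(body);
        req.getParameterNames();            // WebResource.deriveUsefulInfo(): parses with ISO-8859-1
        req.setCharacterEncoding("UTF-8");  // CharacterEncodingFilter: too late, silently ignored
        return req.getParameter("name");    // six Latin-1 characters instead of two CJK characters
    }

    /** Encoding set before anything touches parameters (the valve workaround, or a fixed audit layer). */
    static String filterBeforeAudit(byte[] body) {
        SimRequest req = new SimRequest(body);
        req.setCharacterEncoding("UTF-8");
        req.getParameterNames();
        return req.getParameter("name");    // decoded with the charset the application intended
    }

    public static void main(String[] args) {
        // Constructed sample body: name=中文, percent-encoded from its UTF-8 bytes
        byte[] body = "name=%E4%B8%AD%E6%96%87".getBytes(StandardCharsets.US_ASCII);
        System.out.println("audit first : " + auditBeforeFilter(body));
        System.out.println("filter first: " + filterBeforeAudit(body));
    }
}
```

The same ordering rule applies to the query string of a GET, which the connector decodes with its own configured URI encoding rather than the request body charset.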
