[jboss-jira] [JBoss JIRA] Updated: (JBAS-5976) Securing web-app cause incorrect character encoding in GET/POST data

Igor A Tarasov (JIRA) jira-events at lists.jboss.org
Wed Sep 24 17:43:25 EDT 2008


     [ https://jira.jboss.org/jira/browse/JBAS-5976?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Igor A Tarasov updated JBAS-5976:
---------------------------------

    Attachment: test.war


Attached test.war

Test PASS in clean installation of Tomcat 6
Server version: Apache Tomcat/6.0.18
Server built:   Jul 22 2008 02:00:36
Server number:  6.0.18.0

Test FAIL in clean installation of JBoss 5 RC2
Release ID: JBoss [Morpheus] 5.0.0.CR2 (build: SVNTag=JBoss_5_0_0_CR2 date=200809171139)

Configuration requirement:
1) add URIEncoding="UTF-8" to <Connector> element in server.xml
2) configure security of server for user authentication in role 'test' (this role is described in web.xml of test.war)
  # For Tomcat add this to conf/tomcat-users.xml:
  <role rolename="test"/>
  <user username="test" password="test" roles="test"/>

  # For JBoss, use server/${name}/conf/roles.properties and users.properties for application-policy "other" in login-config.xml

After authentication, the JBoss server corrupts posted data by converting non-ASCII chars in UTF-8 to ISO-8859-1.
Without authentication, everything works fine. It's impossible to use JBoss with authentication to post <FORM> data in non-ASCII.
Tomcat works fine in both cases.

You can simply say that you have no time and are not interested in my report. I'm not interested in convincing anyone. I'm just pointing at a potential problem in your software and giving enough detailed information about it to make your software release better. You need only some minimal attention to reproduce it.

Also, this test passes on Jetty 6 and Resin 3.x servers.




> Securing web-app cause incorrect character encoding in GET/POST data
> --------------------------------------------------------------------
>
>                 Key: JBAS-5976
>                 URL: https://jira.jboss.org/jira/browse/JBAS-5976
>             Project: JBoss Application Server
>          Issue Type: Bug
>      Security Level: Public(Everyone can see) 
>          Components: Web (Tomcat) service
>    Affects Versions: JBossAS-5.0.0.CR1, JBossAS-5.0.0.CR2
>         Environment: Fedora Linux 10
> JDK 1.6.0
> Firefox 3.0.1
>            Reporter: Igor A Tarasov
>            Assignee: Remy Maucherat
>            Priority: Critical
>         Attachments: index.jsp, test.war, web.xml
>
>
> The simple test page from the Tomcat FAQ (http://wiki.apache.org/tomcat/FAQ/CharacterEncoding#Q4) works correctly in a non-secure web-app.
> After applying BASIC web authentication, the character encoding of posted data is broken.
> After authentication, request.setCharacterEncoding("UTF-8") in a request filter has no effect either.
> No matter which login module is in use, org.jboss.security.auth.spi.UsersRolesLoginModule or my own login module.
> It seems that authentication causes access to the Request object in the app server _before_ it can be accessed in the user request filter.
> After that, setting request.setCharacterEncoding does not work.
> The insecure web application works fine and non-ASCII characters appear correctly.
> This bug starts in CR-releases of JBoss 5.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
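
The ordering problem described in the report above, as an added illustration that is not part of the original message and is not JBoss or Tomcat code: a toy Java model of a request that decodes its form parameters once, on first access, using ISO-8859-1 unless a character encoding was set beforehand. The `ModelRequest` class and the sample form body are constructed for this example.

```java
import java.net.URLDecoder;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.Map;

// Toy model (hypothetical class, not the servlet API or JBoss code) of a request
// whose form body is decoded once, on the first parameter access.
public class ParseOnceDemo {
    static class ModelRequest {
        private final String rawBody;                            // percent-encoded form body
        private Charset encoding = StandardCharsets.ISO_8859_1;  // default when none is set
        private Map<String, String> params;                      // null until first access

        ModelRequest(String rawBody) { this.rawBody = rawBody; }

        // Only honoured before the parameters have been parsed.
        void setCharacterEncoding(Charset cs) {
            if (params == null) encoding = cs;
        }

        String getParameter(String name) {
            if (params == null) {                                // parse once, cache the result
                params = new HashMap<>();
                for (String pair : rawBody.split("&")) {
                    String[] kv = pair.split("=", 2);
                    params.put(URLDecoder.decode(kv[0], encoding),
                               kv.length > 1 ? URLDecoder.decode(kv[1], encoding) : "");
                }
            }
            return params.get(name);
        }
    }

    public static void main(String[] args) {
        String body = "mode=test&name=%C3%A9t%C3%A9";  // constructed sample: "été" sent as UTF-8

        ModelRequest open = new ModelRequest(body);
        open.setCharacterEncoding(StandardCharsets.UTF_8);     // application filter runs first
        String ok = open.getParameter("name");
        System.out.println("filter first:     " + ok + " (length " + ok.length() + ")");

        ModelRequest secured = new ModelRequest(body);
        secured.getParameter("mode");                          // an earlier component reads a parameter
        secured.setCharacterEncoding(StandardCharsets.UTF_8);  // too late: values already cached
        String bad = secured.getParameter("name");
        System.out.println("early read first: " + bad + " (length " + bad.length() + ")");
    }
}
```

The second case mirrors the symptom in the report: each two-byte UTF-8 sequence comes back as two ISO-8859-1 characters, and the later encoding call changes nothing.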

        


