[jbossseam-issues] [JBoss JIRA] Commented: (JBSEAM-4398) RememberMe Issue - Base 64 encoded cookie containing '=' is not processed correctly in some cases

Miguel Cohnen (JIRA) jira-events at lists.jboss.org
Tue Oct 13 05:26:05 EDT 2009 

    [ https://jira.jboss.org/jira/browse/JBSEAM-4398?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12489548#action_12489548 ] 

Miguel Cohnen commented on JBSEAM-4398:
---------------------------------------

<security:jpa-token-store
		token-class="es.cohnen.pistayhora.entity.AuthenticationToken" />

	<security:remember-me mode="autoLogin" />	
	
	<event type="org.jboss.seam.security.notLoggedIn">
		<action execute="#{redirect.captureCurrentView}" />
		<action execute="#{identity.tryLogin()}" />
	</event>

	<event type="org.jboss.seam.security.loginSuccessful">
		<action execute="#{redirect.returnToCapturedView}" />
	</event>

This are the relevant parts of my components.xml.

I don't know if it has something to do, but I', using drool based Authorization.

Thank you!

> RememberMe Issue - Base 64 encoded cookie containing '=' is not processed correctly in some cases
> -------------------------------------------------------------------------------------------------
>
>                 Key: JBSEAM-4398
>                 URL: https://jira.jboss.org/jira/browse/JBSEAM-4398
>             Project: Seam
>          Issue Type: Bug
>    Affects Versions: 2.1.2.GA, 2.2.0.GA
>         Environment: Observed on Windows Vista, JBoss 5.1.0 GA.  Problem likely exists on other operating systems and other Tomcat 6 based systems.
>            Reporter: Peter Goldstein
>
> When attempting to use the RememberMe component in auto-login mode I discovered a bug in the cookie handling of this component.
> When attempting to log using an auth token I was encountering repeated failures - the token was simply not being found in the database. After some investigation I discovered that the problem was that the value parameter passed into the query was truncated by one character - the last character was cut off.
> I tracked the problem further back, and discovered that the truncated value originated in JBoss' Tomcat. The cookie value being passed in was missing the last two '=' characters.
> Some Google searching revealed that this was deliberate - Tomcat 6 in the JBoss 5.1.0 GA configuration enforces strict character rules in the cookie value, which excludes '='.
> I'm not sure if Tomcat 6 is 'right' or not, but I do know that either way, this is a trivial issue to address on the Seam side.
> All one has to do is replace the '=' from the Base64 encoded token value with another allowed character (say '_' or '-') before placing it in a cookie, and reverse the process when reading a cookie.
> I have a patch for this issue on the 2.2.0 GA code.  I simply need to know how to submit it.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

More information about the seam-issues mailing list