  1. JBoss Enterprise Application Platform
  2. JBEAP-5188

Doesn't work using non-ASCII chars for username and/or password for BASIC authentication.


Details

    • Bug
    • Resolution: Duplicate
    • Major
    • None
    • 7.0.1.CR2
    • Security
    • None
    • Target release 7.2. Upstream WFLY-6823. Closing JBEAP issue.

      Reproducer:

      Add this security domain to the configuration and set the right paths to usersProperties and rolesProperties (these files are created below):

      <security-domain name="ldap-domain" cache-type="default">
        <authentication>
          <login-module code="UsersRoles" flag="optional">
            <module-option name="usersProperties" value="/path/to/users.properties"/>
            <module-option name="rolesProperties" value="/path/to/roles.properties"/>
          </login-module>
        </authentication>
      </security-domain>

      Create a new file users.properties with content:
      #userWithÄÖÜäöüUmlauts=Password1
      userWith\u00c4\u00d6\u00dc\u00e4\u00f6\u00fcUmlauts=Password1
      admin=Password1
      userWithUmlautPass=userWith\u00c4\u00d6\u00dc\u00e4\u00f6\u00fcUmlauts

      Create a new file roles.properties with content:
      userWith\u00c4\u00d6\u00dc\u00e4\u00f6\u00fcUmlauts=JBossAdmin
      userWithUmlautPass=JBossAdmin
      admin=JBossAdmin

      Deploy the WAR deployment (app.war is attached).

      Then you can try to log in:
      http://localhost:8080/app/protected/SimpleSecuredServlet


    Description

      Doesn't work using non-ASCII chars for username and/or password for BASIC authentication.
      We noticed it when we looked at Jira issue https://issues.jboss.org/browse/JBEAP-3603.
      JBoss EAP 7 expects encoded UTF-8 strings in code. But we didn't find any information about it in the specification.
      It works with Chrome and Opera, but it doesn't work with Firefox.

      Since there is no documentation for this username/password limitation it can affect customers who want to use non-ASCII credentials.
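
An added example (not part of the original report and not JBoss EAP code) showing how the same non-ASCII credentials produce different Authorization headers depending on the charset the client applies before Base64 encoding. It assumes the server decodes strictly as UTF-8, as the description states, and that a failing client sends ISO-8859-1, which the report does not confirm; `server_check`, its result labels and the realm name are hypothetical.

```python
import base64
import hmac

# Constructed sample: the users.properties content from the reproducer above.
USERS_PROPERTIES = r"""
userWith\u00c4\u00d6\u00dc\u00e4\u00f6\u00fcUmlauts=Password1
admin=Password1
userWithUmlautPass=userWith\u00c4\u00d6\u00dc\u00e4\u00f6\u00fcUmlauts
"""

# RFC 7617 lets the server tell clients which charset it expects.
# The realm name "app" is an assumption for this example.
CHALLENGE = 'Basic realm="app", charset="UTF-8"'

def load_users(text):
    """Parse key=value lines, resolving Java-style unicode escapes."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        decoded = line.encode("ascii").decode("unicode_escape")
        name, _, password = decoded.partition("=")
        users[name] = password
    return users

def client_header(user, password, charset):
    """Authorization header value as a client using `charset` would build it."""
    raw = f"{user}:{password}".encode(charset)
    return "Basic " + base64.b64encode(raw).decode("ascii")

def server_check(header, users):
    """Strict UTF-8 decode, then lookup: 'ok', 'bad-credentials' or 'charset-mismatch'."""
    scheme, _, token = header.partition(" ")
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:
        return "bad-credentials"
    try:
        user, sep, password = raw.decode("utf-8").partition(":")
    except UnicodeDecodeError:
        # Not valid UTF-8: report separately from a wrong password so the
        # failure can be diagnosed from logs instead of looking like a typo.
        return "charset-mismatch"
    expected = users.get(user)
    if scheme.lower() == "basic" and sep and expected is not None and \
            hmac.compare_digest(expected.encode(), password.encode()):
        return "ok"
    return "bad-credentials"
```

ASCII-only credentials such as `admin` encode to identical bytes in both charsets, which is why the problem only appears with non-ASCII usernames or passwords.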

            People

              rhn-support-ivassile Ilia Vassilev
              hsvabek_jira Hynek Švábek (Inactive)