1 2 Previous Next 15 Replies Latest reply on Oct 21, 2010 3:11 PM by Thamayanthi K

    can username be UTF-8

    Dave Chen Master

      Web application using JBoss and servlets.
      I am using FORM authentication. Can username be UTF-8?
      I create an account, its username is in UTF-8 encoding, chinese characters.
      But login was not successful. Can JBoss built-in authentication handle UTF-8 encoding for username?

      Ascii username works.

      I tried to use a filter to set request encoding to UTF-8, but the filter was not called for URL pattern "j_security_check".

      <filter-mapping>
      <filter-name>filter</filter-name>
      <url-pattern>/j_security_check</url-pattern>
      </filter-mapping>

      Thanks for help.

        • 1. Re: can username be UTF-8
          chris griffith Expert

          javatwo,

          I do not know if JBoss has any limitations of character encoding, but there are a few things about your question that I may be able to help with.

          Note: assuming you are using Tomcat...

          First, if you created a filter with url-pattern = 'j_security_check', it will never be executed. This is because, Tomcat's org.apache.catalina.authenticators.FormAuthenticator in the request pipeline will intercept the request as part of container managed security. If this does not make sense let me know and I will explain further.

          Second, there can be many reasons why login failed. Can you provide some TRACE loggin of org.jboss.security and org.jboss.web.tomcat.security loggers.

          cgriffith

          • 2. Re: can username be UTF-8
            Dave Chen Master

            Thanks for reply, j2ee_junkie.
            Right now I am using a filter to set request encoding to UTF-8 for all requests in order to support chinese characters. It works great except Form login. The username is created in UTF-8 and stored in database.

            The related part in login-config.xml

            <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
            flag="required">

            <module-option name="dsJndiName">java:/DefaultDS</module-option>
            <module-option name="principalsQuery">
            select password from User where username=?
            </module-option>

            So I suspect the FORM login need to go through a filter to set its encoding to UTF-8. Otherwise, the server side would assume iso-8859-1 encoding, and it would find the username in database table. Is there a way to print out the username when tomcat query the databse.

            I looked the logging directory, I could not find logging of the packages you mentioned.

            Thanks for ideas. Have a nice day!

            • 3. Re: can username be UTF-8
              chris griffith Expert

              javatwo,

              As I mentioned below, the filter is useless during FORM login. All that login stuff happens in the container level. Filters are at the web-app/servlet level.

              I am not speaking from experience, but what about the web-app.xml's locale-encoding-mapping-list configuration. In any case, the solution is probably not found in a JBoss configuration. Submitting of form values is servlet container specific.

              cegriff

              • 4. Re: can username be UTF-8
                Dave Chen Master

                 

                "j2ee_junkie" wrote:
                javatwo,

                As I mentioned below, the filter is useless during FORM login. All that login stuff happens in the container level. Filters are at the web-app/servlet level.

                I am not speaking from experience, but what about the web-app.xml's locale-encoding-mapping-list configuration. In any case, the solution is probably not found in a JBoss configuration. Submitting of form values is servlet container specific.

                cegriff


                HI j2ee_junkie,

                Thanks again.
                Where is the web-app.xml? I am using JSF, and have web.xml and faces-config.xml. That might solve the problem if web-app.xml has a place to set encoding.

                Form login will go through web container before going to JAAS. There should be a place to let the web container know the form encoding.

                Regards,

                • 5. Re: can username be UTF-8
                  chris griffith Expert

                  I am sorry for the error. I meant web.xml's web-app element. The schema (found at http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd) has a locale-encoding-mapping element that seems to be what your looking for. However, I have never used this myself. Please keep me posted of it's use.

                  later, cgriffith

                  • 6. Re: can username be UTF-8
                    Dave Chen Master

                    I looked at the document, the locale-encoding-mapping is for response, not for request. So the web container still does not know the request encoding coming from the client machine. One thing I do not understand: the default is iso8859, but I think the default should be UTF-8.

                    Thanks!

                    • 7. Re: can username be UTF-8
                      spetratos Newbie

                      I'm having the same issue. Even thought my login jsp sets the encoding to utf-8, it seems that it is ignored. Therefore, any username with wide characters can't login. The only way I got this working was by adding a URIEncoding=utf-8 to the server.xml for Tomcat, and use a "GET" versus a "POST".

                      When a user with username = "??c" tries to loggin, I see the following in the request (using ieHTTPHeaders) :
                      POST /zpm/j_security_check HTTP/1.1
                      Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel,

                      application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*
                      Referer: http://localhost:8080/zpm/pricelab_frameset.jsp
                      Accept-Language: en-us
                      Content-Type: application/x-www-form-urlencoded
                      Accept-Encoding: gzip, deflate
                      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; FunWebProducts; SV1; .NET CLR 2.0.50727)
                      Host: localhost:8080
                      Content-Length: 44
                      Connection: Keep-Alive
                      Cache-Control: no-cache
                      Cookie: JSESSIONID=229F4125F6F48356925F7F4BA46DFC0B

                      j_username=%DA%88%D0%B4c&j_password=password

                      You can see that the username is not what was entered.

                      This is using JBOSS 4.0.1 sp1.

                      • 8. Re: can username be UTF-8
                        spetratos Newbie

                        username has characters with codes U+0688, U+0434, U+0063.

                        • 9. Re: can username be UTF-8
                          Casey Helbling Newbie

                          I am seeing the same behaviour as previously described. Text fields in my form-login.jsp posting to j_security_check do not correctly follow encoding type. I am using a ? character or (ALT-0153) in my password and it gets garbled. I have set my web.xml to include the locale-encoding-mapping-list as follows but it doesn't seem to have an effect.

                           <locale-encoding-mapping-list>
                           <locale-encoding-mapping>
                           <locale>en</locale>
                           <encoding>UTF-8</encoding>
                           </locale-encoding-mapping>
                           <locale-encoding-mapping>
                           <locale>en_US</locale>
                           <encoding>UTF-8</encoding>
                           </locale-encoding-mapping>
                           </locale-encoding-mapping-list>
                          

                          Thoughts?

                          • 10. Re: can username be UTF-8
                            Robert Pappas Newbie

                            Has there been any solution to this problem?

                            I have run into as well using JBoss 4.0.3SP1 (and 4.0.4GA).

                            In my Web Applications, I can login with English usernames and passwords just fine.

                            But when I try to login with a Russian or Chineese username, the login always fails.

                            From the tracing I've done, it seems the username is getting converted to ISO-8859-1, and that's why it's failing.

                            I've done all the "standard" things to make our pages UTF-8, and this does work on every page except the login page. Something about "j_security_check" is ignoring UTF-8 and forcing a conversion to "ISO-8859-1".

                            Any thoughts? Pointers?

                            Robert Pappas

                            • 11. Re: can username be UTF-8
                              Anil Saldanha Master

                              http://jira.jboss.com/jira/browse/JBAS-3445

                              Jira issue is to write a test case to test this.

                              Are you able to submit a junit test case (that maybe utilizes apache common httpclient to make calls on your test application). If yes, then you can attach it as a zip in the JIRA issue? That way, we can resolve this issue faster if exists.

                              • 12. Re: can username be UTF-8
                                Robert Pappas Newbie

                                Well, even if I create a JUnit test case...would that really help if you guys don't have the same JBoss configuration as I do on the back-end? (Unless I zip up my whole WAR and my JBoss config and send that too?)

                                Here are some more details on the simplest way to reproduce this problem:

                                1) I've created a simple WAR with a login page and just one JSP page that is protected using J2EE (JEE) declaritive security in web.xml. Here is the relevant section of my web.xml file:

                                <login-config>
                                 <auth-method>FORM</auth-method>
                                 <realm-name>Example Form-Based Authentication Area</realm-name>
                                 <form-login-config>
                                 <form-login-page>/login.jsp</form-login-page>
                                 <form-error-page>/oops.jsp</form-error-page>
                                 </form-login-config>
                                </login-config>
                                
                                <security-constraint>
                                 <display-name>Security Constraint for "customers"</display-name>
                                 <web-resource-collection>
                                 <web-resource-name>Protected Area</web-resource-name>
                                 <url-pattern>/pages/*</url-pattern>
                                 </web-resource-collection>
                                 <auth-constraint>
                                 <role-name>customers</role-name>
                                 </auth-constraint>
                                 <user-data-constraint>
                                 <transport-guarantee>NONE</transport-guarantee>
                                 </user-data-constraint>
                                </security-constraint>
                                
                                <security-role>
                                 <role-name>customers</role-name>
                                </security-role>
                                



                                2) My login.jsp page is just a standard j_security_check form with the fields "j_username" and "j_password"

                                3) I'm using the standard JBoss login-config.xml, which defaults to the application-policy of "other" (since I don't specify one in my WAR), which uses users.properties and roles.properties for usernames and passwords and roles. I've also reproduced this problem when I try to use a Database or LDAP server for user authentication. So the authentication mechanism is probably not the issue. But using properties-based authentication is the easiest way to reproduce this problem.

                                4) I setup a user with an English name and English password in "users.properties" and "roles.properties". And I also setup a user with a Russian name and Russian password in the same properties files. (Russian, or Chineese, or any name and password that requires wide characters)

                                5) I run my site, and I try to access the protected page. The login page is displayed. I can login as the English user, but not the Russian user.

                                Does this help any? =)

                                If you need a JUnit test, I can see what I can come up with for that too.

                                Thanks!

                                Robert Pappas


                                • 13. Re: can username be UTF-8
                                  Haohua xie Newbie

                                  My Solution:
                                  I am a chinese and I am writing a website for chinese. every page in my web site is of utf-8. I use form-based authentication and org.jboss.security.auth.spi.DatabaseServerLoginModule to authenticate my users. When some of my users create their accounts with chinese characters in their login id, they can't login because DatabaseServerLoginModule can't get the correctly-encoded username. So I debug into jboss authentication module. I tried to filter all request to use UTF-8 ,but I failed because authectiation request can't be filtered by the filters defined in /WEB-INF/web.xml. I find that the DatabaseServerLoginModule can't get the encoded username corretly only because the username can't be correctly fechted from request by org.apache.catalina.authenticator.FormAuthenticator. So I need to configure org.apache.catalina.authenticator.FormAuthenticator in order to get utf-8 encoded username.
                                  i find the configuration here:
                                  http://tomcat.apache.org/tomcat-5.5-doc/config/valve.html
                                  I add a context.xml to /WEB-INF/ and deploy to my jboss server. Now the username can be fetched correctly now and my users can use chinese characters in their login id;
                                  my context.xml:





                                  my jboss is 4.20.GA

                                  • 14. Re: can username be UTF-8
                                    Haohua xie Newbie

                                     

                                    <Context>
                                     <Valve
                                     className="org.apache.catalina.authenticator.FormAuthenticator"
                                     characterEncoding="UTF-8" />
                                    </Context>


                                    1 2 Previous Next