PQ91656: Using SSOAuthenticator to implement custom login servlet, Custom Registry doesn't receive valid password if it contains umlauts

 A fix is available

PQ91656; 5.0.2.6: Registry does not receive valid password



APAR status
Closed as program error.

Error description
The class SSOAuthenticator (websphere.jar) converts the given
password into a byte[] using the getBytes() method of class
String.  This method uses the system codepage when generating a
byte[].  The system codepage of Windows is CP1252.  The
SSOAuthenticator uses the PrincipalAuthenticator to perform the
login.  The implementation of this class converts the byte[]
back into a String using the StringByteConversion util class
(both classes can be found in the iwsorb.jar library).  The util
class creates the String using UTF-8:  String s = new
String(bytes,"UTF-8"). Thus, the password gets truncated at the
first umlaut:  Example: "testホルレ" becomes  "test"

Since the log file doesn't contain the current codepage and
password, I've chosen to decompile some classes to find out
what's going on.  Using a decompiler helps solve this problem. I
thought that the problem of umlauts is caused by different
codepages. I've decompiled and analyzed the SSOAuthenticator and
the classes invoked by the SSOAuthenticator.
Local fix
n/a
Problem summary
****************************************************************
* USERS AFFECTED: WebSphere Application Server security        *
*                 users implementing custom login.             *
****************************************************************
* PROBLEM DESCRIPTION: When using SSOAuthenticator to          *
*                      perform custom login, login fails if    *
*                      user's password contains characters     *
*                      different from the platform's code      *
*                      pages.                                  *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
When using SSOAuthenticator to perform custom login, if the
user's password contains characters which are not in the
platform's code pages, the user fails to authenticate.  The
cause is that the platform's code page is used to convert
the password into bytes.
Problem conclusion
SSOAuthenticator now encodes password strings using UTF8
instead of default encoding.
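
The mismatch described above and the effect of the fix, as an added example (not IBM's code): `encode` and `decodeAsUtf8` are hypothetical stand-ins for the SSOAuthenticator and StringByteConversion steps, windows-1252 is pinned explicitly in place of the platform default, and the password is a constructed sample.

```java
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;

public class PasswordEncodingDemo {
    // Assumption: stands in for the Windows platform default that getBytes() picked up.
    static final Charset PLATFORM = Charset.forName("windows-1252");

    // Hypothetical stand-in for the sending side: String -> byte[] in a given charset.
    static byte[] encode(String password, Charset cs) {
        return password.getBytes(cs);
    }

    // Hypothetical stand-in for the receiving side, which always decodes as UTF-8.
    static String decodeAsUtf8(byte[] bytes) {
        return new String(bytes, StandardCharsets.UTF_8);
    }

    // Hex dump so the differing byte sequences are visible.
    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) {
            sb.append(String.format("%02x ", b & 0xff));
        }
        return sb.toString().trim();
    }

    public static void main(String[] args) {
        // Constructed sample password: "test" followed by a-, o- and u-umlaut.
        String password = "test\u00e4\u00f6\u00fc";

        byte[] before = encode(password, PLATFORM);               // behaviour before the fix
        byte[] after = encode(password, StandardCharsets.UTF_8);  // behaviour after the fix

        String seenBefore = decodeAsUtf8(before);
        String seenAfter = decodeAsUtf8(after);

        System.out.println("platform bytes: " + hex(before));
        System.out.println("UTF-8 bytes:    " + hex(after));
        System.out.println("registry match, platform encoding: " + password.equals(seenBefore));
        System.out.println("registry match, UTF-8 encoding:    " + password.equals(seenAfter));
        System.out.println("ASCII prefix preserved:            " + seenBefore.startsWith("test"));
    }
}
```

The standard `String(byte[], Charset)` constructor substitutes U+FFFD for malformed bytes rather than dropping them, so the exact corrupted value can differ from the truncation reported here. In both cases the registry receives a password other than the one the user entered, and only the ASCII prefix survives.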
Temporary fix
Test fix provided.
Comments
APAR information
APAR number: PQ91656
Reported component name: WAS BASE 5.0
Reported component ID: 5630A3600
Reported release: 00A
Status: CLOSED PER
PE: NoPE
HIPER: NoHIPER
Special Attention: NoSpecatt
Submitted date: 2004-07-19
Closed date: 2004-07-19
Last modified date: 2004-07-19

APAR is sysrouted FROM one or more of the following:
PQ89840

APAR is sysrouted TO one or more of the following:

Modules/Macros

Publications Referenced

Fix information
Fixed component name: WAS BASE 5.0
Fixed component ID: 5630A3600

Applicable component levels
R10A PSY    UP
R10H PSY    UP
R10S PSY    UP
R10W PSY    UP
R00A PSY    UP
R00H PSY    UP
R00W PSY    UP


Document Information


Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server > General
Operating system(s):
Software version: 00A
Software edition:
Reference #: PQ91656
IBM Group: Software Group
Modified date: Jul 19, 2004