PQ89840: Using SSOAuthenticator to implement custom login servlet, Custom Registry doesn't receive valid password if it contains umlauts

Fixes are available

5.1.1.1: WebSphere Application Server Express 5.1.1 Cumulative Fix 1
5.0.2.7: WebSphere Application Server Express 5.0.2 Cumulative Fix 7
5.0.2.12: WebSphere Application Server 5.0.2 Cumulative Fix 12
5.1.1.6: WebSphere Application Server Version 5.1.1 Cumulative Fix 6
5.0.2.13: WebSphere Application Server 5.0.2 Cumulative Fix 13
5.1.1.7: WebSphere Application Server Version 5.1.1 Cumulative Fix 7
5.0.2.14: WebSphere Application Server 5.0.2 Cumulative Fix 14 for AIX
5.0.2.14: WebSphere Application Server 5.0.2 Cumulative Fix 14 for Solaris
5.0.2.14: WebSphere Application Server 5.0.2 Cumulative Fix 14 for HP-UX
5.0.2.14: WebSphere Application Server 5.0.2 Cumulative Fix 14 for Windows
5.0.2.14: WebSphere Application Server 5.0.2 Cumulative Fix 14 for Linux
5.1.1.8: WebSphere Application Server 5.1.1 Cumulative Fix 8 for AIX
5.1.1.8: WebSphere Application Server 5.1.1 Cumulative Fix 8 for Windows
5.1.1.8: WebSphere Application Server 5.1.1 Cumulative Fix 8 for Solaris
5.1.1.8: WebSphere Application Server 5.1.1 Cumulative Fix 8 for HP-UX
5.1.1.8: WebSphere Application Server 5.1.1 Cumulative Fix 8 for Linux
5.0.2.15: WebSphere Application Server 5.0.2 Cumulative Fix 15 for Windows
5.0.2.15: WebSphere Application Server 5.0.2 Cumulative Fix 15 for Solaris
5.0.2.15: WebSphere Application Server 5.0.2 Cumulative Fix 15 for AIX
5.0.2.15: WebSphere Application Server 5.0.2 Cumulative Fix 15 for Linux
5.0.2.15: WebSphere Application Server 5.0.2 Cumulative Fix 15 for HP-UX
5.1.1.9: WebSphere Application Server V5.1.1 Cumulative Fix 9 for HP-UX
5.1.1.9: WebSphere Application Server V5.1.1 Cumulative Fix 9 for AIX
5.1.1.9: WebSphere Application Server V5.1.1 Cumulative Fix 9 for Solaris
5.1.1.9: WebSphere Application Server V5.1.1 Cumulative Fix 9 for Windows
5.1.1.9: WebSphere Application Server V5.1.1 Cumulative Fix 9 for Linux
5.0.2.16: WebSphere Application Server 5.0.2 Cumulative Fix 16 for AIX
5.0.2.16: WebSphere Application Server 5.0.2 Cumulative Fix 16 for HP-UX
5.0.2.16: WebSphere Application Server 5.0.2 Cumulative Fix 16 for Linux
5.0.2.16: WebSphere Application Server 5.0.2 Cumulative Fix 16 for Windows
5.0.2.16: WebSphere Application Server 5.0.2 Cumulative Fix 16 for Solaris
5.0.2.8: WebSphere Application Server V5.0.2 Cumulative Fix 8
5.1.1.10: WebSphere Application Server V5.1.1 Cumulative Fix 10 for HP-UX
5.1.1.10: WebSphere Application Server V5.1.1 Cumulative Fix 10 for AIX
5.1.1.10: WebSphere Application Server V5.1.1 Cumulative Fix 10 for Solaris
5.1.1.10: WebSphere Application Server V5.1.1 Cumulative Fix 10 for Windows
5.1.1.10: WebSphere Application Server V5.1.1 Cumulative Fix 10 for Linux
5.0.2.17: WebSphere Application Server 5.0.2 Cumulative Fix 17 for Windows
5.0.2.17: WebSphere Application Server 5.0.2 Cumulative Fix 17 for Solaris
5.0.2.17: WebSphere Application Server 5.0.2 Cumulative Fix 17 for HP-UX
5.0.2.17: WebSphere Application Server 5.0.2 Cumulative Fix 17 for Linux
5.0.2.17: WebSphere Application Server 5.0.2 Cumulative Fix 17 for AIX



APAR status
Closed as program error.

Error description
The class SSOAuthenticator (websphere.jar) converts the given
password into a byte[] using the getBytes() method of class
String.  This method uses the system codepage when generating a
byte[].  The system codepage of Windows is CP1252.  The
SSOAuthenticator uses the PrincipalAuthenticator to perform the
login.  The implementation of this class converts the byte[]
back into a String using the StringByteConversion util class
(both classes can be found in the iwsorb.jar library).  The util
class creates the String using UTF-8:  String s = new
String(bytes,"UTF-8"). Thus, the password gets truncated at the
first umlaut:  Example: "test   " becomes  "test"

Since the log file doesn't contain the current codepage and
password, I've chosen to decompile some classes to find out
what's going on.  Using a decompiler helps solve this problem. I
thought that the problem of umlauts is caused by different
codepages. I've decompiled and analyzed the SSOAuthenticator and
the classes invoked by the SSOAuthenticator.
Local fix
n/a
Problem summary
****************************************************************
* USERS AFFECTED: WebSphere Application Server security        *
*                 users implementing custom login.             *
****************************************************************
* PROBLEM DESCRIPTION: When using SSOAuthenticator to          *
*                      perform custom login, login fails if    *
*                      user's password contains characters     *
*                      different from the platform's code      *
*                      pages.                                  *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
When using SSOAuthenticator to perform custom login, if the
user's password contains characters which are not in the
platform's code pages, the user fails to authenticate.  The
cause is that the platform's code page is used to convert
the password into bytes.
Problem conclusion
SSOAuthenticator now encodes password strings using UTF-8
instead of the default encoding.
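The mismatch and the fix described above, as an added example (not IBM's code and not part of the original APAR). The class name, the helper methods and the sample password are constructed for illustration, and "windows-1252" stands in for the Windows default code page. A current JVM substitutes U+FFFD for the malformed bytes rather than truncating the string, but the registry still receives a different password.

```java
import java.nio.ByteBuffer;
import java.nio.charset.CharacterCodingException;
import java.nio.charset.Charset;
import java.nio.charset.CodingErrorAction;
import java.nio.charset.StandardCharsets;

public class PasswordCharsetDemo {
    // Assumption: stand-in for the Windows default code page named in the APAR.
    static final Charset PLATFORM = Charset.forName("windows-1252");

    // Receiving side as the APAR describes it: bytes are always read as UTF-8.
    // new String(...) silently replaces malformed input.
    static String lenientUtf8(byte[] bytes) {
        return new String(bytes, StandardCharsets.UTF_8);
    }

    // Strict variant: reject malformed input instead of silently altering it.
    static String strictUtf8(byte[] bytes) throws CharacterCodingException {
        return StandardCharsets.UTF_8.newDecoder()
                .onMalformedInput(CodingErrorAction.REPORT)
                .onUnmappableCharacter(CodingErrorAction.REPORT)
                .decode(ByteBuffer.wrap(bytes))
                .toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: "test" followed by a-, o- and u-umlaut.
        String password = "test\u00e4\u00f6\u00fc";

        // Before the fix: encode with the platform code page, decode as UTF-8.
        byte[] legacy = password.getBytes(PLATFORM);
        System.out.println("mismatched round trip equal: "
                + password.equals(lenientUtf8(legacy)));

        // The strict decoder surfaces the mismatch as an error.
        try {
            strictUtf8(legacy);
            System.out.println("strict decoder accepted code-page bytes");
        } catch (CharacterCodingException e) {
            System.out.println("strict decoder rejected code-page bytes: " + e);
        }

        // After the fix: both sides name UTF-8 explicitly.
        byte[] fixed = password.getBytes(StandardCharsets.UTF_8);
        System.out.println("UTF-8 round trip equal: "
                + password.equals(strictUtf8(fixed)));
    }
}
```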
Temporary fix
Test fix provided.
Comments
APAR information
APAR number PQ89840
Reported component name WEBSPHERE AE NT
Reported component ID 5630A2201
Reported release 400
Status CLOSED PER
PE NoPE
HIPER NoHIPER
Submitted date 2004-06-08
Closed date 2004-06-30
Last modified date 2004-06-30

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:
PQ91656

Modules/Macros

SRLS

Fix information

Applicable component levels
R400 PSY    UP


Document Information


Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server > General
Operating system(s):
Software version: 400
Software edition:
Reference #: PQ89840
IBM Group: Software Group
Modified date: Jun 30, 2004