igriffiths / pwm

Automatically exported from code.google.com/p/pwm
0 stars 0 forks source link

code page mismatch between access gateway and pwm breaks basic auth #36

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Configure access gateway to send username / password in Authorization header 
(as per pwm docs)
2. Test using an account with one or more ASCII characters included in either 
the username or password. Attempt to access a pwm servlet that requires logon 
and that is configured as restricted via Access Gateway
3. PWM detects that the username/password supplied in auth header isn't 
correct, prompts user to manually enter username/password.
4. Receive an error with the wording: "user 
CN=Namtest_1,OU=Users,DC=test,DC=domain username mismatch between supplied 
username and username in basic auth header"

What is the expected output?
I would expect that the credential in the Auth header are checked and accepted 
by PWM as valid even when there are non ASCII characters in the DN, or CN form 
of username, or in the password.

What do you see instead?
Instead a user gets asked for their credentials twice (firstly by the access 
gateway, then by pwm before being given the following message: "Authentication 
error, please close your browser "

What version of the product are you using? On what operating system?
v1.5.2, windows 2003, against an AD user store

Please provide any additional information below.

I understand that there is no standard for the encoding of the auth header and 
in practice when using the auth header from browser to server, the encoding 
chosen varies from browser to browser.

However the PWM documentation recommends the use of basic auth / Authorization 
header when PWM is used in combination with an access gateway.

In such a configuration, the code page/encoding of requests from the access 
gateway would always be consistent. So is should be possible to add an option 
to configure PWM to always decode with a specific code page when the 
Authorization header is sent in a request to PWM.

Original issue reported on code.google.com by oner...@gmail.com on 14 Feb 2011 at 10:54

GoogleCodeExporter commented 9 years ago
Will investigate.  In the mean time, form fill auth should be an acceptable 
workaround.

Original comment by jrivard on 14 Feb 2011 at 10:58

GoogleCodeExporter commented 9 years ago
[deleted comment]
GoogleCodeExporter commented 9 years ago
Small typo in step 2 it should be "non ASCII characters"

I tested with the Norwegian characters: Æ, Ø, Å

Original comment by oner...@gmail.com on 15 Feb 2011 at 11:07

GoogleCodeExporter commented 9 years ago
Changed the default decoding to UTF-8 and made the setting exposed in 
PwmConstants.properties.  In svn revision 462.

Original comment by jrivard on 4 Sep 2012 at 5:35