Bug 66174 - Pound sign £ in passwords does not work with LDAP realm
Status: RESOLVED INVALID
Alias: None
Product: Tomcat 9
Classification: Unclassified
Component: Catalina
Version: unspecified
Hardware: All All
Importance: P2 normal
Target Milestone: -----
Assignee: Tomcat Developers Mailing List
Reported: 2022-07-21 14:14 UTC by Mark Klinchin
Modified: 2022-08-22 20:16 UTC
Description Mark Klinchin 2022-07-21 14:14:27 UTC
There is an old post on the mailing lists about this problem, but the issue is still confirmed.

https://www.mail-archive.com/users@tomcat.apache.org/msg07977.html

When a user in LDAP realm (MS Active Directory in my case and openldap in the case described in the mailing archive) has the pound sign in the password, the basic authentication does not work. Removing the pound sign from the password resolves the issue.
Comment 1 Christopher Schultz 2022-07-21 17:02:12 UTC
Can you confirm that you can successfully authenticate with OpenLDAP using some other utility e.g. ldapsearch? I'm wondering if this is a Tomcat issue or an OpenLDAP issue.

If you enable logging (hmm not sure if we log the password at TRACE level), can you confirm that Tomcat has the password without being garbled by the browser/web server/request encoding in some way?
Comment 2 Konstantin Kolinko 2022-07-21 17:36:39 UTC
You need to provide configuration and steps to reproduce this issue, and exact version number of Tomcat where this issue is observed.

Overall, this sounds like either a configuration issue, and configuration issues are to be discussed on the Tomcat Users' mailing list, not here.



Note that the BASIC authentication is limited to ISO-8859-1 charset by default.

Testing with Apache Tomcat 9.0.65, I can successfully log in to the manager web application using the pound character as a password, if I reconfigure the BasicAuthenticator in that web application to use UTF-8.

It can be done by inserting the following line

  <Valve className="org.apache.catalina.authenticator.BasicAuthenticator" charset="UTF-8" />

into the webapps/manager/META-INF/context.xml file.

For reference, see
https://tomcat.apache.org/tomcat-9.0-doc/config/valve.html#Basic_Authenticator_Valve

I wonder whether better documentation may be needed somewhere.
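
Added example, not part of the bug thread and not Tomcat code: a small diagnostic showing why a password containing '£' survives BASIC authentication only when the client and the server agree on ISO-8859-1 or UTF-8. The function names and the credentials are constructed for illustration, and lenient decoding (malformed bytes become U+FFFD) is an assumption of this sketch.

```python
import base64


def build_basic_header(user, password, client_charset):
    """Authorization header value as a client encoding with client_charset sends it."""
    raw = f"{user}:{password}".encode(client_charset)
    return "Basic " + base64.b64encode(raw).decode("ascii")


def decode_basic_header(header, server_charset):
    """Recover (user, password) as a server configured with server_charset would.

    Malformed bytes are replaced with U+FFFD (assumption: lenient decoder).
    """
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    raw = base64.b64decode(token, validate=True)
    text = raw.decode(server_charset, errors="replace")
    user, sep, password = text.partition(":")
    if not sep:
        raise ValueError("missing ':' separator")
    return user, password


def charset_matrix(user, password, charsets=("iso-8859-1", "utf-8")):
    """Map (client charset, server charset) -> (password recovered?, what the server sees)."""
    result = {}
    for client in charsets:
        header = build_basic_header(user, password, client)
        for server in charsets:
            _, seen = decode_basic_header(header, server)
            result[(client, server)] = (seen == password, seen)
    return result


if __name__ == "__main__":
    # Constructed sample credentials; '£' is 0xA3 in ISO-8859-1 and 0xC2 0xA3 in UTF-8.
    for (client, server), (ok, seen) in charset_matrix("alice", "pa£s").items():
        print(f"client={client:<10} server={server:<10} match={ok!s:<5} server sees {seen!r}")
```

Only the two rows where both sides use the same charset report a match; in the mismatched rows the value the realm would receive for the bind differs from the stored password, so the directory rejects it.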
Comment 3 Christopher Schultz 2022-07-25 15:25:13 UTC
(In reply to Konstantin Kolinko from comment #2)
>   <Valve className="org.apache.catalina.authenticator.BasicAuthenticator"
> charset="UTF-8" />
> 
> [...]
> 
> I wonder whether better documentation may be needed somewhere.

I think this should be added to the FAQ "How do I just use UTF-8 everywhere" because I'm sure it's not in there, and it's an important edge-case.
Comment 4 Mark Thomas 2022-08-22 20:16:46 UTC
Tested with Windows Server 2019 based domain. BASIC auth works for user with password that includes '£'.

The users mailing list is the place to seek further help if required.