grails-spring-security-core

Special character encoding issues with SingleSignOutFilter

Open dpcasady opened this issue 8 years ago • 12 comments

The Grails default UTF-8 characterEncodingFilter no longer encodes special characters correctly in an app with the Spring Security CAS plugin.

I believe this is due to the SingleSignOutFilter's registration order being set to Ordered.HIGHEST_PRECEDENCE and thus being first in the filter chain instead of the encoding filter. Not that this is the solution, but setting the SingleSignOutFilter's order to Ordered.HIGHEST_PRECEDENCE + 1 and customizing characterEncodingFilter with order Ordered.HIGHEST_PRECEDENCE seems to fix the problem.

This is most easily demonstrated by submitting a post request to a controller with special characters, e.g. ™, ®, etc. in it.

dpcasady avatar Jan 06 '17 23:01 dpcasady

I have the same problem, please fix this problem asap.

flparedes avatar Apr 07 '17 14:04 flparedes

@dpcasady could you submit a sample app so that I can fix it, create a test for it and release a new version?

sdelamo avatar Oct 09 '17 07:10 sdelamo

Here's a sample app: https://github.com/dpcasady/grails-cas-encoding

Run the app and send some post data to it with special characters:

curl -dstring=® http://localhost:8080/application

The ApplicationController will echo the string param. With spring security cas, you'll see:

string: ®

If you disable spring security cas, you'll see string: ®.

dpcasady avatar Oct 12 '17 16:10 dpcasady

This issue breaks UTF-8 completely in Grails 3.3.x.

Workaround: In resources.groovy, reconfigure the registration bean to ensure the SSO filter comes after the characterEncodingFilter.

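  singleSignOutFilterRegistrationBean(FilterRegistrationBean) {
    name = 'CAS Single Sign Out Filter'
    filter = ref('singleSignOutFilter')
    // Must be higher than the characterEncodingFilter's order (MAX_ORDER + 10) so this filter runs after it
    order = FilterRegistrationBean.REQUEST_WRAPPER_FILTER_MAX_ORDER + 11
  }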

Ordered.HIGHEST_PRECEDENCE + 1 does not work, since CharacterEncodingFilter has order FilterRegistrationBean.REQUEST_WRAPPER_FILTER_MAX_ORDER + 10 in Grails 3.3.x.

I really hope this will be fixed soon. This issue has been open since 2017 and nobody has taken care of it so far.

robertoschwald avatar Nov 07 '19 17:11 robertoschwald

Workaround update for Grails 5.1.7. This works for me:

import org.springframework.boot.web.servlet.FilterRegistrationBean
import org.springframework.boot.web.reactive.filter.OrderedWebFilter

...

singleSignOutFilterRegistrationBean( FilterRegistrationBean ) {
    name = 'CAS Single Sign Out Filter'
    filter = ref( 'singleSignOutFilter' )
    order = OrderedWebFilter.REQUEST_WRAPPER_FILTER_MAX_ORDER + 11
}

coig-prometeo-it avatar Aug 11 '22 12:08 coig-prometeo-it

As of today it still hasn't been fixed; the ñ becomes à, and the same goes for accented letters.

funcoleto avatar Jan 12 '24 23:01 funcoleto

I've checked out the provided sample app grails-cas-encoding and ran it locally. It seems to work totally fine as it is (no need to disable spring security cas):

$ curl -si -dstring=® http://localhost:8080/application

HTTP/1.1 200
X-Application-Context: application:development
Content-Type: text/html;charset=utf-8
Transfer-Encoding: chunked
Date: Mon, 15 Jan 2024 09:56:47 GMT

string: ®

The controller returns a valid UTF-8 response, echoing the ® character. Both payload and headers look good to me.

Maybe your CLI application was not handling the response properly? 🤔

guillermocalvo avatar Jan 15 '24 10:01 guillermocalvo

With the sample app grails-cas-encoding:

curl -si -dstring=® http://localhost:8080/application

HTTP/1.1 200
X-Application-Context: application:development
Content-Type: text/html;charset=utf-8
Transfer-Encoding: chunked
Date: Mon, 15 Jan 2024 10:34:52 GMT

string: ®

It's the same problem..

funcoleto avatar Jan 15 '24 10:01 funcoleto

@funcoleto I believe the app is returning the correct response, but your command line application is not interpreting UTF-8 correctly.

Could you please run this test locally and tell us the response you get?

curl -s -dstring=`echo 'wq4=' | base64 -d` http://localhost:8080/application | base64

guillermocalvo avatar Jan 15 '24 11:01 guillermocalvo

curl -s -dstring=`echo 'wq4=' | base64 -d` http://localhost:8080/application | base64

c3RyaW5nOiDDgsKuCg==

funcoleto avatar Jan 15 '24 11:01 funcoleto
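
Added example, not part of any comment in this thread and not the plugin's code: it decodes the Base64 values exchanged above and classifies the echoed bytes, assuming the wrong request charset is ISO-8859-1 (the servlet default). The function names are hypothetical.

```python
import base64

# Values taken from the thread: the payload sent with curl and the reply reported back.
SENT_B64 = "wq4="
REPORTED_B64 = "c3RyaW5nOiDDgsKuCg=="


def double_encode(raw: bytes, wrong_charset: str = "iso-8859-1") -> bytes:
    """Bytes produced when UTF-8 input is decoded as wrong_charset, then written as UTF-8."""
    return raw.decode(wrong_charset).encode("utf-8")


def classify(sent: bytes, response: bytes) -> str:
    """Compare the bytes sent with the bytes echoed back by the server."""
    if sent.isascii():
        return "inconclusive"      # ASCII encodes identically in both charsets
    # Check the double-encoded form first: for some payloads it contains the
    # original bytes as a suffix, so a plain substring test would report "ok".
    if double_encode(sent) in response:
        return "double-encoded"    # body was parsed as ISO-8859-1 (assumed fallback)
    if sent in response:
        return "ok"
    return "unknown"


def repair(response: bytes) -> bytes:
    """Undo one round of ISO-8859-1 misdecoding to recover the original bytes."""
    return response.decode("utf-8").encode("iso-8859-1")


def classify_b64(sent_b64: str, response_b64: str) -> str:
    """Same as classify(), for the Base64 strings produced by the curl test."""
    return classify(base64.b64decode(sent_b64), base64.b64decode(response_b64))


if __name__ == "__main__":
    reported = base64.b64decode(REPORTED_B64)
    print(reported.hex(" "))                      # raw bytes of the reported reply
    print(classify_b64(SENT_B64, REPORTED_B64))
    print(repair(reported).decode("utf-8"))
```

For the reply reported above this yields double-encoded: the two UTF-8 bytes of ® (c2 ae) came back as c3 82 c2 ae.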

@funcoleto Thanks for your help!

That's not the same response I get when I run it locally 🤔 Could you tell me which OS / JDK version you are using to run the app?

guillermocalvo avatar Jan 15 '24 11:01 guillermocalvo

% grails --version
Grails Version: 6.1.1
JVM Version: 11.0.16

% sw_vers
ProductName: macOS
ProductVersion: 12.3.1
BuildVersion: 21E258

With Java 17 it is the same problem.

funcoleto avatar Jan 15 '24 11:01 funcoleto