Uploaded image for project: 'Jira Server and Data Center'
  1. Jira Server and Data Center
  2. JRASERVER-59828

Basic authentication does not support non-ascii characters in usernames or password

    XMLWordPrintable

Details

    • Bug
    • Status: Gathering Impact (View Workflow)
    • Low
    • Resolution: Unresolved
    • 7.9.2
    • None
    • REST API

    Description

      NOTE: This bug report is for JIRA Server. Using JIRA Cloud? See the corresponding bug report.

      Summary

      When calling the REST API using unencoded basic authentication, a non-ASCII character in the username or password will return an incorrect status - a 401 Unauthorized or a 403 Forbidden respectively.

      This does not impact the rest/auth/1/session endpoint. For more information on how to use this endpoint instead, please Cookie-based Authentication.

      This also does not impact a user's ability to log in - as the browser and form will correctly encode data before sending it back to the server.

      Steps to Reproduce

      1. Create a user with non-ASCII character name like "łukasz" and the password test
      2. Login through the web UI as that user, to verify the credentials are valid.
      3. Do rest call as the user:
        curl -u łukasz:test -I http://localhost:8090/jira/rest/api/2/issue/TEST-2"
        

      The problem can exhibit with a non-ascii character in either the username or the password.

      Expected Results

      With the correct credentials, the issue return a 200 OK response.

      Actual Results

      HTTP/1.1 401 Unauthorized
      Content-Encoding: gzip
      Content-Type: text/html;charset=UTF-8
      Date: Thu, 18 Feb 2016 10:53:23 GMT
      Server: Apache-Coyote/1.1
      Set-Cookie: JSESSIONID=91304E14DAA60D5A14292013A062A13B; Path=/jira/; HttpOnly
      Transfer-Encoding: chunked
      Vary: User-Agent
      WWW-Authenticate: OAuth realm="http%3A%2F%2Flocalhost%3A8090%2Fjira"
      X-AREQUESTID: 1313x7361x1
      X-ASEN: SEN
      X-Content-Type-Options: nosniff
      X-Seraph-LoginReason: AUTHENTICATED_FAILED
      

      Notes

      See ACJIRA-513 description and comments for more details.

      Workaround

      There are a few alternative options workarounds; depending on the exact implementation you're using.

      Option 1 - Remove the non-ascii characters

      If possible, change the non-ascii characters to ascii characters. This may not be desirable (or feasible) in all cases, however.

      Option 2 - Encode the username and password as Base64 before sending

      Use the following command to generate a Base64 encoded string:

      echo -n 'username:password' | openssl base64
      

      Then, supply an Authorization: Basic token header, like so:

      curl -X GET http://localhost:8090/jira/rest/api/2/issue/TEST-2 -H 'Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ='
      

      Option 3 - Use Cookie authentication

      Information

      In some cases, we've seen a Base64 encoded string fail. In our testing, this seems to be caused by an ASCII username, with a non-ascii character in the password. If you're seeing a Base 64 encoded string fail (and you're sure it's correct) then consider using the cookie method of authentication.

      You can use cookie based authentication to authenticate first, and then use the cookie as your authentication mechanism in subsequent requests.

      Attachments

        Issue Links

          Activity

            People

              Unassigned Unassigned
              mpazik Marek Pazik
              Votes:
              14 Vote for this issue
              Watchers:
              19 Start watching this issue

              Dates

                Created:
                Updated: