NOTE: This bug report is for JIRA Server. Using JIRA Cloud? See the corresponding bug report.
Summary
When calling the REST API using unencoded basic authentication, a non-ASCII character in the username or password causes an incorrect status to be returned - a 401 Unauthorized or a 403 Forbidden respectively.
This does not impact the rest/auth/1/session endpoint. For more information on how to use this endpoint instead, please see Cookie-based Authentication.
This also does not impact a user's ability to log in - as the browser and form will correctly encode data before sending it back to the server.
Steps to Reproduce
- Create a user with a non-ASCII character in the name, like "łukasz", and the password test
- Log in through the web UI as that user, to verify the credentials are valid.
- Make a REST call as the user:
curl -u łukasz:test -I http://localhost:8090/jira/rest/api/2/issue/TEST-2
The problem can occur with a non-ASCII character in either the username or the password.
Expected Results
With the correct credentials, the request returns a 200 OK response.
Actual Results
HTTP/1.1 401 Unauthorized
Content-Encoding: gzip
Content-Type: text/html;charset=UTF-8
Date: Thu, 18 Feb 2016 10:53:23 GMT
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=91304E14DAA60D5A14292013A062A13B; Path=/jira/; HttpOnly
Transfer-Encoding: chunked
Vary: User-Agent
WWW-Authenticate: OAuth realm="http%3A%2F%2Flocalhost%3A8090%2Fjira"
X-AREQUESTID: 1313x7361x1
X-ASEN: SEN
X-Content-Type-Options: nosniff
X-Seraph-LoginReason: AUTHENTICATED_FAILED
Notes
See ACJIRA-513 description and comments for more details.
Workaround
There are a few alternative workarounds, depending on the exact implementation you're using.
Option 1 - Remove the non-ascii characters
If possible, change the non-ascii characters to ascii characters. This may not be desirable (or feasible) in all cases, however.
Option 2 - Encode the username and password as Base64 before sending
Use the following command to generate a Base64 encoded string:
echo -n 'username:password' | openssl base64
Then, supply an Authorization: Basic token header, like so:
curl -X GET http://localhost:8090/jira/rest/api/2/issue/TEST-2 -H 'Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ='
Option 3 - Use Cookie authentication
In some cases, we've seen a Base64 encoded string fail. In our testing, this seems to be caused by an ASCII username, with a non-ascii character in the password. If you're seeing a Base64 encoded string fail (and you're sure it's correct) then consider using the cookie method of authentication.
You can use cookie based authentication to authenticate first, and then use the cookie as your authentication mechanism in subsequent requests.
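The token in Option 2 is the Base64 of the raw bytes of username:password, so for non-ASCII credentials its value depends on the character encoding the client used, which is one way a token can look correct to the client and still be rejected. The following is an added example, not part of the original report or of Jira's code, that builds the token under several encodings and shows what a server assuming a different encoding would recover. The charsets tried are assumptions; the report does not state which encoding the server expects.

```python
import base64

def basic_token(username, password, charset):
    """Base64 credentials for an 'Authorization: Basic' header, or None
    when the charset cannot represent the credentials at all."""
    try:
        raw = f"{username}:{password}".encode(charset)
    except UnicodeEncodeError:
        return None
    return base64.b64encode(raw).decode("ascii")

def server_view(token, charset):
    """Decode a token the way a server assuming `charset` would.
    Undecodable bytes become U+FFFD instead of raising."""
    raw = base64.b64decode(token)
    user, _, password = raw.decode(charset, errors="replace").partition(":")
    return user, password

def diagnose(username, password, client_charsets, server_charset):
    """Map each client charset to (token, does_server_recover_credentials)."""
    report = {}
    for cs in client_charsets:
        token = basic_token(username, password, cs)
        ok = token is not None and \
            server_view(token, server_charset) == (username, password)
        report[cs] = (token, ok)
    return report

if __name__ == "__main__":
    user = "\u0142ukasz"  # "łukasz", the username from the reproduction steps
    # Charsets below are assumed candidates, not taken from the report.
    charsets = ["utf-8", "iso-8859-2", "iso-8859-1"]
    for server in ("utf-8", "iso-8859-1"):
        print(f"server assumes {server}:")
        for cs, (token, ok) in diagnose(user, "test", charsets, server).items():
            print(f"  client {cs:<11} token={token!s:<18} match={ok}")
    # ASCII-only credentials give the same token in every charset,
    # which is why the problem only appears with non-ASCII characters.
    print(basic_token("username", "password", "utf-8"))
```

When a Base64 token fails, comparing the tokens produced under each candidate encoding against the one actually sent shows which encoding the client tool applied.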
- is duplicated by
  - JRASERVER-59460 Basic Authentication fails when password contains special chars (Closed)
- relates to
  - JRACLOUD-59828 Basic authentication does not support non-ascii characters in usernames (Closed)