Spring Security
SEC-1463

Users defined in XML can't login when their username contains capital

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 3.0.2
    • Fix Version/s: 3.0.3
    • Component/s: None
    • Labels:
      None

      Description

      The following users (see reference documentation), defined in XML, can login:
      <authentication-manager>
        <authentication-provider>
          <user-service>
            <user name="jimi" password="jimispassword" authorities="ROLE_USER, ROLE_ADMIN" />
            <user name="bob" password="bobspassword" authorities="ROLE_USER" />
          </user-service>
        </authentication-provider>
      </authentication-manager>

      When the usernames begin with a capital, those users can't login.
      When submitting the default form generated by <form-login> you get an error: Your login attempt was not successful, try again. Reason: Bad credentials
      <authentication-manager>
        <authentication-provider>
          <user-service>
            <user name="Jimi" password="jimispassword" authorities="ROLE_USER, ROLE_ADMIN" />
            <user name="Bob" password="bobspassword" authorities="ROLE_USER" />
          </user-service>
        </authentication-provider>
      </authentication-manager>

      When you define users in a database (via <jdbc-user-service>) this problem doesn't occur.

          Activity

          Luke Taylor added a comment -

          Usernames aren't case insensitive. The code that checks this is the same - it only depends on the UserDetailsService, so it is most likely something to do with your database schema setup. If you disagree, please provide evidence that you can load an upper case name from a database and authenticate against it.

          Hans Desmet added a comment -

          The problem occurs when you define the users in XML, NOT when you define them in a database.

          You can see the problem with the following app (STS project attached)

          web.xml
          ------------
          <?xml version="1.0" encoding="UTF-8"?>
          <web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" id="WebApp_ID" version="2.5">
            <display-name>UserNamesWithUperCaseLetters</display-name>
            <listener>
              <listener-class>
                org.springframework.web.context.ContextLoaderListener
              </listener-class>
            </listener>
            <context-param>
              <param-name>contextConfigLocation</param-name>
              <param-value>
                /WEB-INF/springSecurity.xml
              </param-value>
            </context-param>
            <filter>
              <filter-name>springSecurityFilterChain</filter-name>
              <filter-class>
                org.springframework.web.filter.DelegatingFilterProxy
              </filter-class>
            </filter>
            <filter-mapping>
              <filter-name> springSecurityFilterChain</filter-name>
              <url-pattern>/*</url-pattern>
            </filter-mapping>

            <welcome-file-list>
              <welcome-file>index.html</welcome-file>
            </welcome-file-list>
          </web-app>

          springSecurity.xml
          ---------------------------
          <beans:beans xmlns="http://www.springframework.org/schema/security"
              xmlns:beans="http://www.springframework.org/schema/beans"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://www.springframework.org/schema/beans
              http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
              http://www.springframework.org/schema/security
              http://www.springframework.org/schema/security/spring-security-3.0.xsd">
            <http>
              <form-login/>
              <intercept-url pattern="/index.html"
                  access="ROLE_MANAGER" />
            </http>
            <authentication-manager>
              <authentication-provider>
                <user-service>
                  <user name="joe" password="joe" authorities="ROLE_MANAGER" />
                  <user name="Jack" password="jack" authorities="ROLE_MANAGER" />
                </user-service>
              </authentication-provider>
            </authentication-manager>
          </beans:beans>

          index.html
          ---------------
          <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
          <html>
            <head>
              <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
              <title>Welcome</title>
            </head>
            <body>
              <h1>Welcome</h1>
            </body>
          </html>

          When you open the webapp with your browser and you type joe as username and joe as password you see index.html
          When you open the webapp with your browser and you type Jack as username and jack as password you see the following error:
          Your login attempt was not successful, try again.
          Reason: Bad credentials

          Luke Taylor added a comment -

          Ah, OK. I thought you were saying that the lookup was case-insensitive with the database, but not with the in-memory provider. Looking at the code, it turns out that the in-memory UserDetailsService is supposed to be case insensitive (names are stored in lower case). For some reason this seems to be an issue with 3.0.x branch but not the master branch. The namespace parsing code creates a separate map without lower-case usernames. I will correct this and update the documentation to clarify that the username is case-insensitive for <user-service> users.

          The UserMap class should also be deprecated and the code for the in-memory UserDetailsService simplified.
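
Added example (not part of the original thread and not Spring Security's code): a simplified Java model of the mismatch described in the comment above, where the lookup lower-cases the submitted username but the map was populated with names exactly as written in XML. The class InMemoryUsers and its foldKeysOnStore flag are hypothetical; the two users are the ones from the springSecurity.xml posted in this thread.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;

// Simplified model of the behaviour described in the comment above.
// InMemoryUsers is a hypothetical class, not Spring Security's own code.
public class CaseFoldingLookupDemo {
    static class InMemoryUsers {
        private final Map<String, String> passwordsByName = new HashMap<>();
        private final boolean foldKeysOnStore;

        InMemoryUsers(boolean foldKeysOnStore) {
            this.foldKeysOnStore = foldKeysOnStore;
        }

        // foldKeysOnStore=false models a map keyed by the names exactly as written in XML
        void addUser(String name, String password) {
            String key = foldKeysOnStore ? name.toLowerCase(Locale.ROOT) : name;
            if (passwordsByName.containsKey(key)) {
                throw new IllegalArgumentException("duplicate user after case folding: " + name);
            }
            passwordsByName.put(key, password);
        }

        // The lookup always lower-cases the submitted name before searching the map
        boolean authenticate(String name, String password) {
            String stored = passwordsByName.get(name.toLowerCase(Locale.ROOT));
            return stored != null && MessageDigest.isEqual(
                    stored.getBytes(StandardCharsets.UTF_8), password.getBytes(StandardCharsets.UTF_8));
        }
    }

    static InMemoryUsers load(boolean foldKeysOnStore) {
        InMemoryUsers users = new InMemoryUsers(foldKeysOnStore);
        users.addUser("joe", "joe");   // users from the springSecurity.xml in this thread
        users.addUser("Jack", "jack");
        return users;
    }

    public static void main(String[] args) {
        InMemoryUsers broken = load(false);
        System.out.println("raw keys,    joe : " + broken.authenticate("joe", "joe"));
        System.out.println("raw keys,    Jack: " + broken.authenticate("Jack", "jack"));
        InMemoryUsers fixed = load(true);
        System.out.println("folded keys, Jack: " + fixed.authenticate("Jack", "jack"));
        System.out.println("folded keys, JACK: " + fixed.authenticate("JACK", "jack"));
    }
}
```

With keys stored as written, joe authenticates and Jack does not; once keys are folded on store, Jack and JACK both authenticate. Folding also means two entries that differ only by case name the same account, so the model rejects the second one at load time.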

          Wojciech Owczarczyk added a comment -

          I think this problem still persists (tested on Spring Security 3.1.0)


            People

            • Assignee:
              Luke Taylor
              Reporter:
              Hans Desmet