JBoss 5 truncates trailing = of a base64 cookie string

After upgrading from JBoss 4 to JBoss 5, I've noticed the most annoying regression. It truncates the trailing equal sign ('=') of a base64 cookie value.

It took me so much time to understand that the problem wasn't my code but JBoss'. I googled it and found out it's a known issue.

The suggested workaround is to calculate the string length and pad it with trailing equal signs (to a length that is a multiple of 4).

As our application can run on several application servers (e.g. WebLogic, WebSphere) I am very reluctant to add this piece of code specific to this version of JBoss.

Did anybody encounter this? Can you suggest a smarter workaround?

edit: thanks to @skaffman I understood my problem: I shouldn't have used base64 for the cookie string in the first place. There is a variant of base64 called base64url that should be used for such strings (cookies, URLs...). The Apache Commons Codec library, for example, supports this variant in its base64 implementation.

LiorH asked Nov 07 '09 14:11


3 Answers

Do you have control over how your cookies are created and encoded/decoded? If so, then you could switch to an alternative encoding mechanism, one which doesn't use characters which may clash with the cookie specification. For example, Apache Commons Codec includes a Hex class which can encode and decode binary data to and from a hex string. It'd be larger than the equivalent data in base64, but that may not matter.

Alternatively, you could play with the Cookie API a bit. The javadoc for Cookie.setValue() says:

With Version 0 cookies, values should not contain white space, brackets, parentheses, equals signs, commas, double quotes, slashes, question marks, at signs, colons, and semicolons. Empty values may not behave the same way on all browsers.

So technically, base64 encoding is not compatible with version 0 cookies, which may be the default. You could try calling setVersion(1) on the cookie, and see if that makes a difference, although then you run the risk of browser compatibility issues.

skaffman answered Nov 15 '22 09:11


If I understand the bug report correctly, a correct implementation of the encoder would always produce a string which is a multiple of 4, so if you add the bug fix, it will not trigger in other app servers than JBoss. Your code will thus work on all servers. On a side note, perhaps you could implement it as a servlet filter, which will be minimally intrusive for your app.

Alexander Torstling answered Nov 15 '22 07:11
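Putting the threads together, as an added example that is not from the question or any of the answers: the repad() workaround that the question and the answer above describe, the base64url encoding the question's edit recommends, and a check against the Version 0 character list quoted in skaffman's answer. It assumes java.util.Base64 (Java 8 or later); the class name CookieValueCodec and its method names are hypothetical, and the sample value is constructed.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public final class CookieValueCodec {

    // Characters the Cookie.setValue() Javadoc forbids in Version 0 cookie values.
    private static final String VERSION0_FORBIDDEN = " \t[]{}()=,\"/?@:;";

    // Workaround: restore '=' padding the container stripped, so the length is a multiple of 4.
    public static String repad(String value) {
        int rem = value.length() % 4;
        if (rem == 0) return value;
        if (rem == 1) throw new IllegalArgumentException("not a valid base64 length");
        StringBuilder sb = new StringBuilder(value);
        for (int i = rem; i < 4; i++) sb.append('=');
        return sb.toString();
    }

    // Classic base64 decode that tolerates a stripped trailing '=' by repadding first.
    public static byte[] decodeClassic(String cookieValue) {
        return Base64.getDecoder().decode(repad(cookieValue));
    }

    // Preferred fix: base64url without padding, so the value never contains '=', '/' or '+'.
    public static String encodeUrlSafe(byte[] data) {
        return Base64.getUrlEncoder().withoutPadding().encodeToString(data);
    }

    public static byte[] decodeUrlSafe(String cookieValue) {
        return Base64.getUrlDecoder().decode(cookieValue);
    }

    // Guard to run before Cookie.setValue(): reject values a Version 0 cookie may not carry.
    public static boolean isVersion0Safe(String value) {
        for (int i = 0; i < value.length(); i++) {
            if (VERSION0_FORBIDDEN.indexOf(value.charAt(i)) >= 0) return false;
        }
        return true;
    }

    public static void main(String[] args) {
        byte[] data = "session-id-12345".getBytes(StandardCharsets.UTF_8); // constructed sample
        String classic = Base64.getEncoder().encodeToString(data);          // ends in "=="
        String truncated = classic.replaceAll("=+$", "");                   // what JBoss 5 hands back
        System.out.println(new String(decodeClassic(truncated), StandardCharsets.UTF_8));
        String urlSafe = encodeUrlSafe(data);
        System.out.println(urlSafe + " v0safe=" + isVersion0Safe(urlSafe)
                + " classicV0safe=" + isVersion0Safe(classic));
    }
}
```

Because decodeClassic() only ever adds padding, it behaves identically on servers that deliver the cookie intact, which is the portability point made in the answer above.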


For JBoss 5, set the system property below:

org.apache.catalina.STRICT_SERVLET_COMPLIANCE=false

--bala

bala answered Nov 15 '22 08:11