Formbased authentication corrupts post params payara

servlet/security-form-based/src/main/webapp/WEB-INF/web.xml

@@ -54,7 +54,7 @@
     <security-constraint>
         <web-resource-collection>
             <web-resource-name>SecurityConstraint</web-resource-name>
-            <url-pattern>/*</url-pattern>
+            <url-pattern>*.jsp</url-pattern>
         </web-resource-collection>
         <auth-constraint>
             <role-name>g1</role-name>

servlet/security-form-based/src/main/webapp/form.html

@@ -0,0 +1,21 @@
+<!DOCTYPE html>
+<html>
+	<head>
+		<title>Sample form</title>
+	</head>	
+	<body>
+		<h1>Example</h1>
+		<p>
+		Submit your data, you must see your data after login.</p>
+		<p>This example make a test with a single parameter.
+		If you submit more parameters, only one (the last in the post body) is corrupted</p>
+
+		<p>You must be logged out to test the bug, because the bug is in the authenticator</p>
+
+		<form method="POST" action="receive.jsp" name="form">
+			<input type="text" id="name" name="name" value="example"/>
+			<!--  No name attribute for submit, we want to test only (and only) one parameter -->
+			<input type="submit" value="Submit"/>		
+		</form>	
+	</body>
+</html>

servlet/security-form-based/src/main/webapp/receive.jsp

@@ -0,0 +1,33 @@
+<%@page 
+    contentType="text/html; charset=UTF-8"
+    language="java"
+    pageEncoding="UTF-8"
+    import="java.nio.charset.StandardCharsets"
+%><%
+
+String param = request.getParameter("name");
+if (param == null) {
+	param = "";
+}
+int paramLength = param.length();
+byte[] paramData = param.getBytes(StandardCharsets.UTF_8);
+int paramDataLength = paramData.length;
+%>
+<!DOCTYPE html>
+<html>
+<head>
+<title>Receiving parameters via post</title>
+</head>
+<body>
+
+<p>Here you should see the data you entered in the previous form.</p>
+<p>the bug makes the last parameter to contain a lot of junk (zeros) at the end</p>
+
+
+Hello <span id="param"><%= param %></span><br/>
+paramLegnth <span id="paramLength"><%= paramLength %></span><br/>
+paramDataLength <span id="arrayLength"><%= paramDataLength %></span>
+
+
+</body>
+</html>

servlet/security-form-based/src/test/java/org/javaee7/servlet/security/form/based/FormTest.java

@@ -22,6 +22,7 @@
 import com.gargoylesoftware.htmlunit.html.HtmlPage;
 import com.gargoylesoftware.htmlunit.html.HtmlSubmitInput;
 
+
 /**
  * @author Arun Gupta
  */
@@ -32,8 +33,8 @@ public class FormTest {
 
     @ArquillianResource
     private URL base;
+    private WebClient webClient;
 
-    private HtmlForm loginForm;
 
     @Deployment(testable = false)
     public static WebArchive createDeployment() {
@@ -44,26 +45,27 @@ public static WebArchive createDeployment() {
             .addAsWebResource(new File(WEBAPP_SRC, "index.jsp"))
             .addAsWebResource(new File(WEBAPP_SRC, "loginerror.jsp"))
             .addAsWebResource(new File(WEBAPP_SRC, "loginform.jsp"))
+            .addAsWebResource(new File(WEBAPP_SRC, "form.html"))
+            .addAsWebResource(new File(WEBAPP_SRC, "receive.jsp"))
             .addAsWebInfResource(new File(WEBAPP_SRC + "/WEB-INF", "web.xml"))
             .addAsWebInfResource(new File(WEBAPP_SRC + "/WEB-INF", "glassfish-web.xml"));
     }
 
     @Before
     public void setup() throws IOException {
-        WebClient webClient = new WebClient();
-        HtmlPage page = webClient.getPage(base + "/index.jsp");
-        loginForm = page.getForms().get(0);
+    	webClient = new WebClient();
     }
 
     @After
     public void tearDown() {
-        WebClient webClient = loginForm.getPage().getWebClient();
         webClient.getCookieManager().clearCookies();
         webClient.close();
     }
 
     @Test
     public void testGetWithCorrectCredentials() throws Exception {
+    	HtmlPage loginPage = webClient.getPage(base + "/index.jsp");
+    	HtmlForm loginForm = loginPage.getForms().get(0);
         loginForm.getInputByName("j_username").setValueAttribute("u1");
         loginForm.getInputByName("j_password").setValueAttribute("p1");
         HtmlSubmitInput submitButton = loginForm.getInputByName("submitButton");
@@ -74,11 +76,37 @@ public void testGetWithCorrectCredentials() throws Exception {
 
     @Test
     public void testGetWithIncorrectCredentials() throws Exception {
+    	HtmlPage page = webClient.getPage(base + "/index.jsp");
+    	HtmlForm loginForm = page.getForms().get(0);
         loginForm.getInputByName("j_username").setValueAttribute("random");
         loginForm.getInputByName("j_password").setValueAttribute("random");
         HtmlSubmitInput submitButton = loginForm.getInputByName("submitButton");
         HtmlPage page2 = submitButton.click();
 
         assertEquals("Form-Based Login Error Page", page2.getTitleText());
     }
+    @Test
+    public void testMaintainPostParamsAfterAuth() throws Exception {
+
+        String PARAM_VALUE = "example";
+        String PARAM_LENGTH = Integer.toString(PARAM_VALUE.length());
+
+        // Unauthenticated page
+    	HtmlPage unauthenticatedPage = webClient.getPage(base + "/form.html");
+    	HtmlForm unauthenticatedForm = unauthenticatedPage.getForms().get(0);
+    	unauthenticatedForm.getInputByName("name").setValueAttribute(PARAM_VALUE);
+    	HtmlSubmitInput unauthenticatedSubmitButton = unauthenticatedForm.getInputByValue("Submit");
+
+    	// we request an protected page, so we are presented the login page.    	
+    	HtmlPage loginPage = unauthenticatedSubmitButton.click();
+    	HtmlForm loginForm = loginPage.getForms().get(0);
+        loginForm.getInputByName("j_username").setValueAttribute("u1");
+        loginForm.getInputByName("j_password").setValueAttribute("p1");
+        HtmlSubmitInput submitButton = loginForm.getInputByName("submitButton");
+
+        HtmlPage receivePage = submitButton.click();        
+        assertEquals(PARAM_LENGTH, receivePage.getElementById("paramLength").getTextContent());
+        assertEquals(PARAM_LENGTH, receivePage.getElementById("arrayLength").getTextContent());
+        assertEquals(PARAM_VALUE, receivePage.getElementById("param").getTextContent());
+    }
 }