Character encoding problem after migration to CAS 7.0

[Krzysztof Wilkos]

Hi,

Recently we migrated to CAS 7.0 from 6.6. After migration some of users reported problems with authentication. Password change solved issue for most of them but not for all. At the same time user was able to log into non-CAS services with same credentials (ActiveDirectory account).

We discovered that authentication problems are caused by inproper encoding handling when password contains non-latin characters. Non-latin characters in password are valid for on premise Active Directory and CAS 6.6 works fine with such passwords.

After long hours spent on debugging I've found that filter chain has different order in version 7.0 than in 6.6. ClientInfoThreadLocalFilter is executed before CharacterEncodingFilter and that makes embedded tomcat to parse parameters with default encoding which is ISO_8859_1.

Filter order changed after this commit https://github.com/apereo/cas/commit/b63b498d7827fddb2437059798b633335df8ae4a#diff-a6b219e09e7332e11699b887d03ae93365e9a303f9a2c9d8d1e8576a38ce8c7a

I've solved issue by registering CharacterEncodingFilter in my own config in war overlay with HIGHEST_PRECEDENCE.

Regards,

Krzysztof