Users with umlauts in their passwords cannot authenticate against the APS REST API in browsers like Firefox, Internet Explorer or Safari.
Steps to reproduce
1. Via Identity Management->Users create a new user "firstname.lastname@example.org" with password "Passwörd"
2. Via Identity Management->Capabilities give the new user the "REST access" and "tenant admin" capability
3. In a problematic browser (e.g. Firefox), call the API URL http://localhost:9999/activiti-app/api/enterprise/admin/tenants which should list the tenants for this APS environment
4. Authenticate as the user created in step 1
Actual behaviour
Authentication does not work; the response seen in the network console is a 401 with the message "Bad credentials".
Expected behaviour
Authentication works.
- Reproduced in latest APS 126.96.36.199 environment
- Reproduced also with api-explorer in Firefox using umlaut password
- Customer analyzed the root cause:
"The BasicAuthenticationFilter of Spring security uses utf-8 to decode user passwords, but several browsers (all, except Google Chrome) seem to use iso-8859-1 to encode the password for basic authentication, which breaks authentication for umlauts (and many more special characters) in passwords.
This is described here: https://github.com/spring-projects/spring-security/issues/2969
A workaround for this used by the customer: https://github.com/spring-projects/spring-security/pull/3966#issuecomment-242123838"
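Added example, not part of the original report and not the customer's workaround: it reproduces the charset mismatch at the byte level using the user and password from the reproduction steps. The function names are hypothetical, `decode_utf8_only` is only a model of a server that decodes Basic credentials as UTF-8, and `decode_tolerant` is one possible mitigation shown for comparison.

```python
import base64

# Values from the report's reproduction steps.
USER = "firstname.lastname@example.org"
PASSWORD = "Passw\u00f6rd"  # "Passwörd"

def basic_header(user, password, charset):
    """Authorization header value as a client encoding in `charset` sends it."""
    raw = f"{user}:{password}".encode(charset)
    return "Basic " + base64.b64encode(raw).decode("ascii")

def credential_bytes(header):
    """Return the raw bytes carried by a Basic Authorization header value."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic authorization header")
    return base64.b64decode(token, validate=True)

def split_credentials(text):
    """Split 'user:password' at the first colon."""
    user, sep, password = text.partition(":")
    if not sep:
        raise ValueError("missing ':' between user and password")
    return user, password

def decode_utf8_only(header):
    """Model (assumption): lenient UTF-8 decode, invalid bytes become U+FFFD."""
    return split_credentials(credential_bytes(header).decode("utf-8", errors="replace"))

def decode_tolerant(header):
    """Hypothetical mitigation: strict UTF-8 first, ISO-8859-1 as fallback."""
    raw = credential_bytes(header)
    try:
        return split_credentials(raw.decode("utf-8", errors="strict"))
    except UnicodeDecodeError:
        return split_credentials(raw.decode("iso-8859-1"))

if __name__ == "__main__":
    for charset in ("utf-8", "iso-8859-1"):
        header = basic_header(USER, PASSWORD, charset)
        print(charset, decode_utf8_only(header)[1] == PASSWORD,
              decode_tolerant(header)[1] == PASSWORD)
    # Limit of the fallback: ISO-8859-1 bytes C3 B6 are also valid UTF-8 for "ö".
    ambiguous = basic_header(USER, "Passw\u00c3\u00b6rd", "iso-8859-1")
    print("ambiguous input accepted:", decode_tolerant(ambiguous)[1] == PASSWORD)
```

The fallback is a heuristic: an ISO-8859-1 byte sequence that is also valid UTF-8 is read as UTF-8, so two different typed passwords can map to the same stored one. RFC 7617 lets a server advertise `charset="UTF-8"` in its Basic challenge so that clients which honor it encode credentials as UTF-8.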