TL;DR: The REST API requires passwords containing certain characters to be escaped -- however, if a password contains more than one escaped character, the request will be denied.
So I've developed an app that publishes to Tableau Server using the REST API introduced in v9.0 and it's been working great. The problem is that I've started to get reports from a handful of users about problems logging in. Here's what I've found:
- The password (and username) requires XML escaping -- so that passwords containing ' " < > & must have those values replaced by &apos; &quot; &lt; &gt; &amp; respectively. This isn't mentioned in the REST API documentation, but it makes sense since the login request payload is XML and is easy enough to implement.
- Some other characters require HTML escaping as well -- so far I've only found % which isn't typically a character that requires escaping, but sometimes is. Are there other characters that require escaping? It would be really nice if this were documented since Tableau Server allows users to set the password with very few (if any?) restrictions. That said, it appears that all escaped character strings will be converted to their original values (e.g., a password of "a" can successfully be entered instead as "a"), so the brute force solution of simply escaping all characters should (in theory) work -- if not for the next bullet point.
- Passwords containing multiple escaped characters are not interpreted properly by the REST API -- for example, the password "&&" entered as "&amp;&amp;" will be accepted by the API as being valid in terms of the XML structure, but will instead return an error 401001 (Login error), indicating that the password was incorrect. In this example, naturally sending a password value of "&&" returns error 400000 (XML malformed or incomplete). Similarly, "abc" works when submitted as "abc", "abc", "abc", or "abc", but fails (401001) when submitted as "abc", "abc", or any other combination involving more than one escaped character.
Issue #3 is the real problem here (although 1 and 2 could certainly benefit from being documented). Is this a bug in the product? Is there some workaround that I might be able to use to be able to submit login requests for passwords containing multiple special characters?
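An added example, not part of the original post: building the sign-in body with an XML serializer so each credential is escaped exactly once, then parsing it back to confirm what a conforming XML parser would recover. It assumes the `tsRequest`/`credentials` sign-in body with `name` and `password` attributes from Tableau's REST API documentation; the function names and sample passwords are constructed for illustration, and it does not change how the server handles the request.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed sample passwords containing several XML-special characters.
SAMPLES = ["&&", "a<b>c", "p%40ss&\"'", "100%"]


def build_signin_payload(username, password, site_content_url=""):
    """Serialize the sign-in request; the serializer escapes attribute values once."""
    root = ET.Element("tsRequest")
    creds = ET.SubElement(root, "credentials", name=username, password=password)
    ET.SubElement(creds, "site", contentUrl=site_content_url)
    return ET.tostring(root, encoding="utf-8")  # bytes, ready to send as the body


def decoded_password(payload):
    """Return the password a conforming XML parser recovers from the payload."""
    return ET.fromstring(payload).find("credentials").get("password")


def round_trip_all(samples=SAMPLES):
    """Map each sample to True when it survives serialize -> parse unchanged."""
    return {pw: decoded_password(build_signin_payload("user", pw)) == pw
            for pw in samples}


def hand_escaped_then_serialized(password):
    """Failure mode: escaping by hand AND letting the serializer escape again.

    The parser then recovers the entity text, not the original password,
    so the credential that reaches the login check is the wrong string.
    """
    return decoded_password(build_signin_payload("user", escape(password)))


if __name__ == "__main__":
    for pw in SAMPLES:
        print(repr(pw), "->", build_signin_payload("user", pw).decode("utf-8"))
    print("round trip:", round_trip_all())
    print("double escaped '&&' decodes to:", hand_escaped_then_serialized("&&"))
```

Note that `%` is not an XML-special character, so the serializer leaves it untouched in the payload.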