6 Replies Latest reply on Jan 22, 2018 12:23 PM by Plamen Arnaudov

    Tableau Server REST API login problems --- escaping passwords with special characters

    Mac Roach

      TL;DR: The REST API requires passwords containing certain characters to be escaped -- however, if a password contains more than one escaped character, the request will be denied.

       

      Details

       

      So I've developed an app that publishes to Tableau Server using the REST API introduced in v9.0 and it's been working great. The problem is that I've started to get reports from a handful of users about problems logging in. Here's what I've found:

      1. The password (and username) requires XML escaping -- so that passwords containing ' " < > & must have those values replaced by &apos; &quot; &lt; &gt; &amp; respectively. This isn't mentioned in the REST API documentation, but it makes sense since the login request payload is XML and is easy enough to implement.
      2. Some other characters require HTML escaping as well -- so far I've only found % which isn't typically a character that requires escaping, but sometimes is. Are there other characters that require escaping? It would be really nice if this were documented since Tableau Server allows users to set the password with very few (if any?) restrictions. That said, it appears that all escaped character strings will be converted to their original values (e.g., a password of "a" can successfully be entered instead as "&#97;"), so the brute force solution of simply escaping all characters should (in theory) work -- if not for the next bullet point.
      3. Passwords containing multiple escaped characters are not interpreted properly by the REST API -- for example, the password "&&" entered as "&amp;&amp;" will be accepted by the api as being valid in terms of the XML structure, but will instead return an error 401001 (Login error), indicating that the password was incorrect. In this example, naturally sending a password value of "&&" returns error 400000 (XML malformed or incomplete). Similarly, "abc" works when submitted as "abc", "&#97;bc", "a&#98;c", or "ab&#99;", but fails (401001) when submitted as "&#97;&#98;&#99;", "&#97;&#98;c", or any other combination involving more than one escaped character.

       

      Issue #3 is the real problem here (although 1 and 2 could certainly benefit from being documented). Is this a bug in the product? Is there some workaround that I might be able to use to be able to submit login requests for passwords containing multiple special characters?

        • 1. Re: Tableau Server REST API login problems --- escaping passwords with special characters
          Michel Roberge

          Hi Mac,

           

          I encountered the same issue in a production environment. I contacted Tableau for support, and received the answer quoted at the end of this message.

           

          I tested it and it seems to work (using the escape characters like "&#37;" -without the quotes- for % ) - even when there are multiple escaped characters.

           

          My interpreted answer to your question #3: it is not a bug, it is a technical challenge which belongs to the knowledge base. And the new question now is: what characters should be escaped?

           

          Michel

           

           

          I have heard no indication that the method of handling these characters will be updated to remove this ability, since at this time this is the only method available to use the REST API with a password containing these characters.

           

           

          It would seem if this is updated, it would be to allow the special characters to work when typed normally or to allow multiple special characters to be escaped in a single password. Please note that I am speculating on these changes; I have also not heard any information about those being implemented in any upcoming release of Tableau software.

           

           

          Since the code you are using is not of the type referenced in the Community post above (percent encoding rather than XML or HTML escaping) I would recommend using the HTML escape code for this character, as this is a code fully understood by all browsers and many other programs used for coding and/or scripting. The HTML escape code for % is "&#37;" (without the quotes). This code has been working correctly as long as I have known and should not be changed.

          1 of 1 people found this helpful
          • 2. Re: Tableau Server REST API login problems --- escaping passwords with special characters
            Toby Erkson

            Tableau Community, can you please let the appropriate team(s) know about this (REST API & Documentation ??). Some adjustments for security -- strong passwording in this case -- need to be addressed in the various Tableau programming interfaces.

            1 of 1 people found this helpful
            • 3. Re: Tableau Server REST API login problems --- escaping passwords with special characters
              Ben Lower

              Mac Roach thanks for raising this. Sorry that we don't have this documented well yet! We've added that to our backlog and will get to that ASAP so that there will be a good list of what characters are allowed/disallowed and how to best escape.

               

              Just playing around a bit with Postman here as a quick test we can login with the REST API for user (name=Zita, pwd=abc&&):

               

              Note: password of 'abc&&' or even 'ab$#99;&amp;&amp;' works:

              <tsRequest>
                <credentials name="Zita" password="abc&amp;&amp;" >
                  <site contentUrl="" />
                </credentials>
              </tsRequest>

               

              This was tested with Tableau Server 10.2. Also, if you use JSON (new in 10.2) you don't even have to escape the ampersands (i.e. 'abc&&' works). This was with leaving the "Accept" header blank (if you set this it must be either 'application/xml' or 'application/json'...it will fail with an internal error if set to 'text/xml')

               

              Does that align with what you are seeing? If not, can you please let us know:

              • Tableau version you are using
              • What password character(s) is/are failing for you

               

              Ben

               

              /cc Michel Roberge Toby Erkson

              1 of 1 people found this helpful
              • 4. Re: Tableau Server REST API login problems --- escaping passwords with special characters
                Martin Pohlers

                I just tested this intensively using calls created with Alteryx with Tableau Server 10.40.

                My findings:

                1: The > character does not need to be escaped which is in line with this.

                2. I could not get the % sign to work at all.

                • Using it without escaping gave me back a bad request (HTTP/1.1 400 Bad Request)
                • Replacing it with "&#37;" (as suggested above) gave me back unauthorized (HTTP/1.1 401 Unauthorized)
                • Replacing it with "%25" (as suggested here) gave me back unauthorized (HTTP/1.1 401 Unauthorized)
                • Replacing it with "%%" (as suggested here) gave me back a bad request (HTTP/1.1 400 Bad Request)

                 

                3. Having any two of the four characters that need escaping (",',&,<) together would lead to unauthorized (HTTP/1.1 401 Unauthorized)

                 

                I think this is a very serious problem because large organisations (especially ones using AD) cannot force the users to leave out specific characters.

                The topic has at least been known since Mac Roach posted it here two years ago. What is the status on it?

                • 5. Re: Tableau Server REST API login problems --- escaping passwords with special characters
                  Martin Pohlers

                  It has been almost a year - are there any updates? The problem is still there. Is there documentation yet available?

                  • 6. Re: Tableau Server REST API login problems --- escaping passwords with special characters
                    Plamen Arnaudov

                    We just encountered this issue and resolved it by making sure that "Content-Type" is set to either "text/xml" or "application/xml" in the outgoing request. When you do that, there is no need to escape the % character.

                     

                    If your outgoing request carries the "application/x-www-form-urlencoded" header, then it seems Tableau expects to see a %25 instead of any % signs.

                     

                    If you can't control the headers in your outgoing request, maybe you can see what they are in the Tableau access logs, not sure.
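
An added example, not part of any post in this thread and not Tableau's own code: it builds the sign-in body with an XML serializer instead of string concatenation, so each special character is escaped exactly once, and pairs it with the Content-Type and Accept values named in the replies above. The function names and sample passwords are constructed for illustration, and the JSON body shape is assumed to mirror the XML structure shown in reply 3.

```python
import json
import xml.etree.ElementTree as ET

# Header values taken from replies 3 and 6 of the thread.
XML_HEADERS = {"Content-Type": "application/xml", "Accept": "application/xml"}
JSON_HEADERS = {"Content-Type": "application/json", "Accept": "application/json"}

def signin_xml(name, password, content_url=""):
    """Serialize <tsRequest> with ElementTree, which escapes attribute values."""
    root = ET.Element("tsRequest")
    cred = ET.SubElement(root, "credentials", {"name": name, "password": password})
    ET.SubElement(cred, "site", {"contentUrl": content_url})
    return ET.tostring(root, encoding="unicode")

def signin_json(name, password, content_url=""):
    """JSON variant (assumed shape): json.dumps handles quoting, no XML escaping."""
    return json.dumps({"credentials": {"name": name, "password": password,
                                       "site": {"contentUrl": content_url}}})

def naive_xml(name, password):
    """The pattern to avoid: credentials pasted into an XML template unescaped."""
    return (f'<tsRequest><credentials name="{name}" password="{password}">'
            '<site contentUrl="" /></credentials></tsRequest>')

def password_seen_by_parser(body):
    """Password a conforming XML parser recovers, or None if the body is malformed."""
    try:
        return ET.fromstring(body).find("credentials").get("password")
    except ET.ParseError:
        return None

# Constructed sample passwords covering the characters discussed in the thread.
SAMPLES = ["abc&&", "p\"a'ss<w>", "100%&sure", "a&amp;b"]

def check_samples():
    """Map each sample to (round-trips via serializer, value the naive body yields)."""
    return {pw: (password_seen_by_parser(signin_xml("Zita", pw)) == pw,
                 password_seen_by_parser(naive_xml("Zita", pw)))
            for pw in SAMPLES}

if __name__ == "__main__":
    for pw, (ok, naive) in check_samples().items():
        print(f"{pw!r}: serializer round-trip={ok}, naive parser sees {naive!r}")
```

The last sample shows the quieter failure: a password that literally contains `&amp;` parses cleanly in the naive body but arrives as a different string, which looks like a wrong password and not like a malformed request.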