Darran Lofthouse updated ELY-1761:
----------------------------------
Fix Version/s: 2.0.0.Alpha4
Unicode normalization in SASL client breaks some non-ASCII passwords
--------------------------------------------------------------------
Key: ELY-1761
URL: https://issues.jboss.org/browse/ELY-1761
Project: WildFly Elytron
Issue Type: Bug
Components: SASL
Affects Versions: 1.7.0.Final
Reporter: Philippe Marschall
Assignee: Darran Lofthouse
Priority: Major
Fix For: 1.9.0.CR3, 2.0.0.Alpha4
We have users that use U+00A8
([diaeresis|https://en.wikipedia.org/wiki/Diaeresis_(diacritic)]) as an Active Directory
password. They can not log in using the Elytron LDAP realm. Here's the sequence of
events:
* PlainSaslClient.evaluateChallenge calls StringPrep.encode with the profile
StringPrep.PROFILE_SASL_STORED
https://github.com/wildfly-security/wildfly-elytron/blob/fd74e43caf3e7019...
* StringPrep.PROFILE_SASL_STORED ors PROFILE_SASL_QUERY which ors NORMALIZE_KC
https://github.com/wildfly-security/wildfly-elytron/blob/fd74e43caf3e7019...
* StringPrep.encode then normalises using NFKC which replaces U+00A8 with U+0020 U+0308
https://github.com/wildfly-security/wildfly-elytron/blob/fd74e43caf3e7019...
* Active Directory rejects the login
We would be willing to work on a patch but we need some guidance on the desired solution.
A simple solution would be a new profile in StringPrep that doesn't normalize and is
used for passwords.
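
The normalization step described in the report can be reproduced with the JDK alone. The following is an added example, not part of the original report and not Elytron code: it models only the NFKC step using java.text.Normalizer (not Elytron's StringPrep), and the class name, method names and sample passwords are constructed for illustration. It prints the UTF-8 bytes of each password as typed and after NFKC, and lists the code points that NFKC rewrites, which is a quick way to check whether a given credential is affected.

```java
import java.nio.charset.StandardCharsets;
import java.text.Normalizer;
import java.util.ArrayList;
import java.util.List;

public class NfkcPasswordCheck {

    // Hex dump of the UTF-8 encoding, i.e. the bytes a SASL PLAIN client would send.
    static String utf8Hex(String s) {
        StringBuilder sb = new StringBuilder();
        for (byte b : s.getBytes(StandardCharsets.UTF_8)) {
            sb.append(String.format("%02X ", b & 0xFF));
        }
        return sb.toString().trim();
    }

    // Code points that NFKC rewrites on their own (compatibility characters such as U+00A8).
    // Sequences that only change in context (e.g. "e" + U+0301 composing) are caught by
    // the whole-string comparison in main(), not here.
    static List<String> rewrittenCodePoints(String password) {
        List<String> hits = new ArrayList<>();
        password.codePoints().forEach(cp -> {
            String original = new String(Character.toChars(cp));
            String normalized = Normalizer.normalize(original, Normalizer.Form.NFKC);
            if (!original.equals(normalized)) {
                StringBuilder to = new StringBuilder();
                normalized.codePoints().forEach(n -> to.append(String.format("U+%04X ", n)));
                hits.add(String.format("U+%04X -> %s", cp, to.toString().trim()));
            }
        });
        return hits;
    }

    public static void main(String[] args) {
        // Constructed sample passwords, not taken from the report.
        String[] samples = { "pa\u00A8ss", "caf\u00E9", "e\u0301", "\uFB01x" };
        for (String pw : samples) {
            String nfkc = Normalizer.normalize(pw, Normalizer.Form.NFKC);
            boolean changed = !pw.equals(nfkc);
            System.out.println("as typed:   " + utf8Hex(pw));
            System.out.println("after NFKC: " + utf8Hex(nfkc) + (changed ? "  (differs)" : "  (same)"));
            System.out.println("rewritten code points: " + rewrittenCodePoints(pw));
        }
    }
}
```

A server that compares the received bytes against the password as originally set, without applying the same normalization, will not match any sample whose two hex lines differ.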