[jboss-jira] [JBoss JIRA] (ELY-1761) Unicode normalization in SASL client breaks some non-ASCII passwords

Darran Lofthouse (Jira) issues at jboss.org
Thu Apr 25 12:59:00 EDT 2019


     [ https://issues.jboss.org/browse/ELY-1761?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Darran Lofthouse updated ELY-1761:
----------------------------------
    Fix Version/s: 2.0.0.Alpha4


> Unicode normalization in SASL client breaks some non-ASCII passwords
> --------------------------------------------------------------------
>
>                 Key: ELY-1761
>                 URL: https://issues.jboss.org/browse/ELY-1761
>             Project: WildFly Elytron
>          Issue Type: Bug
>          Components: SASL
>    Affects Versions: 1.7.0.Final
>            Reporter: Philippe Marschall
>            Assignee: Darran Lofthouse
>            Priority: Major
>             Fix For: 1.9.0.CR3, 2.0.0.Alpha4
>
>
> We have users that use U+00A8 ([diaeresis|https://en.wikipedia.org/wiki/Diaeresis_(diacritic)]) as an Active Directory password. They can not log in using the Elytron LDAP realm. Here's the sequence of events:
> * PlainSaslClient.evaluateChallenge calls StringPrep.encode with the profile StringPrep.PROFILE_SASL_STORED https://github.com/wildfly-security/wildfly-elytron/blob/fd74e43caf3e701971b021c3ba8474e83065d049/sasl/plain/src/main/java/org/wildfly/security/sasl/plain/PlainSaslClient.java#L95
> * StringPrep.PROFILE_SASL_STORED ors PROFILE_SASL_QUERY which ors NORMALIZE_KC https://github.com/wildfly-security/wildfly-elytron/blob/fd74e43caf3e701971b021c3ba8474e83065d049/sasl/base/src/main/java/org/wildfly/security/sasl/util/StringPrep.java#L67
> * StringPrep.encode then normalises using NFKC which replaces U+00A8 with U+0020 U+0308 https://github.com/wildfly-security/wildfly-elytron/blob/fd74e43caf3e701971b021c3ba8474e83065d049/sasl/base/src/main/java/org/wildfly/security/sasl/util/StringPrep.java#L199
> * Active Directory rejects the login
> We would be willing to work on a patch but we need some guidance on the desired solution. A simple solution would be a new profile in StringPrep that doesn't normalize and is used for passwords.
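The sequence in the report can be reproduced outside Elytron, since the damage is done by Unicode NFKC itself rather than by anything specific to StringPrep. The following is an added example, not code from the issue or from WildFly Elytron: `client_encode`, `server_accepts` and `audit` are hypothetical helpers that model the client-side normalization step and a directory that compares the presented password byte-for-byte, and the sample passwords are constructed (the U+00A8 case is the one from the report; the others show where NFKC is and is not a no-op, so an administrator can audit which existing passwords would be affected).

```python
import unicodedata

# Constructed sample passwords (not real credentials). The U+00A8 case is the one
# from the issue report; the others show where NFKC is and is not a no-op.
SAMPLE_PASSWORDS = {
    "diaeresis": "pa\u00a8ss",       # U+00A8 DIAERESIS, as in the report
    "ascii": "plainASCII1",          # ASCII is never changed by NFKC
    "precomposed_e": "caf\u00e9",    # U+00E9 decomposes and recomposes to itself
    "ligature": "\ufb01le",          # U+FB01 'fi' ligature becomes the two letters "fi"
}


def client_encode(password: str, normalize_kc: bool) -> str:
    """Model of the client-side StringPrep step described in the report.

    Hypothetical helper, not Elytron's API: with normalize_kc=True the password
    goes through NFKC before it is sent (the PROFILE_SASL_STORED behaviour the
    report describes); with False it is sent exactly as typed.
    """
    return unicodedata.normalize("NFKC", password) if normalize_kc else password


def server_accepts(stored: str, presented: str) -> bool:
    """Model of a directory that compares the presented password byte-for-byte
    with the value the user set (the Active Directory behaviour in the report)."""
    return stored.encode("utf-8") == presented.encode("utf-8")


def audit(password: str) -> dict:
    """Report how NFKC changes a password and whether login would still succeed
    with and without the client-side normalization."""
    sent = client_encode(password, normalize_kc=True)
    return {
        "changed_by_nfkc": sent != password,
        "code_points_sent": [f"U+{ord(c):04X}" for c in sent],
        "login_ok_with_nfkc": server_accepts(password, sent),
        "login_ok_without_nfkc": server_accepts(password, client_encode(password, False)),
    }


if __name__ == "__main__":
    for name, pw in SAMPLE_PASSWORDS.items():
        print(name, audit(pw))
```

For the diaeresis password the audit shows U+00A8 being sent as U+0020 U+0308, so the byte-for-byte comparison fails exactly as the report describes, while the ASCII and precomposed-é passwords are unaffected and the ligature case is silently rewritten. The same `audit` function applied to a list of test passwords is a cheap way to estimate how many accounts a normalizing client profile would lock out before changing it.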



--
This message was sent by Atlassian Jira
(v7.12.1#712002)

