[jboss-jira] [JBoss JIRA] (ELY-1761) Unicode normalization in SASL client breaks some non-ASCII passwords
Philippe Marschall (Jira)
issues at jboss.org
Fri Mar 8 03:19:00 EST 2019
Philippe Marschall created ELY-1761:
---------------------------------------
Summary: Unicode normalization in SASL client breaks some non-ASCII passwords
Key: ELY-1761
URL: https://issues.jboss.org/browse/ELY-1761
Project: WildFly Elytron
Issue Type: Bug
Components: SASL
Affects Versions: 1.7.0.Final
Reporter: Philippe Marschall
We have users that use U+00A8 ([diaeresis|https://en.wikipedia.org/wiki/Diaeresis_(diacritic)]) as an Active Directory password. They can not log in using the Elytron LDAP realm. Here's the sequence of events:
* PlainSaslClient.evaluateChallenge calls StringPrep.encode with the profile StringPrep.PROFILE_SASL_STORED https://github.com/wildfly-security/wildfly-elytron/blob/fd74e43caf3e701971b021c3ba8474e83065d049/sasl/plain/src/main/java/org/wildfly/security/sasl/plain/PlainSaslClient.java#L95
* StringPrep.PROFILE_SASL_STORED ors PROFILE_SASL_QUERY which ors NORMALIZE_KC https://github.com/wildfly-security/wildfly-elytron/blob/fd74e43caf3e701971b021c3ba8474e83065d049/sasl/base/src/main/java/org/wildfly/security/sasl/util/StringPrep.java#L67
* StringPrep.encode then normalises using NFKC which replaces U+00A8 with U+0020 U+0308 https://github.com/wildfly-security/wildfly-elytron/blob/fd74e43caf3e701971b021c3ba8474e83065d049/sasl/base/src/main/java/org/wildfly/security/sasl/util/StringPrep.java#L199
* Active Directory rejects the login
We would be wiling to work on a patch but we need some guidance on the desired solution. A simple solution would be a new profile in StringPrep that doesn't normalize and is used for passwords.
--
This message was sent by Atlassian Jira
(v7.12.1#712002)
More information about the jboss-jira
mailing list