[jboss-jira] [JBoss JIRA] (ELY-1761) Unicode normalization in SASL client breaks some non-ASCII passwords
Philippe Marschall (Jira)
issues at jboss.org
Fri Mar 8 03:59:00 EST 2019
[ https://issues.jboss.org/browse/ELY-1761?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Philippe Marschall updated ELY-1761:
------------------------------------
Steps to Reproduce:
* Connect a WildFly to an Active Directory instance using the LDAP realm.
* Set your Active Directory password to something with a diaeresis (¨), e.g. "aaaaaa¨". Do not use a composed character like ä; as far as we can tell those are working.
* Try to log in to WildFly using something that uses SASL, e.g. remote EJB.
was:
* Connect a WildFly to an Active Directory instance using the LDAP realm.
* Set your Active Directory password to something with a diaeresis (¨) "aaaaaa¨". Do not use a composed character like ä, as far as we can tell they are working.
* Try to log in to WildFly using something that uses SASL, eg. remote EJB.
> Unicode normalization in SASL client breaks some non-ASCII passwords
> --------------------------------------------------------------------
>
> Key: ELY-1761
> URL: https://issues.jboss.org/browse/ELY-1761
> Project: WildFly Elytron
> Issue Type: Bug
> Components: SASL
> Affects Versions: 1.7.0.Final
> Reporter: Philippe Marschall
> Priority: Major
>
> We have users that use U+00A8 ([diaeresis|https://en.wikipedia.org/wiki/Diaeresis_(diacritic)]) in an Active Directory password. They cannot log in using the Elytron LDAP realm. Here's the sequence of events:
> * PlainSaslClient.evaluateChallenge calls StringPrep.encode with the profile StringPrep.PROFILE_SASL_STORED https://github.com/wildfly-security/wildfly-elytron/blob/fd74e43caf3e701971b021c3ba8474e83065d049/sasl/plain/src/main/java/org/wildfly/security/sasl/plain/PlainSaslClient.java#L95
> * StringPrep.PROFILE_SASL_STORED ORs in PROFILE_SASL_QUERY, which ORs in NORMALIZE_KC https://github.com/wildfly-security/wildfly-elytron/blob/fd74e43caf3e701971b021c3ba8474e83065d049/sasl/base/src/main/java/org/wildfly/security/sasl/util/StringPrep.java#L67
> * StringPrep.encode then normalises using NFKC which replaces U+00A8 with U+0020 U+0308 https://github.com/wildfly-security/wildfly-elytron/blob/fd74e43caf3e701971b021c3ba8474e83065d049/sasl/base/src/main/java/org/wildfly/security/sasl/util/StringPrep.java#L199
> * Active Directory rejects the login
> We would be willing to work on a patch, but we need some guidance on the desired solution. A simple solution would be a new profile in StringPrep that doesn't normalize and is used for passwords.
--
This message was sent by Atlassian Jira
(v7.12.1#712002)
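The sequence of events in the report, reproduced as an added example that is not part of the issue or of the Elytron code base: a stand-in for a StringPrep profile that NFKC-normalises before encoding, beside a non-normalising one, plus a helper that lists which characters of a password NFKC rewrites. `nfkc_prep`, `no_normalize_prep` and `nfkc_changes` are hypothetical names chosen here, not Elytron APIs.

```python
# Added example (not Elytron code). Demonstrates why a password containing
# U+00A8 fails after client-side NFKC normalisation while a precomposed
# "ä" (U+00E4) survives it: NFKC maps U+00A8 to U+0020 U+0308, so the bytes
# the SASL client sends no longer match the bytes the directory stored.
import unicodedata


def nfkc_prep(password):
    """Stand-in for a profile that NFKC-normalises, then UTF-8 encodes
    (the behaviour the report attributes to PROFILE_SASL_STORED)."""
    return unicodedata.normalize("NFKC", password).encode("utf-8")


def no_normalize_prep(password):
    """Stand-in for the non-normalising password profile the report proposes:
    encode the password exactly as typed."""
    return password.encode("utf-8")


def nfkc_changes(password):
    """Return (original, NFKC form) pairs for every character NFKC rewrites.

    Lets an operator check whether a stored password would survive the
    client-side normalisation before users hit a login failure."""
    return [
        (ch, unicodedata.normalize("NFKC", ch))
        for ch in password
        if unicodedata.normalize("NFKC", ch) != ch
    ]


def code_points(encoded):
    """Render UTF-8 bytes as a space-separated list of U+XXXX code points."""
    return " ".join("U+%04X" % ord(c) for c in encoded.decode("utf-8"))


if __name__ == "__main__":
    # Constructed sample passwords: the failing one from the report and the
    # composed-character one the reporter says still works.
    for pw in ("aaaaaa\u00a8", "aaaaaa\u00e4"):
        client = nfkc_prep(pw)
        stored = no_normalize_prep(pw)
        print(repr(pw), code_points(client),
              "matches stored" if client == stored else "MISMATCH",
              nfkc_changes(pw))
```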