Details
- Bug
- Status: Closed
- Major
- Resolution: Fixed
- 1.0-RC2
Description
While stepping through the Bind code base, I saw that the password is compared using its byte[] representation:
userPassword = ( ( String ) userPassword ).getBytes();
...
credentialsMatch = ArrayUtils.isEquals( creds, userPassword );
in the SimpleAuthenticator class. The problem is that ( ( String ) userPassword ).getBytes() may return a wrong string if the password contains UTF-8 chars but the local encoding is not UTF-8 (W$ users, mainly, who use ISO-8859-1).
This line should be: userPassword = StringTools.getBytesUtf8( ( String ) userPassword );
Of course, the password must be contained in a UTF-8 file (server.xml must be declared as UTF-8 encoded).
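The mismatch described in this report can be reproduced with the JDK alone. The following is an added example, not part of the original report or the project's code: the class name, the sample passwords and the use of ISO-8859-1 as a stand-in for a non-UTF-8 platform default are constructed for illustration, and it assumes the client sends the credential as UTF-8 bytes.

```java
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

public class EncodingMismatchDemo {

    // Mirrors the reported comparison: encode the stored password with the
    // given charset and compare it with the credential bytes from the bind.
    static boolean credentialsMatch(byte[] creds, String storedPassword, Charset charset) {
        byte[] userPassword = storedPassword.getBytes(charset);
        return Arrays.equals(creds, userPassword);
    }

    public static void main(String[] args) {
        // Constructed sample password with two non-ASCII letters, written
        // with escapes so the demo does not depend on the source encoding.
        String stored = "p\u00e4ssw\u00f6rd";

        // Assumption: the client sends the credential as UTF-8 bytes.
        byte[] creds = stored.getBytes(StandardCharsets.UTF_8);

        // ISO-8859-1 stands in for a non-UTF-8 platform default, i.e. the
        // charset the no-argument getBytes() would pick on such a host.
        boolean legacy = credentialsMatch(creds, stored, StandardCharsets.ISO_8859_1);
        boolean utf8 = credentialsMatch(creds, stored, StandardCharsets.UTF_8);

        System.out.println("platform default charset      : " + Charset.defaultCharset());
        System.out.println("credential length (UTF-8)     : " + creds.length);
        System.out.println("stored length (ISO-8859-1)    : "
                + stored.getBytes(StandardCharsets.ISO_8859_1).length);
        System.out.println("match with ISO-8859-1 encoding: " + legacy);
        System.out.println("match with UTF-8 encoding     : " + utf8);

        // An ASCII-only password encodes identically in both charsets, so
        // the defect stays hidden until a non-ASCII password is configured.
        byte[] ascii = "secret".getBytes(StandardCharsets.UTF_8);
        System.out.println("ASCII match with ISO-8859-1   : "
                + credentialsMatch(ascii, "secret", StandardCharsets.ISO_8859_1));
    }
}
```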