[ http://issues.apache.org/jira/browse/DIRSERVER-582?page=comments#action_12367106 ] Emmanuel Lecharny commented on DIRSERVER-582: --------------------------------------------- We have the same probelm in getAlgorithmForHashedPassword method : sPassword = new String( ( byte[] ) password ); is wrong, it should be sPassword = StringTools.utf8ToString( ( byte[] ) password ); > <potential bug in password comparison > ------------------------------------- > > Key: DIRSERVER-582 > URL: http://issues.apache.org/jira/browse/DIRSERVER-582 > Project: Directory ApacheDS > Type: Bug > Versions: 1.0-RC2 > Reporter: Emmanuel Lecharny > > While stepping throgh the Bind code base, I saw that the password is compared using its byte[] representation : > userPassword = ( ( String ) userPassword ).getBytes(); > ... > credentialsMatch = ArrayUtils.isEquals( creds, userPassword ); > in SimpleAuthenticator class. The problem is that ( ( String ) userPassword ).getBytes() may returns a wrong string if the password contains UTF-8 chars but the local encoding is not UTF-8 (W$ users, mainly, who use ISO-8859-1) > This line should be : userPassword = StringTools.getBytesUtf8( ( String ) userPassword ); > Of course, the password *must* be contained in a UTF-8 file (server.xml must be declared as UTF-8 encoded) -- This message is automatically generated by JIRA. - If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa - For more information on JIRA, see: http://www.atlassian.com/software/jira