[ https://issues.apache.org/jira/browse/SHIRO-483?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14090497#comment-14090497 ]
Christian Schröder commented on SHIRO-483:
------------------------------------------
The way it is makes the security of the system dependent on the locale the
application is started with. Maybe the upper- and lowercasing for technical
identifiers (like permission strings) should be done by default with Locale.US.
It might not always be convenient, but at least it is well-defined behavior,
which IMO is more important, especially in the context of security.

It might be necessary to have this configurable, but I doubt it. These
permission strings are mostly technical, and due to the awful history of charset
encodings I think most people stick to ASCII anyway.

Some background on Turkish case rules:
http://www.i18nguy.com/unicode/turkish-i18n.html

> passwordsMatch() returns false with right plain password-encrypted password
> in JVM with default locale tr_TR
> ------------------------------------------------------------------------------------------------------------
>
> Key: SHIRO-483
> URL: https://issues.apache.org/jira/browse/SHIRO-483
> Project: Shiro
> Issue Type: Bug
> Components: Authentication (log-in)
> Affects Versions: 1.2.2
> Environment: JVM Locale tr_TR
> Reporter: Salih ERİKCİ
> Labels: password
> Fix For: 1.2.3
>
> Original Estimate: 168h
> Remaining Estimate: 168h
>
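> import org.apache.shiro.authc.credential.DefaultPasswordService;
> import org.apache.shiro.authc.credential.PasswordService;
>
> public class Main {
>     public static void main(String[] args) {
>         PasswordService psd = new DefaultPasswordService();
>         String password = "333";
>         // Hash the plaintext, then verify it against its own hash
>         String enc = psd.encryptPassword(password);
>         System.out.print(psd.passwordsMatch(password, enc));
>     }
> }
>
> The above code outputs "false" on a JVM which has default locale tr_TR; the
> following outputs "true":
>
> import java.util.Locale;
> import org.apache.shiro.authc.credential.DefaultPasswordService;
> import org.apache.shiro.authc.credential.PasswordService;
>
> public class Main {
>     public static void main(String[] args) {
>         PasswordService psd = new DefaultPasswordService();
>         String password = "333";
>         String enc = psd.encryptPassword(password);
>         // Switch the JVM default locale before verifying
>         Locale.setDefault(Locale.ENGLISH);
>         System.out.print(psd.passwordsMatch(password, enc));
>     }
> }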
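The locale dependence discussed in the comment above, as an added example that is not part of the original message and is not Shiro's code: a hypothetical permission check that normalizes case with a caller-supplied locale. The class name, the permission strings and the granted set are constructed for illustration; Java 9+ is assumed for Set.of.

```java
import java.util.Locale;
import java.util.Set;

public class LocaleCaseDemo {

    // Constructed sample data: permissions stored in lower-case ASCII.
    static final Set<String> GRANTED = Set.of("admin:write", "file:read");

    // Normalizes the requested permission with the given locale before lookup.
    // Calling toLowerCase() with no argument behaves like passing
    // Locale.getDefault(), which is the situation the comment describes.
    static boolean isPermitted(String requested, Locale locale) {
        return GRANTED.contains(requested.toLowerCase(locale));
    }

    public static void main(String[] args) {
        Locale turkish = Locale.forLanguageTag("tr-TR");
        String requested = "ADMIN:WRITE";

        // Under Turkish case rules 'I' lower-cases to dotless 'ı' (U+0131),
        // so the normalized string no longer equals the stored ASCII form.
        System.out.println("tr-TR lower-case : " + requested.toLowerCase(turkish));
        System.out.println("tr-TR permitted  : " + isPermitted(requested, turkish));

        // A fixed locale (Locale.US, as the comment suggests) gives the same
        // result on every JVM, whatever locale it was started with.
        System.out.println("US lower-case    : " + requested.toLowerCase(Locale.US));
        System.out.println("US permitted     : " + isPermitted(requested, Locale.US));

        // The reverse direction is affected too: 'i' upper-cases to dotted
        // 'İ' (U+0130) under tr-TR, so upper-case lookups break as well.
        System.out.println("tr-TR upper-case : " + "file:read".toUpperCase(turkish));
        System.out.println("US upper-case    : " + "file:read".toUpperCase(Locale.US));
    }
}
```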