Niko Usai created JAMES-3868:

             Summary: Cannot handle IMAP PLAIN login with password longer than 
255 char
                 Key: JAMES-3868
             Project: James Server
          Issue Type: Bug
    Affects Versions: 3.6.0
            Reporter: Niko Usai

There is a bug, in my opinion, in how `AuthenticateProcessor` handles PLAIN 
login omitting authorization identity.
The fact is when authorization identity is blank the password field is parsed 
with Username.of() that has the 255 char limitation, and it expects to raise an 
exception when looking for the 3rd missing argument, where the password should 
be, which has not this limitation.
These leads to an "IllegalArgumentException" of the Username class creating an 
invalid AuthenticationAttempt.

String userpass = new String(Base64.getDecoder().decode(initialClientResponse));
StringTokenizer authTokenizer = new StringTokenizer(userpass, "\0");
String token1 = authTokenizer.nextToken();  // Authorization Identity
token2 = authTokenizer.nextToken();                 // Authentication Identity
try {
    return delegation(Username.of(token1), Username.of(token2), 
} catch (java.util.NoSuchElementException ignored) {
    // If we got here, this is what happened.  RFC 2595
    // says that "the client may leave the authorization {code}


This message was sent by Atlassian Jira

To unsubscribe, e-mail:
For additional commands, e-mail:

Reply via email to