Bob Markle (Migrated from SEC-1764) said:
Fix - line 104: has been tested with "org.springframework.security.core_3.0.3.RELEASE" on z/OS 1.12
was: return prefix + new String(Base64.encode(hash));
change: return prefix + new String(Base64.encode(hash), "UTF-8");
MD4PasswordEncoder.java also looks like it has same issue.
Luke Taylor said:
Thanks for the report. I've updated password encoders to replace calls to new String(byte) with Utf8 encoded values.