There is a bug in the way SASLAuthentication handles the challenge/response logic. When the client selects a SASL mechanism, it may pass an initial token to the server. This is minor, since none of the SASL methods supported (currently) will ever do this, but it is the way sasl works. I encountered this while trying to get GSSAPI working, which requires the initial token. Its an easy fix too:
Replace line 165 ( byte[] challenge = ss.evaluateResponse(new byte[0]); ) with this:
byte[] token = new byte[0];
if(doc.isTextOnly()) {
token = StringUtils.decodeBase64(doc.getText()).getBytes(CHARSET);
if(token == null) {
token = new byte[0];
}
}
byte[] challenge = ss.evaluateResponse(token);[/code]