vt-middleware / passay

Password policy enforcement for Java.
http://www.passay.org

AllowedRegexRule passes the validation of a non compliant password #150

Closed IntelMaxC closed 8 months ago

IntelMaxC commented 9 months ago

Let String regexp = "^\\p{IsAlphabetic}+"; be the regular expression that allows letters only.

The corresponding rule of Passay is defined as

import static java.util.regex.Pattern.UNICODE_CHARACTER_CLASS;
import org.passay.AllowedRegexRule;
import org.passay.PasswordData;
import org.passay.PasswordValidator;

AllowedRegexRule allowedRegexRule = new AllowedRegexRule(regexp, UNICODE_CHARACTER_CLASS);
PasswordValidator validator = new PasswordValidator(allowedRegexRule);

The validation passes for all strings starting with at least one character allowed by the regular expression:

validator.validate(new PasswordData("hello!"));

returns true, even if the exclamation mark character is not allowed by the regular expression.

Analysis: The AllowedRegexRule.validate method (at line 64) uses Matcher.find instead of Matcher.matches.

dfish3r commented 9 months ago

We use find to support both use cases. You can do a partial match or complete match based on your requirements.

In order to perform an entire match you would add an end-of-line character to your regex: ^\\p{IsAlphabetic}+$
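The following is an added example, not code from the thread or from the Passay project, showing the behaviour discussed above side by side: Matcher.find (what AllowedRegexRule uses) versus Matcher.matches, with the reporter's unanchored regex and the anchored form suggested in the reply. It assumes Passay is on the classpath and Java 9 or later (for List.of); the \p{IsAlphabetic} property needs no UNICODE_CHARACTER_CLASS flag, so the single-argument AllowedRegexRule constructor is used. The "hello\n" sample is constructed to show a caveat of Java's default $ anchor: it matches before a final line terminator, whereas \z matches only at the true end of input.

```java
import java.util.List;
import java.util.regex.Pattern;

import org.passay.AllowedRegexRule;
import org.passay.PasswordData;
import org.passay.PasswordValidator;
import org.passay.RuleResult;

/**
 * Demonstrates why "^\p{IsAlphabetic}+" accepts "hello!" when evaluated with
 * Matcher.find(), and how anchoring the regex makes find() and matches() agree.
 * Added example; not part of Passay.
 */
public class AnchoredRegexDemo {

    // The reporter's regex (unanchored at the end) and the anchored form from the reply.
    static final String UNANCHORED = "^\\p{IsAlphabetic}+";
    static final String ANCHORED   = "^\\p{IsAlphabetic}+$";
    // Stricter end anchor: \z does not tolerate a trailing line terminator, $ does.
    static final String STRICT     = "^\\p{IsAlphabetic}+\\z";

    /** Mirrors what AllowedRegexRule does internally: Matcher.find(), a partial match. */
    static boolean findAccepts(String regex, String password) {
        return Pattern.compile(regex).matcher(password).find();
    }

    /** What the reporter expected: Matcher.matches(), i.e. the whole input must match. */
    static boolean matchesAccepts(String regex, String password) {
        return Pattern.compile(regex).matcher(password).matches();
    }

    /** Runs the real Passay rule and returns whether the password is considered valid. */
    static boolean passayAccepts(String regex, String password) {
        PasswordValidator validator = new PasswordValidator(new AllowedRegexRule(regex));
        RuleResult result = validator.validate(new PasswordData(password));
        return result.isValid();
    }

    public static void main(String[] args) {
        // Constructed sample inputs: ASCII letters, a Unicode letter, trailing punctuation,
        // digits, an empty string and a trailing newline.
        List<String> samples = List.of("hello", "h\u00e9llo", "hello!", "hello123", "123", "", "hello\n");

        System.out.printf("%-12s %-14s %-14s %-14s %-16s %-14s%n",
            "password", "find(unanch.)", "find($)", "find(\\z)", "passay(unanch.)", "passay($)");
        for (String pw : samples) {
            String shown = "\"" + pw.replace("\n", "\\n") + "\"";
            System.out.printf("%-12s %-14b %-14b %-14b %-16b %-14b%n", shown,
                findAccepts(UNANCHORED, pw),
                findAccepts(ANCHORED, pw),
                findAccepts(STRICT, pw),
                passayAccepts(UNANCHORED, pw),
                passayAccepts(ANCHORED, pw));
        }

        // Once the regex is anchored at both ends, find() can no longer accept a
        // string that matches() would reject: the two evaluations agree on every input.
        for (String pw : samples) {
            if (findAccepts(ANCHORED, pw) != matchesAccepts(ANCHORED, pw)) {
                throw new IllegalStateException("find/matches disagree on " + pw);
            }
        }
        System.out.println("anchored regex: find() and matches() agree on all samples");
    }
}
```

Run it with Passay on the classpath. "hello!" and "hello123" show true in the unanchored columns and false in the anchored ones, which is the exact behaviour from the report. The last row shows that "$" still accepts "hello\n" under Java's default (non-MULTILINE) semantics; if a policy must reject a trailing newline, "\z" is the anchor to use.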

IntelMaxC commented 8 months ago

Ok, clear. Thank you so much for the support.