RFC4616 states that if the authorization identity (authzid) parameter is
null, then it is derived from the authentication
identity (authcid). Smack currently sets both, authzid and authcid, to
the username, resulting in auth attempts of
userid\0userid\0password
instead of
userid\0password
Which are different users on most systems (e.g. Kerberos).
We now set only SASLMechanism.authenticationId to username. The
authenticate(String, CallbackHandler) method does now not longer receive
the username, as it's send by the CallbackHandler.
Florian Schmaus