Ove,
  The plain text authenticator will allow logging in using the hash value. Or else,
clients sending the MD5 hash will fail to log in. This is primarily for backward
compatibility.
To avoid logging in using the hash value itself, the plain text authenticator can be
removed from the auth adapter list, provided the client sends plain text instead of
the hash.

~kishan

> -----Original Message-----
> From: Ove Ewerlid [mailto:ove.ewer...@oracle.com]
> Sent: Thursday, 16 May 2013 5:33 PM
> To: dev@cloudstack.apache.org; Kishan Kavala
> Subject: Re: Review Request: Added PlainTextAuthenticator
> 
> Hi Kishan!
> 
> Did you verify that adding the plain text authenticator will not allow login
> using the hash value itself?
> 
> 
> from AccountManagerImpl.java;
>   ... getUserAccount ...
>   ...
>   boolean authenticated = false;
>   for (UserAuthenticator authenticator : _userAuthenticators) {
>       if (authenticator.authenticate(username, password, domainId, requestParameters)) {
>           authenticated = true;
>           break;
>       }
>   }
>   ...
> 
> /Ove
> 
> On 05/16/2013 12:39 PM, Kishan Kavala wrote:
> >
> > -----------------------------------------------------------
> > This is an automatically generated e-mail. To reply, visit:
> > https://reviews.apache.org/r/11194/
> > -----------------------------------------------------------
> >
> > Review request for cloudstack and Chip Childers.
> >
> >
> > Summary (updated)
> > -----------------
> >
> > Added PlainTextAuthenticator
> >
> >
> > Description (updated)
> > -------
> >
> > Added PlainTextAuthenticator for backward compatibility. Removed MD5
> auth from PlainTextAuthenticator. It just does plain text compare.
> >
> >
> > This addresses bug CLOUDSTACK-2516.
> >
> >
> > Diffs (updated)
> > -----
> >
> >    client/tomcatconf/applicationContext.xml.in 849c0bc
> >    client/tomcatconf/componentContext.xml.in ecd4a11
> >    plugins/user-authenticators/plain-text/src/com/cloud/server/auth/PlainTextUserAuthenticator.java 52e7cb3
> >
> > Diff: https://reviews.apache.org/r/11194/diff/
> >
> >
> > Testing (updated)
> > -------
> >
> > Tested login with password sent as both MD5 hash and plaintext
> >
> >
> > Thanks,
> >
> > Kishan Kavala
> >
> >
> 
> 
> --
> Ove Everlid
> System Administrator / Architect / SDN & Linux hacker
> Mobile: +46706662363
> Office: +4618656913 (note EMEA Time Zone)
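The point Ove raises and Kishan confirms is a property of the authenticator chain quoted above: the first adapter that accepts the credential wins, so whatever the weakest adapter in the list accepts becomes a valid login. The model below is an added illustration, not CloudStack code; the class names, the in-memory user store and the `login()` helper are assumptions, and the stored credential is an MD5 hex digest as the thread implies. It shows that with both adapters enabled the stored hash itself logs in (pass-the-hash against the API), and that dropping the plain text adapter closes that path only if clients then send the clear-text password.

```python
"""Model of a first-match authenticator chain (added example, not CloudStack code)."""
import hashlib
import hmac
from typing import Dict, List, Protocol

# Constructed user store: username -> stored MD5 hex digest of the password.
USERS: Dict[str, str] = {
    "admin": hashlib.md5(b"password").hexdigest(),
}


class UserAuthenticator(Protocol):
    def authenticate(self, username: str, password: str) -> bool: ...


class MD5UserAuthenticator:
    """Client sends the clear-text password; hash it and compare with the store."""

    def authenticate(self, username: str, password: str) -> bool:
        stored = USERS.get(username)
        if stored is None:
            return False
        digest = hashlib.md5(password.encode()).hexdigest()
        return hmac.compare_digest(digest.encode(), stored.encode())


class PlainTextUserAuthenticator:
    """Backward-compat adapter: compare what the client sent with the stored value.

    Because the stored value is the hash, a client that sends the hash matches.
    """

    def authenticate(self, username: str, password: str) -> bool:
        stored = USERS.get(username)
        if stored is None:
            return False
        return hmac.compare_digest(password.encode(), stored.encode())


def login(authenticators: List[UserAuthenticator], username: str, password: str) -> bool:
    """First adapter that accepts wins, as in the loop quoted from AccountManagerImpl."""
    for authenticator in authenticators:
        if authenticator.authenticate(username, password):
            return True
    return False


def demo() -> Dict[str, bool]:
    """Compare the two chain configurations discussed in the thread."""
    both = [MD5UserAuthenticator(), PlainTextUserAuthenticator()]
    md5_only = [MD5UserAuthenticator()]
    stored_hash = USERS["admin"]
    return {
        # Normal client behaviour works in both configurations.
        "clear_text_with_both": login(both, "admin", "password"),
        "clear_text_md5_only": login(md5_only, "admin", "password"),
        # With the plain text adapter in the chain, the hash itself is a valid credential.
        "hash_with_both": login(both, "admin", stored_hash),
        # Removing it rejects the hash; clients must send the clear-text password.
        "hash_md5_only": login(md5_only, "admin", stored_hash),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```

Note that the order of the adapters does not matter for the outcome, only their presence: the loop keeps trying until one accepts, so a stricter adapter placed first cannot veto a weaker one placed later.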