On 05/16/2013 02:16 PM, Kishan Kavala wrote:
Ove,
   Plain text authenticator will allow logging in using the hash value. Or else, 
clients sending MD5 hash will fail to log in. This is primarily for backward 
compatibility.
To avoid logging in using the hash value itself, plain text authenticator can be 
removed from auth adapter list, provided the client sends plain text instead of 
hash.

I'm not seeing the plain-text authenticator in ACS4.0 list of authenticators (components.xml). MD5 and LDAP are listed. Help me out, where in ACS4.0 is the code to allow login using the password hash itself?

/Ove


~kishan

-----Original Message-----
From: Ove Ewerlid [mailto:ove.ewer...@oracle.com]
Sent: Thursday, 16 May 2013 5:33 PM
To: dev@cloudstack.apache.org; Kishan Kavala
Subject: Re: Review Request: Added PlainTextAuthenticator

Hi Kishan!

Did you verify that adding the plain text authenticator will not allow login
using the hash value itself?


from AccountManagerImpl.java;
   ... getUserAccount ...
   ...
           boolean authenticated = false;
           for(UserAuthenticator authenticator : _userAuthenticators) {
               if (authenticator.authenticate(username, password, domainId, requestParameters)) {
                   authenticated = true;
                   break;
               }
           }
   ...

/Ove

On 05/16/2013 12:39 PM, Kishan Kavala wrote:

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/11194/
-----------------------------------------------------------

Review request for cloudstack and Chip Childers.


Summary (updated)
-----------------

Added PlainTextAuthenticator


Description (updated)
-------

Added PlainTextAuthenticator for backward compatibility. Removed MD5
auth from PlainTextAuthenticator. It just does plain text compare.


This addresses bug CLOUDSTACK-2516.


Diffs (updated)
-----

    client/tomcatconf/applicationContext.xml.in 849c0bc
    client/tomcatconf/componentContext.xml.in ecd4a11
    plugins/user-authenticators/plain-text/src/com/cloud/server/auth/PlainTextUserAuthenticator.java 52e7cb3

Diff: https://reviews.apache.org/r/11194/diff/


Testing (updated)
-------

Tested login with password sent as both MD5 hash and plaintext


Thanks,

Kishan Kavala




--
Ove Everlid
System Administrator / Architect / SDN & Linux hacker
Mobile: +46706662363
Office: +4618656913 (note EMEA Time Zone)

