It's not a good idea to iterate over all authenticators; if the real authenticator fails for some reason (if it's not able to handle some exception properly), it will continue on to invalid authenticators and may result in a wrong value/result.
Thanks
Rajesh Battala

-----Original Message-----
From: Ian Duffy [mailto:i...@ianduffy.ie]
Sent: Friday, September 13, 2013 2:52 AM
To: CloudStack Dev
Subject: Re: plain text authenticator

> Don't authenticators work as plugins in CloudStack with the plain text
> authenticator as default? I think we should leave it for the customer to
> decide whether he wants to disable or keep the authenticator.

Couldn't agree more with this! Going through each authenticator until a
successful result is found is horrible!

On 12 September 2013 19:09, Frank Zhang <frank.zh...@citrix.com> wrote:

> Are all authentication plugins loaded by default and working in an
> authentication chain?
> Otherwise why should we keep the hash type in the DB?
>
> > -----Original Message-----
> > From: Darren Shepherd [mailto:darren.s.sheph...@gmail.com]
> > Sent: Thursday, September 12, 2013 9:56 AM
> > To: dev@cloudstack.apache.org
> > Subject: plain text authenticator
> >
> > So if you set your password as blah and it gets hashed to xyz and stored
> > in the users table. Because of the plain text authenticator, you can use
> > that hashed value as your password now. So specifically the below will
> > work.
> >
> > http://localhost:8080/client/api?command=login&username=user&password=blah
> >
> > http://localhost:8080/client/api?command=login&username=user&password=xyz
> >
> > This seems bad. Go and try it yourself (just be careful about URL
> > encoding, + should be %2b). So because of the existence of the plain text
> > authenticator, passwords are still plain text, but they just happen to be
> > long random strings. Typically in an auth system you store the hashing
> > type with the hashed value. So then the plain text authenticator would
> > not even attempt to compare values, because it would see the value was
> > hashed by a different authenticator.
> >
> > Darren
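The flaw Darren describes, and the "store the hash type with the hash" fix he and Frank allude to, as an added stand-alone illustration that is not CloudStack's own code. The salted SHA-256 scheme, the user records, the salt, and the `TYPE:value` storage format are constructed for the example; the chain in `login_chain` mirrors the behaviour the thread objects to, and `login_typed` shows the dispatch-by-type alternative, including Rajesh's point that an authenticator error must fail the login rather than fall through to the next plugin.

```python
"""Toy authenticator chain vs. typed dispatch (constructed example, not CloudStack code)."""
import hashlib
import hmac


def sha256_salted(password: str, salt_hex: str) -> str:
    """Hex digest of salt || password. Constructed scheme for the demo only."""
    return hashlib.sha256(bytes.fromhex(salt_hex) + password.encode()).hexdigest()


class Sha256Authenticator:
    """Accepts a password if its salted hash matches the stored value."""
    hash_type = "SHA256"

    def authenticate(self, password: str, stored: str, salt: str) -> bool:
        return hmac.compare_digest(sha256_salted(password, salt), stored)


class PlainTextAuthenticator:
    """Accepts a password if it equals the stored value byte for byte."""
    hash_type = "PLAINTEXT"

    def authenticate(self, password: str, stored: str, salt: str) -> bool:
        return hmac.compare_digest(password.encode(), stored.encode())


# Constructed user table. The stored value is a SHA-256 hash, but nothing in
# the record says so: this is the situation the thread describes.
SALT = "00112233445566778899aabbccddeeff"
USERS_UNTYPED = {"user": {"stored": sha256_salted("blah", SALT), "salt": SALT}}

CHAIN = [Sha256Authenticator(), PlainTextAuthenticator()]


def login_chain(username: str, password: str) -> bool:
    """Vulnerable: try every authenticator until one says yes.

    Because the plain text authenticator compares against the same stored
    column, the stored hash itself is accepted as a valid password.
    """
    record = USERS_UNTYPED.get(username)
    if record is None:
        return False
    for auth in CHAIN:
        if auth.authenticate(password, record["stored"], record["salt"]):
            return True
    return False


# Fixed variant: the stored credential carries its hash type ("TYPE:value" is
# a constructed format), and login consults only the matching authenticator.
def store_typed(password: str, salt: str, hash_type: str = "SHA256") -> str:
    if hash_type == "SHA256":
        return f"{hash_type}:{sha256_salted(password, salt)}"
    if hash_type == "PLAINTEXT":
        return f"{hash_type}:{password}"
    raise ValueError(f"unknown hash type {hash_type!r}")


USERS_TYPED = {"user": {"stored": store_typed("blah", SALT), "salt": SALT}}
REGISTRY = {a.hash_type: a for a in CHAIN}


def login_typed(username: str, password: str) -> bool:
    """Dispatch to exactly one authenticator, chosen by the stored hash type."""
    record = USERS_TYPED.get(username)
    if record is None:
        return False
    hash_type, _, stored = record["stored"].partition(":")
    auth = REGISTRY.get(hash_type)
    if auth is None:
        # No plugin registered for this type: fail closed, never fall through.
        return False
    try:
        return auth.authenticate(password, stored, record["salt"])
    except Exception:
        # A failing authenticator is a failed login, not a cue to try another.
        return False
```

With the chain, `login_chain("user", USERS_UNTYPED["user"]["stored"])` succeeds, which is the hash-as-password behaviour from the thread; with typed storage, the same call against `login_typed` is rejected because the plain text plugin is never consulted for a `SHA256` record.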