On 08/04/2011 11:00 PM, Lukas Zeller wrote:
Hello Andris,

On Aug 4, 2011, at 15:22 , Andris Pavenis wrote:

There is a note in TPluginApiAgent::CheckLogin() that plain text authentication
is impossible when the plugin uses password verification type
Password_MD5_Nonce_IN.

I guess it is still possible, as one has access to
- user name
- password
- nonce value (it may however be queried at the beginning of the method)
From these data one can generate MD5(MD5(user:pwd):nonce)
to provide to the plugin for authentication. This situation is useful
when the real authentication check is provided by another server outside
the libsynthesis plugin and this server does not provide outside
access to either the password or MD5(user:pwd).

Makes perfect sense. Thanks for the patch! Would you mind entering the 
contributor agreement (see explanation and link at 
http://www.synthesis.ch/indefero/index.php/p/libsynthesis/), so I can include 
the patch into the libsynthesis repo?

I don't recall why I decided to reject plain text auth with a DB that can check 
MD5+nonce when I wrote that code. Probably I didn't believe that clients would 
actually use plain text auth any more. But as you point out, using it is not 
completely insane if transport is always SSL (I hope it is, in case of that 
Funambol client?).

Still, I see no reason why any client should still use plain text. It's simply 
bad practice to transmit original secrets. Of course you can't intercept them 
from the SSL connection, but all layers of the software at the server end of 
the SSL connection will see and pass that secret around. That does not speak 
against your patch, of course!

Attached is some very preliminary patch to include support
for plain text login in this case. It does not check config setting
whether plain text authorisation should be allowed at all
(plain text login is not so bad evil in case of using SSL).
There's no need to check that in the plugin. Checking if plain text auth is 
allowed at all in the config is done in SyncSession for all types of DB 
backends (after asking the plugin - so even if the plugin says ok, but config 
disallows plain text, the login will be rejected).

With this patch authentication of the Funambol Android client
from Android Market (which uses plain text login and XML)
succeeded, even if this client still does not work with a
libsynthesis based server (and it seems that I'll have to give
up attempting to get it working).
:-( What kind of other obstacles did you run into with that client?
After authentication was fixed by applying a patch
- the next problem was that Funambol client tried to synchronize datastore 'configuration' (name on server side)
  which was not found
- I put something in libsynthesis XML configuration and our server database.

After that the client tried to do a normal synchronization (alert code 200). The server responded that slow synchronization is required (code 508). The client gave up and reported an error. This all happened when I tried to configure the client. When these steps did not succeed the client did not even store the server parameters (URL, user name and password),
so I did not get so far that I could test real synchronization.

It looks like the Funambol Android client requires some special handling on the server side that is perhaps only
implemented in their server.

Andris
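The MD5+nonce scheme discussed in this thread, written out as an added example (this is not libsynthesis or Funambol code and not Andris' patch). It follows the SyncML 1.1 syncml:auth-md5 encoding, B64(MD5(B64(MD5(user:pwd)):nonce)); whether the libsynthesis plugin wants the inner hash base64-encoded, hex-encoded or raw is not stated in the thread, so that byte layout is an assumption here. The `HashOnlyBackend` class, the sample user list and the fixed nonce are constructed for the example. It shows the two points of the discussion: a backend that holds only MD5(user:pwd) can still verify a nonce digest, and a server that received a plain-text login can turn it into that same digest itself instead of rejecting the login.

```python
"""Added example: SyncML-style MD5+nonce credential, built either from a
stored MD5(user:pwd) hash or, as in the patch discussed above, from a
plain-text login the server received over SSL."""
import base64
import hashlib
import hmac
import secrets


def _b64_md5(data: bytes) -> bytes:
    """B64(MD5(data)), the building block of syncml:auth-md5."""
    return base64.b64encode(hashlib.md5(data).digest())


def user_pwd_hash(user: str, password: str) -> bytes:
    """B64(MD5(user:pwd)): the per-user secret a backend may store
    instead of the password (encoding of the inner hash is an assumption)."""
    return _b64_md5(f"{user}:{password}".encode("utf-8"))


def md5_nonce_digest(user_pwd_hash_b64: bytes, nonce: bytes) -> bytes:
    """B64(MD5(B64(MD5(user:pwd)):nonce)). Only the stored hash and the
    nonce are needed; the password itself never has to be available."""
    return _b64_md5(user_pwd_hash_b64 + b":" + nonce)


def digest_from_plain_login(user: str, password: str, nonce: bytes) -> bytes:
    """What the patch does: given a plain-text login, compute the same
    digest the client would have sent had it used auth-md5 with this nonce."""
    return md5_nonce_digest(user_pwd_hash(user, password), nonce)


def new_nonce(nbytes: int = 16) -> bytes:
    """Server-side nonce; must be fresh per challenge so a captured digest
    cannot be replayed."""
    return base64.b64encode(secrets.token_bytes(nbytes))


class HashOnlyBackend:
    """Constructed stand-in for an external auth server that exposes
    neither the password nor a raw check, only MD5+nonce verification."""

    def __init__(self, users: dict):
        # users maps user name -> plain password; only the hash is kept.
        self._hashes = {u: user_pwd_hash(u, p) for u, p in users.items()}

    def check_md5_nonce(self, user: str, nonce: bytes, presented: bytes) -> bool:
        stored = self._hashes.get(user)
        if stored is None:
            return False
        expected = md5_nonce_digest(stored, nonce)
        # constant-time compare so the check does not leak via timing
        return hmac.compare_digest(expected, presented)

    def check_plain_via_nonce(self, user: str, password: str, nonce: bytes) -> bool:
        """Plain-text login routed through the nonce check, as the patch
        proposes for a Password_MD5_Nonce_IN plugin."""
        return self.check_md5_nonce(
            user, nonce, digest_from_plain_login(user, password, nonce))


if __name__ == "__main__":
    backend = HashOnlyBackend({"alice": "s3cret"})   # constructed sample user
    nonce = new_nonce()
    print("plain via nonce:", backend.check_plain_via_nonce("alice", "s3cret", nonce))
    print("wrong password: ", backend.check_plain_via_nonce("alice", "wrong", nonce))
```

Note that once the digest is computed from the plain-text login, the server code path that follows only ever handles the derived value, which is the part of the concern about "passing the original secret around" that a patch like this can actually narrow; the credential still arrives in clear inside the SSL connection, so the config-level switch that allows or forbids plain-text logins remains the real control.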



_______________________________________________
os-libsynthesis mailing list
os-libsynthesis@synthesis.ch
http://lists.synthesis.ch/mailman/listinfo/os-libsynthesis