[MAGNOLIA-631] md5 password encryption Created: 10/Feb/06  Updated: 23/Jan/13  Resolved: 29/May/06

Status: Closed
Project: Magnolia
Component/s: None
Affects Version/s: None
Fix Version/s: 3.0 RC1

Type: Task Priority: Minor
Reporter: Sameer Charles Assignee: Sameer Charles
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

1. Implement on client - JavaScript (already on svn, needs to be tested)
2. Update Authenticator accordingly



 Comments   
Comment by Sameer Charles [ 26/May/06 ]

Done

  • Extracted MD5CallbackHandler and Base64CallbackHandler from CredentialsCallbackHandler

Comment by Fabrizio Giustina [ 28/May/06 ]

Hi Sameer,
after recent changes authentication stopped working totally for me...

I have currently fixed it by modifying part of the code and I am reopening this just for discussion, here are my thoughts:
md5 should IMHO never be calculated client-side (especially using javascript), a plain form should always work. It should also work without using the standard magnolia authentication module, which expected the password to be already hashed, while others usually don't (in order to protect the transmitted password users should use https, if this was your concern).
Md5 should be calculated on the authentication module, because only the authentication module can know how the server password is stored and how to compare them.

I have now removed the client-side javascript and updated authenticator accordingly, please check if everything is ok for you.
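
The point made in the comment above, as an added example that is not part of the original thread and is not Magnolia code: three hypothetical authentication modules with different password stores are each tried with a plain form submission and with a client-side MD5 submission. All class and function names and the sample credential are constructed for illustration.

```python
import hashlib
import hmac
import os

def md5_hex(text):
    """MD5 hex digest, as the removed client-side JavaScript would have sent it."""
    return hashlib.md5(text.encode()).hexdigest()

class PrehashedMd5Module:
    """Hypothetical module for the design before the fix: client must send MD5."""
    def __init__(self):
        self._store = {}
    def enroll(self, user, password):
        self._store[user] = md5_hex(password)
    def verify(self, user, submitted):
        stored = self._store.get(user)
        return stored is not None and hmac.compare_digest(
            submitted.encode(), stored.encode())

class ServerMd5Module(PrehashedMd5Module):
    """Same MD5 store, but the module hashes the plain-text submission itself."""
    def verify(self, user, submitted):
        return super().verify(user, md5_hex(submitted))

class SaltedPbkdf2Module:
    """Hypothetical third-party module: salted PBKDF2, a format no client can guess."""
    def __init__(self):
        self._store = {}
    def _derive(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    def enroll(self, user, password):
        salt = os.urandom(16)
        self._store[user] = (salt, self._derive(password, salt))
    def verify(self, user, submitted):
        if user not in self._store:
            return False
        salt, stored = self._store[user]
        return hmac.compare_digest(self._derive(submitted, salt), stored)

def login_matrix(password="s3cret-Pass"):  # constructed sample credential
    """Try a plain form and a client-hashed form against every module."""
    results = {}
    for module in (PrehashedMd5Module(), ServerMd5Module(), SaltedPbkdf2Module()):
        module.enroll("alice", password)
        results[type(module).__name__] = {
            "plain_form": module.verify("alice", password),
            "client_hashed": module.verify("alice", md5_hex(password)),
        }
    return results
```

Only the module that was written to expect a pre-hashed value accepts the client-hashed submission, while the plain form works with every module that does its own hashing.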

Comment by Sameer Charles [ 28/May/06 ]

You are right! I agree.
Haven't checked your changes yet but will do so on Monday.

  • Thanks

Comment by Sameer Charles [ 29/May/06 ]

Hi Fabrizio,

It's working; now I would like to clean up and replace the MD5 callback handler with a plain text callback handler.
Will update accordingly.

Comment by Sameer Charles [ 29/May/06 ]

Replaced MD5 callback handler with plain text, removed any MD5 encryption.
