bug CS-14663: accepting encoded password for MD5

Abhi 2012-04-28 12:36:48 +05:30
parent 2f001e6413
commit 13b927fb25
2 changed files with 4 additions and 6 deletions


@ -12,9 +12,6 @@
// Automatically generated by addcopyright.py at 04/03/2012
package com.cloud.server.auth;
import java.math.BigInteger;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Map;
import javax.ejb.Local;
@ -26,7 +23,6 @@ import com.cloud.server.ManagementServer;
import com.cloud.user.UserAccount;
import com.cloud.user.dao.UserAccountDao;
import com.cloud.utils.component.ComponentLocator;
import com.cloud.utils.exception.CloudRuntimeException;
/**
* Simple UserAuthenticator that performs a MD5 hash of the password before
@ -51,6 +47,7 @@ public class MD5UserAuthenticator extends DefaultUserAuthenticator {
return false;
}
/**
MessageDigest md5;
try {
md5 = MessageDigest.getInstance("MD5");
@ -68,12 +65,13 @@ public class MD5UserAuthenticator extends DefaultUserAuthenticator {
sb.append('0');
}
sb.append(pwStr);
**/
// Will: The MD5Authenticator is now a straight pass-through comparison of the
// the passwords because we will not assume that the password passed in has
// already been MD5 hashed. I am keeping the above code in case this requirement changes
// or people need examples of how to MD5 hash passwords in java.
if (!user.getPassword().equals(sb.toString())) {
if (!user.getPassword().equals(password)) {
s_logger.debug("Password does not match");
return false;
}
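Review bot: The check at the end of the last hunk, which appears to become `user.getPassword().equals(password)`, compares the client-supplied string directly with the stored value, so the stored MD5 digest is itself the credential: a leaked user table is enough to authenticate, and the hash no longer protects anything on the server. If pre-hashed input has to be accepted, the server should still apply its own salted, slow hash to what it receives before comparing. The comparison should also be constant-time (for example `MessageDigest.isEqual` over the two byte arrays, after a null check on `password`) rather than `String.equals`. The retained `// Will:` comment gives a rationale ("will not assume that the password passed in has already been MD5 hashed") that sits oddly with a commit titled "accepting encoded password"; it should say plainly that the caller is expected to send the digest, and the block wrapped in `/** … **/` would be better deleted than kept as dead code. The method begins outside the visible hunks, so how `password` reaches this point is not shown.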


@ -33,7 +33,7 @@ var ERROR_VMOPS_ACCOUNT_ERROR = 531;
// Default password is MD5 hashed. Set the following variable to false to disable this.
var md5Hashed = true;
var md5HashedLogin = false;
var md5HashedLogin = true;
//page size for API call (e.g."listXXXXXXX&pagesize=N" )
var pageSize = 20;
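Review bot: `md5HashedLogin` has no comment of its own, and the one above it describes only `md5Hashed`, so nothing tells a maintainer that this flag presumably has to agree with the server-side authenticator changed in the same commit. If the two drift apart, the server would compare a digest against a plaintext or the reverse, and every login would fail with no hint as to why. I would add something like `// md5HashedLogin: when true the login form sends the MD5 digest of the password; must match the server's UserAuthenticator`. Since the digest is then what travels on the wire and what the server accepts, it is also worth stating next to the flag that the login request must only go over TLS.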