[TYPO3-dev] Services architecture

Steffen Ritter info at rs-websystems.de
Thu Mar 24 09:24:25 CET 2011


On 24.03.2011 09:18, Helmut Hummel wrote:
> Hi Christian,
>
> On 24.03.11 07:06, Christian Lerrahn (Cerebrum) wrote:
>
>> Now, I was rather puzzled (and to be honest a bit shocked) when I found
>> out that rsaauth calls the basic authentication services again instead
>> of just exiting to pass the decrypted password down the chain. This
>> gets even worse when saltedpasswords duplicates rsaauth code to decrypt
>> the password before it checks it against the stored password hash.
>
> I totally agree with you, that this is a hack. Feel free to come up with
> a better working solution for TYPO3 4.6. I would highly appreciate that.
>
> Kind regards,
> Helmut
>
Hello,
currently the login data array is passed to the services by value, not by
reference. Therefore the changes made by rsaauth would not have been
available to later authServices.

If this is changed, what you proposed would easily be possible.
In my first implementation of saltedpasswords I proposed this
implementation change, which had been abandoned by Markus Krause because
he said it would be a potential security risk to store the decrypted
password back to a "public variable".

Anyway, changing this behaviour is not difficult - but it has to be allowed.

regards

Steffen
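
Added example, not part of the original message and not TYPO3 code: a PHP sketch of the by-value versus by-reference hand-off discussed above, and of where the decrypted password ends up afterwards. All function names and the `uname`/`uident` keys are assumptions for illustration; base64 stands in for the RSA step so the sketch runs without keys.

```php
<?php
// Illustration only: hypothetical names, not the TYPO3 service API.
// base64_decode() is a stand-in for the rsaauth decryption step.

function decryptByValue(array $loginData): void
{
    // PHP arrays have value semantics: this write changes a local copy only.
    $loginData['uident'] = base64_decode($loginData['uident']);
}

function decryptByReference(array &$loginData): void
{
    // Writes through to the caller's array, so later services see the result.
    $loginData['uident'] = base64_decode($loginData['uident']);
}

function checkPassword(array $loginData, string $storedHash): bool
{
    // Stand-in for a later service that compares against a stored hash.
    return password_verify($loginData['uident'], $storedHash);
}

// Constructed sample data.
$storedHash = password_hash('s3cret', PASSWORD_DEFAULT);
$submitted  = ['uname' => 'alice', 'uident' => base64_encode('s3cret')];

// By value: the later service still receives the encoded value.
$login = $submitted;
decryptByValue($login);
printf("by value, later service accepts: %s\n",
    var_export(checkPassword($login, $storedHash), true));

// By reference: the decrypted password travels down the chain.
$login = $submitted;
decryptByReference($login);
printf("by reference, later service accepts: %s\n",
    var_export(checkPassword($login, $storedHash), true));

// The concern raised in the thread: the cleartext now lives in the shared
// array for every later consumer until it is explicitly cleared.
printf("cleartext still in shared array: %s\n",
    var_export($login['uident'] === 's3cret', true));
unset($login['uident']);
printf("cleared after the chain: %s\n",
    var_export(!isset($login['uident']), true));
```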