[TYPO3-dev] Services architecture

Christian Lerrahn typo3 at penpal4u.net
Thu Mar 24 09:40:45 CET 2011


Hi Steffen,
On Thu, 24 Mar 2011 09:24:25 +0100
Steffen Ritter <info at rs-websystems.de> wrote:

> Am 24.03.2011 09:18, schrieb Helmut Hummel:
> > Hi Christian,
> >
> > On 24.03.11 07:06, Christian Lerrahn (Cerebrum) wrote:
> >
> >> Now, I was rather puzzled (and to be honest a bit shocked) when I
> >> found out that rsaauth calls the basic authentication services
> >> again instead of just exiting to pass the decrypted password down
> >> the chain. This gets even worse when saltedpasswords duplicates
> >> rsaauth code to decrypt the password before it checks it against
> >> the stored password hash.
> >
> > I totally agree with you, that this is a hack. Feel free to come up
> > with a better working solution for TYPO3 4.6. I would highly
> > appreciate that.
> >
> > Kind regards,
> > Helmut
> >
> Hello,
> currently the login data array is passed to the services by value, not
> by reference. Therefore the changes of rsaauth would not have been
> available to later authServices.

I noticed that. I believe this is actually what set me on the path of
finding out that things were not at all as I first imagined.

> If this is changed, what you proposed would easily be possible.
> In my first implementation of saltedpasswords I proposed this
> implementation change, which had been abandoned by Markus Krause
> because he said it would be a potential security risk to store the
> decrypted password back to a "public variable".
> 
> Anyway, changing this behaviour is not difficult, but it has to be
> allowed.

Well, I commented on that in my reply to Dmitry's post. I believe that
the increased security risk is negligible and the benefit of
transparency outweighs it very clearly. Again, I believe that if there
is a trust issue that deep down in the code, the install cannot be
considered secure any more, anyway.

Cheers,
Christian
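The by-value versus by-reference point discussed above, as an added illustration that is not TYPO3 code and not from any poster in this thread: a minimal auth-service chain in the spirit of rsaauth followed by saltedpasswords. Everything here is invented for the example (the `LoginDataProcessor` interface, the `RsaDecryptingProcessor` and `SaltedPasswordAuth` classes, the `runChain` dispatcher, and the `uname`/`uident` array keys); it assumes PHP 8 with the openssl extension. The only difference between the two runs at the bottom is whether the dispatcher hands each service the shared login data array or its own copy.

```php
<?php
declare(strict_types=1);

// Added illustration (not TYPO3 code): an auth-service chain where one
// service decrypts the submitted password. PHP arrays are copied when
// assigned or passed by value, so a later service only sees the decrypted
// value if the dispatcher passes the array by reference. All names below
// are invented for this example; assumes PHP 8 with the openssl extension.

interface LoginDataProcessor
{
    // Hypothetical pre-auth hook that may rewrite the submitted login data.
    // Declared by reference so a rewrite can be seen by later services.
    public function processLoginData(array &$loginData): bool;
}

// Stand-in for rsaauth: decrypts an RSA-encrypted password in place.
final class RsaDecryptingProcessor implements LoginDataProcessor
{
    public function __construct(private \OpenSSLAsymmetricKey $privateKey) {}

    public function processLoginData(array &$loginData): bool
    {
        $value = $loginData['uident'] ?? '';
        if (!str_starts_with($value, 'rsa:')) {
            return true; // not encrypted, leave it alone
        }
        $cipher = base64_decode(substr($value, 4), true);
        if ($cipher === false || !openssl_private_decrypt($cipher, $plain, $this->privateKey)) {
            return false; // malformed or undecryptable: refuse the login
        }
        $loginData['uident'] = $plain; // hand the plaintext down the chain
        return true;
    }
}

// Stand-in for saltedpasswords: only knows how to verify a stored hash.
final class SaltedPasswordAuth
{
    /** @param array<string,string> $hashes username => password_hash() output */
    public function __construct(private array $hashes) {}

    public function authenticate(array $loginData): bool
    {
        $hash = $this->hashes[$loginData['uname'] ?? ''] ?? null;
        return $hash !== null && password_verify($loginData['uident'] ?? '', $hash);
    }
}

/**
 * Hypothetical dispatcher for the chain. $byReference selects whether each
 * processor gets the shared array (edits propagate) or its own copy
 * (edits are lost before the next service runs).
 */
function runChain(array $processors, SaltedPasswordAuth $auth, array $loginData, bool $byReference): bool
{
    foreach ($processors as $processor) {
        if ($byReference) {
            $ok = $processor->processLoginData($loginData);
        } else {
            $copy = $loginData;                        // PHP arrays copy on assignment
            $ok = $processor->processLoginData($copy); // decrypted value stays in $copy
        }
        if (!$ok) {
            return false;
        }
    }
    return $auth->authenticate($loginData);
}

// Constructed sample login: the browser encrypted the password with the
// site's RSA public key, as rsaauth's JavaScript side would.
$key = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$publicPem = openssl_pkey_get_details($key)['key'];
$password = 'correct horse battery staple';
openssl_public_encrypt($password, $cipher, $publicPem);

$loginData = ['uname' => 'admin', 'uident' => 'rsa:' . base64_encode($cipher)];
$auth = new SaltedPasswordAuth(['admin' => password_hash($password, PASSWORD_DEFAULT)]);
$chain = [new RsaDecryptingProcessor($key)];

// By value: the hash check is handed the still-encrypted blob and rejects it,
// which is why a by-value chain forces saltedpasswords to decrypt on its own.
var_dump(runChain($chain, $auth, $loginData, false));
// By reference: the decrypted password reaches the hash check.
var_dump(runChain($chain, $auth, $loginData, true));
```

The trade-off the thread argues about is visible in `runChain`: with the shared array, the plaintext password lives in that array for the rest of the request, where every later service (and anything else holding a reference to it) can read it, which is the "public variable" risk Markus Krause is quoted as citing. With per-service copies the plaintext stays confined to the decrypting service, but then every consumer that needs it has to carry its own copy of the decryption code, which is the duplication Christian objects to.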
