[TYPO3-dev] Services architecture
Marcus Krause
marcus#exp2011 at t3sec.info
Sat Mar 26 13:42:08 CET 2011
Hi!
Helmut Hummel wrote on 03/24/2011 06:47 PM:
> Hi,
>
> But I also want to hear at least Marcus' statement on that, since he
> seemed to be the first one raising concerns in handing over the decrypted
> password to another part of the code.
Creation of EXT:saltedpasswords was years ago. I actually do not remember
why we did it the way it is now or if there was a conscious decision to
do it that way.
rsaauth is built as an authentication service (bringing RSA encryption
with it), not a general "secure data transfer service".
In regards to saltedpasswords:
It requires plain-text passwords to work with when authentication
starts. You obviously want to send them encrypted.
So this is why:
"Let's use the 'secure transfer' stuff from rsaauth and make a custom
authentication that's aware of salted passwords" and ...
"saltedpasswords" was born.
Reading the sentences above, I believe it's not saltedpasswords' task to
make decrypted credentials available to the rest of the authentication
service chain.
I believe we need to have a service that provides secure data transfer
(RSA) and then trigger the authentication service chain with decrypted
credentials.
Marcus.