Authentication bug?

Jos I. Boumans jos at
Wed Aug 6 17:26:50 UTC 2008


I was just changing a simple app to move away  
from ::Authen::AllowedUsers to
something that authenticates against one of our local systems, when i  
I could connect using *any* username, no matter how i  
configured ::Authen::AllowedUsers.

A bit of debugging shows that the callbacks in there never get  
called. This
looks to be due to me also using ::Authen::StaticPassword (same as  
the test
framework), which has a callback that does this:

   sub get_password {
       my ($self, $cb, %args) = @_;

Since the GetPassword callback is run before the CheckCleartext one,  
->set() is called before AllowedUsers (or any other user/password  
check for
that matter), which calls the following code in

     if ($can_get_password) {
         $vhost->run_hook_chain(phase => "GetPassword",
             args  => [ username => $username, conn => $conn ],
             methods => {
                 set => sub {
                     my (undef, $good_password) = @_;
                         if ($password && $password eq $good_password) {
                         } elsif ($digest) {
                             my $good_dig = lc(Digest::SHA1::sha1_hex 
($conn->{stream_id} . $good_password));
                             if ($good_dig eq $digest) {
                             } else {
                         } else {
             fallback => $reject

This means that any plugin that returns a password in the ->set()  
call will
stop any further username/password checks from being done.

Should this code be abstracted out of Should it go in
instead, so it can be overridden properly? Is it completely wrong and  
be thrown out?



   How do I prove I'm not crazy to people who are?

More information about the Djabberd mailing list