So if you set your password as blah and it gets hashed to xyz and stored
in the users table, then because of the plain text authenticator, you can
use that hashed value as your password now. So specifically, the below
will work:

http://localhost:8080/client/api?command=login&username=user&password=blah
http://localhost:8080/client/api?command=login&username=user&password=xyz

This seems bad. Go and try it yourself (just be careful about URL
encoding, + should be %2b). So because of the existence of the plain
text authenticator, passwords are still plain text but they just happen
to be long random strings. Typically in an auth system you store the
hashing type with the hashed value. So then the plain text
authenticator would not even attempt to compare values because it would
see the value was hashed by a different authenticator.
Darren
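
The behaviour described in the message above, next to the scheme-tagged storage it proposes, as an added example that is not part of the original message and is not CloudStack code. The function names, the "{SCHEME}value" record layout and the use of unsalted SHA-256 are assumptions chosen to keep the demonstration short.

```python
import hashlib
import hmac

# Constructed illustration: names and the "{SCHEME}value" layout are
# assumptions, not CloudStack's schema. Unsalted SHA-256 is used only to keep
# the demo short; real password storage needs a salted, slow KDF.

def sha256_hex(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()

def _eq(a: str, b: str) -> bool:
    # Constant-time comparison of two strings.
    return hmac.compare_digest(a.encode(), b.encode())

# --- Untagged storage: every authenticator compares against the same column.
def sha256_auth_untagged(stored: str, supplied: str) -> bool:
    return _eq(stored, sha256_hex(supplied))

def plaintext_auth_untagged(stored: str, supplied: str) -> bool:
    return _eq(stored, supplied)

def login_untagged(stored: str, supplied: str) -> bool:
    # The chain succeeds if any authenticator accepts, so the stored hash
    # itself is accepted by the plain text comparison.
    chain = (sha256_auth_untagged, plaintext_auth_untagged)
    return any(auth(stored, supplied) for auth in chain)

# --- Tagged storage: the record names the scheme that produced it, and only
# the authenticator for that scheme is allowed to compare.
def parse_tagged(stored: str):
    if stored.startswith("{") and "}" in stored:
        scheme, value = stored[1:].split("}", 1)
        return scheme, value
    return None, stored  # untagged value: no authenticator claims it

AUTHENTICATORS = {
    "SHA256": lambda value, supplied: _eq(value, sha256_hex(supplied)),
    "PLAIN": lambda value, supplied: _eq(value, supplied),
}

def login_tagged(stored: str, supplied: str) -> bool:
    scheme, value = parse_tagged(stored)
    check = AUTHENTICATORS.get(scheme)
    return check is not None and check(value, supplied)
```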