On Wed, Mar 20, 2013 at 8:34 PM, Chip Childers
<chip.child...@sungard.com> wrote:
> On Wed, Mar 20, 2013 at 11:26:50AM -0700, Vijayendra Bhamidipati wrote:
>> Hi Chip, Prasanna,
>>
>> Yes, the change is pretty straightforward, the reasoning is to make default 
>> password encoding more secure because the SHA256salted authenticator 
>> recently added by Hugo salts the passwords while the existing MD5 
>> authenticator doesn't, and is the default. This change gives the CS admin 
>> the flexibility to choose the ordering of the encoders/authenticators. No 
>> new authenticator/encoder classes needed to be added, the existing ones are 
>> simply used better.
>>
>> Upgrade scenarios were considered and these changes will have no effect on 
>> upgrades. Only new users and updated users will have their passwords encoded 
>> by the first valid encoder in the UserPasswordEncoder list. Existing users 
>> will still get authenticated as before since authentication passes through 
>> all the authenticators available in the UserAuthenticator list until one of 
>> them succeeds or all fail.
>>
>> Regards,
>> Vijay
>
> Does everyone believe that this is a valid change for 4.1?  Or should we
> wait for 4.2 or 4.1.1?
>

4.2
Review request is for master
Let's try and minimize change to 4.1 if at all possible.

--David
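
Added example, not part of the original thread and not CloudStack code: a minimal Python model of the ordering Vijay describes above, where new or updated passwords go through the first encoder in the list while authentication walks every authenticator until one succeeds. The class names and stored-hash formats are hypothetical.

```python
import hashlib
import hmac
import os

# Hypothetical stand-ins for the MD5 and SHA256salted authenticators;
# not CloudStack classes, and the stored formats are assumed.
class MD5Authenticator:
    def encode(self, password):
        return hashlib.md5(password.encode()).hexdigest()

    def authenticate(self, password, stored):
        return hmac.compare_digest(self.encode(password), stored)

class SHA256SaltedAuthenticator:
    def encode(self, password, salt=None):
        salt = salt or os.urandom(16).hex()
        digest = hashlib.sha256((salt + password).encode()).hexdigest()
        return salt + ":" + digest

    def authenticate(self, password, stored):
        salt, sep, _ = stored.partition(":")
        if not sep:  # not this encoder's format, e.g. a legacy MD5 hash
            return False
        return hmac.compare_digest(self.encode(password, salt), stored)

class AuthChain:
    def __init__(self, encoders, authenticators):
        self.encoders, self.authenticators = encoders, authenticators

    def encode(self, password):
        # New and updated passwords use the first encoder in the list.
        return self.encoders[0].encode(password)

    def authenticate(self, password, stored):
        # Try each authenticator in order until one succeeds or all fail.
        return any(a.authenticate(password, stored) for a in self.authenticators)

def demo():
    sha, md5 = SHA256SaltedAuthenticator(), MD5Authenticator()
    chain = AuthChain([sha, md5], [sha, md5])
    legacy = md5.encode("old-secret")   # constructed pre-change row
    fresh = chain.encode("new-secret")  # row written after the change
    return {
        "legacy_user_authenticates": chain.authenticate("old-secret", legacy),
        "new_user_authenticates": chain.authenticate("new-secret", fresh),
        "new_hash_is_salted": fresh != chain.encode("new-secret"),
        "wrong_password_rejected": not chain.authenticate("guess", legacy),
    }
```

In this model the legacy row stays an unsalted MD5 hash until that user's password is updated, which matches the statement that only new and updated users are re-encoded.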
