I have added support in 1.5.0 for SimpleAuthenticator for using hash-encoded passwords in server.xml, whereas previously it only supported hash-encoded passwords passed in to the BIND, and cleartext password in server.xml.
I'm happy to raise a JIRA and submit a patch / commit my change, but first I wanted to ask some questions:

1. Is the current hash-encode support designed to stop cleartext passwords being transmitted when LDAPS is not being used? If so, isn't the fact that the admin password is in cleartext in server.xml also a cause for concern?

2. My current implementation handles all four cases for BIND password (hash-encoded / cleartext) and server.xml password (hash-encoded / cleartext), where if both are in the same format then they are just compared literally. I'm a little uneasy about handling the hash-encoded v. hash-encoded case as a literal comparison, because then the hash effectively becomes the cleartext password. Does anyone have any opinions on whether I should explicitly exclude support for this case, and always fail authentication for it (my feeling is perhaps I should)?
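The four-way comparison described in the post, as an added illustration that is not the poster's patch or ApacheDS code. It assumes hash-encoded values use the RFC 2307-style `{SHA}` / `{SSHA}` prefix with base64 digest (and trailing salt for the salted schemes); the function names `parse_encoded`, `encode` and `verify` are invented for the example. The hashed-vs-hashed case is refused outright, for the reason the post gives: if a literal match were accepted, the stored hash would itself be a usable credential, so anyone who can read server.xml would not need the password at all.

```python
import base64
import binascii
import hashlib
import hmac
import os
import re

# RFC 2307-style scheme prefix, e.g. "{SHA}" or "{SSHA}".  Which schemes exist
# and how they are laid out is an assumption made for this example.
_SCHEME_RE = re.compile(r"^\{([A-Za-z0-9]+)\}(.*)$", re.DOTALL)
_DIGESTS = {"SHA": "sha1", "SSHA": "sha1", "MD5": "md5", "SMD5": "md5"}
_SALTED = {"SSHA", "SMD5"}


def parse_encoded(value: str):
    """Return (scheme, digest_bytes, salt_bytes) for a hash-encoded value,
    or None when the value is to be treated as cleartext."""
    m = _SCHEME_RE.match(value)
    if not m or m.group(1).upper() not in _DIGESTS:
        return None
    scheme = m.group(1).upper()
    try:
        raw = base64.b64decode(m.group(2), validate=True)
    except binascii.Error:
        return None  # looks like a prefix but is not a valid encoding: treat as cleartext
    size = hashlib.new(_DIGESTS[scheme]).digest_size
    if scheme in _SALTED:
        return scheme, raw[:size], raw[size:]
    return scheme, raw, b""


def encode(cleartext: str, scheme: str, salt: bytes = b"") -> str:
    """Hash-encode a cleartext password in the format parse_encoded expects."""
    scheme = scheme.upper()
    if scheme in _SALTED and not salt:
        salt = os.urandom(8)
    if scheme not in _SALTED:
        salt = b""
    digest = hashlib.new(_DIGESTS[scheme], cleartext.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))


def verify(stored: str, presented: str) -> bool:
    """Decide a simple bind for every stored/presented format combination.

    stored    - the password as configured (server.xml), cleartext or hash-encoded
    presented - the password sent in the BIND, cleartext or hash-encoded
    """
    s = parse_encoded(stored)
    p = parse_encoded(presented)

    if s is None and p is None:
        # cleartext vs cleartext: literal comparison, in constant time
        return hmac.compare_digest(stored.encode("utf-8"), presented.encode("utf-8"))

    if s is not None and p is None:
        # hash-encoded store, cleartext bind: the ordinary case
        scheme, digest, salt = s
        candidate = hashlib.new(_DIGESTS[scheme], presented.encode("utf-8") + salt).digest()
        return hmac.compare_digest(digest, candidate)

    if s is None and p is not None:
        # cleartext store, hash-encoded bind: hash the stored secret with the
        # scheme and salt the client used, then compare digests
        scheme, digest, salt = p
        candidate = hashlib.new(_DIGESTS[scheme], stored.encode("utf-8") + salt).digest()
        return hmac.compare_digest(digest, candidate)

    # both hash-encoded: a literal match would turn the stored hash into a
    # password-equivalent, so the bind is refused rather than compared
    return False


if __name__ == "__main__":
    configured = encode("constructed-example-secret", "SSHA")  # constructed sample value
    print(verify(configured, "constructed-example-secret"))    # True
    print(verify(configured, configured))                      # False: hash vs hash refused
```

The salted variant matters for the cleartext-store / hashed-bind case: the server can only reproduce the client's digest if the salt travels with it, which is what the trailing salt bytes in `{SSHA}` provide.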
