The custom authentication realm used by karaf-tomcat's "opendaylight" realm in Opendaylight before Helium SR3 will authenticate any username and password combination.Referenceshttp://www.openwall.com/lists/oss-security/2015/03/20/3http://www.securityfocus.com/bid/73255https://wiki.opendaylight.org/view/Security_Advisorieshttps://cloudrouter.org/security/
