Hi folks,

I've committed a good bit of code to trunk that allows for safe acquisition of a salt from AuthenticationInfo when hashing passwords. I also created a nice little RandomNumberGenerator abstraction which can be used for generating random (and secure) salts, initialization vectors, or any other type of cryptographic seed data. Shiro end-users can use this in their own apps for user-account salt creation. This is _much_ better and safer than using any account-related data (e.g. username or something else) as the salt.

Also, existing AuthenticationInfo implementations have been updated to support this. I've written a few test cases to verify that the new behavior works and that I've retained backwards compatibility (although it is highly recommended to use the new approach since user-submission-derived salts are dangerous). See the HashedCredentialsMatcherTest 'testSaltedAuthenticationInfo' test case to see a good/common example of how the new salt support would work in a typical application.

Anyway, feedback is welcome. If I don't hear anything, I'll resolve the issue and consider it finished for 1.1.

Here's the issue: https://issues.apache.org/jira/browse/SHIRO-186

Cheers,

--
Les Hazlewood
Founder, Katasoft, Inc.
Application Security Products & Professional Apache Shiro Support and Training: http://www.katasoft.com
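The pattern the post describes, as an added illustration that is not part of the original message and not Shiro's own code: the salt comes from a secure random generator at enrollment time, is stored next to the hash, and at verification time is read back from the stored record, never derived from anything the user submits. It uses only the JDK (SecureRandom, PBKDF2 via SecretKeyFactory, MessageDigest.isEqual) in place of Shiro's RandomNumberGenerator, AuthenticationInfo and HashedCredentialsMatcher; the StoredCredentials class, the enroll/verify method names and the iteration count are assumptions chosen for the example.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.security.spec.KeySpec;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/**
 * Stand-alone illustration of per-account random salts (not Shiro code).
 * The realm would return something like StoredCredentials as its
 * AuthenticationInfo; the matcher then pulls the salt from it.
 */
public final class SaltedPasswordExample {

    /** Hypothetical stored record: one row of a user-account table. */
    static final class StoredCredentials {
        final String username;
        final byte[] salt;       // random per account; stored in the clear beside the hash
        final byte[] hash;
        final int iterations;    // stored so it can be raised later without breaking old rows

        StoredCredentials(String username, byte[] salt, byte[] hash, int iterations) {
            this.username = username;
            this.salt = salt;
            this.hash = hash;
            this.iterations = iterations;
        }
    }

    private static final SecureRandom RNG = new SecureRandom(); // CSPRNG, like a secure RandomNumberGenerator
    private static final int SALT_BYTES = 16;                   // 128-bit salt
    private static final int ITERATIONS = 100_000;              // assumed work factor for this demo
    private static final int KEY_BITS = 256;

    /** Fresh random salt; nothing about the account (username, email, id) feeds into it. */
    static byte[] newSalt() {
        byte[] salt = new byte[SALT_BYTES];
        RNG.nextBytes(salt);
        return salt;
    }

    /** Salted, iterated hash (PBKDF2-HMAC-SHA256 from the JDK). */
    static byte[] hash(char[] password, byte[] salt, int iterations) {
        try {
            KeySpec spec = new PBEKeySpec(password, salt, iterations, KEY_BITS);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } catch (java.security.GeneralSecurityException e) {
            throw new IllegalStateException("PBKDF2WithHmacSHA256 unavailable", e);
        }
    }

    /** Enrollment: generate the salt here, once, and persist it with the hash. */
    static StoredCredentials enroll(String username, char[] password) {
        byte[] salt = newSalt();
        return new StoredCredentials(username, salt, hash(password, salt, ITERATIONS), ITERATIONS);
    }

    /**
     * Verification: the salt is taken from the stored record, never from the
     * submitted token, so a caller cannot influence which salt is applied.
     * MessageDigest.isEqual compares in constant time.
     */
    static boolean verify(StoredCredentials stored, char[] submitted) {
        byte[] candidate = hash(submitted, stored.salt, stored.iterations);
        return MessageDigest.isEqual(stored.hash, candidate);
    }

    private static String b64(byte[] b) {
        return Base64.getEncoder().encodeToString(b);
    }

    public static void main(String[] args) {
        // Constructed sample accounts: two users who happen to share a password.
        StoredCredentials alice = enroll("alice", "correct horse".toCharArray());
        StoredCredentials bob   = enroll("bob",   "correct horse".toCharArray());

        // Same password, different random salts, therefore different hashes:
        // a cracker cannot test one guess against both rows at once.
        System.out.println("alice salt=" + b64(alice.salt) + " hash=" + b64(alice.hash));
        System.out.println("bob   salt=" + b64(bob.salt)   + " hash=" + b64(bob.hash));
        System.out.println("hashes differ: " + !MessageDigest.isEqual(alice.hash, bob.hash));

        System.out.println("alice, right password:  " + verify(alice, "correct horse".toCharArray()));
        System.out.println("alice, wrong password:  " + verify(alice, "Correct horse".toCharArray()));
    }
}
```

Contrast this with a username-derived salt: the attacker knows that salt before any breach, so per-target precomputation is possible, and a username change silently invalidates the stored hash. With a stored random salt neither problem exists, which is why the realm, not the submitted token, should be the only source of the salt.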
