Hello all, I was beginning to port this PR: https://github.com/apache/shiro/pull/36
It is quite straightforward. I just got a single API question. I found that the decrypt method doesn't throw the cryptoException anymore. There are multiple ways to fix this: 1. Go ahead and document the new behaviour. Custom implementations of cipher might break or need adjustment. 2. Try to decrypt and wipe immediately. This will throw the exception as early as before, but now the cipher text is decrypted twice. 3. Drop the PR because of the breaking change. Maybe wiping deciphered text is not that important anymore? 4. Release as shiro 2.x I do not agree with both breaking changes and not wiping the array. Sonce most users do not implement custom ciphers, I'd go for option 1. Original issue: https://issues.apache.org/jira/plugins/servlet/mobile#issue/SHIRO-349 Best regards, Ben
