[
https://issues.apache.org/jira/browse/CODEC-182?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17869881#comment-17869881
]
Sebb commented on CODEC-182:
----------------------------
It does seem odd to insist on providing a prefix (albeit not yet validated)
when invoking a method that specifies the algorithm version in its name.
Would it make sense to allow the prefix to be omitted?
Then what about the rounds= qualifier? That would still need to be provided as
part of the salt.
I'm not sure it is possible to allow for a 'real salt' except by extending the
API.
> Allow real salts in Sha2Crypt
> -----------------------------
>
> Key: CODEC-182
> URL: https://issues.apache.org/jira/browse/CODEC-182
> Project: Commons Codec
> Issue Type: Bug
> Affects Versions: 1.9
> Reporter: Felix Kaser
> Priority: Minor
>
> The javadoc for all the methods in Sha2Crypt clearly states to pass a "real
> salt" in as parameter, without prefix and without "rounds=...". But the crypt
> method first of all checks if the salt matches a regex pattern, which
> requires it to contain at least a leading $5$ or $6$, possibly a rounds=...
> and then the real salt.
> Imho either the javadoc should be adapted to tell developers which salt to
> pass in, or the crypt method should match the salt after adding the prefix
> itself.
> I am new to the Apache Commons community, so please correct me if I'm totally
> wrong here.
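The salt layout discussed in this thread, as an added example that is not part of the original messages or of Commons Codec: a helper that wraps a real salt in the `$5$`/`$6$` prefix with an optional `rounds=` qualifier, and splits a prefixed salt back into its parts. The class name, the regex, and the 16-character and rounds limits (taken from the SHA-crypt specification) are assumptions, not the library's own code.

```java
import java.security.SecureRandom;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class Sha2SaltSpec {
    // Assumed pattern, modelled on the issue description: "$5$" or "$6$",
    // optional "rounds=N$", then the real salt (crypt alphabet, at most 16 chars).
    private static final Pattern FULL =
        Pattern.compile("^\\$([56])\\$(?:rounds=(\\d+)\\$)?([./0-9A-Za-z]{1,16})$");
    private static final Pattern REAL = Pattern.compile("^[./0-9A-Za-z]{1,16}$");
    private static final String ALPHABET =
        "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

    /** Wraps a real salt into the prefixed form; rounds == null omits "rounds=". */
    static String build(int variant, Integer rounds, String realSalt) {
        if (variant != 5 && variant != 6) throw new IllegalArgumentException("variant must be 5 or 6");
        if (!REAL.matcher(realSalt).matches()) throw new IllegalArgumentException("bad real salt");
        // The SHA-crypt spec clamps rounds to this range; this helper rejects instead.
        if (rounds != null && (rounds < 1000 || rounds > 999_999_999))
            throw new IllegalArgumentException("rounds out of range");
        return "$" + variant + "$" + (rounds == null ? "" : "rounds=" + rounds + "$") + realSalt;
    }

    /** Splits a prefixed salt into {variant, rounds or null, real salt}; null if no match. */
    static String[] parse(String salt) {
        Matcher m = FULL.matcher(salt);
        return m.matches() ? new String[] { m.group(1), m.group(2), m.group(3) } : null;
    }

    /** Generates a 16-character real salt from a CSPRNG (64 symbols, so no modulo bias). */
    static String randomRealSalt() {
        SecureRandom rng = new SecureRandom();
        StringBuilder sb = new StringBuilder(16);
        for (int i = 0; i < 16; i++) sb.append(ALPHABET.charAt(rng.nextInt(ALPHABET.length())));
        return sb.toString();
    }

    public static void main(String[] args) {
        String real = randomRealSalt();
        // A bare real salt has no prefix, so it does not match the prefixed pattern.
        System.out.println("bare salt accepted: " + (parse(real) != null));
        String full = build(6, 10000, real);   // prefix and rounds qualifier added for the caller
        System.out.println(String.join(" | ", parse(full)));
        String[] noRounds = parse(build(5, null, "abcDEF12"));   // constructed sample salt
        System.out.println(noRounds[0] + " " + noRounds[1] + " " + noRounds[2]);
    }
}
```

The string returned by `build` is the form the issue says the crypt method's regex check requires as its salt argument; `randomRealSalt` produces the "real salt" the javadoc describes.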