Hi Les,

This issue arose for me because of some weird UTF8 encoding/decoding transformation that was done in our pre-Shiro authentication implementation. I solved this backwards compatibility issue by including the UTF8 encoder/decoder from OpenJDK in my project and calling it for old passwords.

Anyway, it did get me thinking about UTF8... For "normal" passwords, such as those in low-order ASCII or common languages, I would expect the encoding to be stable between Java versions. It looks like there are some corner cases where a character encoding might change, so if someone specifies a password with one of these oddball cases, password matching will fail between Java versions. It seems safer to use UTF32 for all plain password to byte array conversions since it is a simpler transformation than UTF8. But that said, UTF8 seems like a reasonable implementation for 99.999% of use cases.

Best,
Dan
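The following is an added example, not part of the message above and not Shiro's code. It shows one way to make the password-to-bytes step fail loudly instead of depending on how an encoder substitutes input it cannot encode. The message does not say which corner cases are meant; the unpaired surrogate used here is an assumed instance, and the class name, method name and sample passwords are constructed for illustration.

```java
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.CharacterCodingException;
import java.nio.charset.Charset;
import java.nio.charset.CharsetEncoder;
import java.nio.charset.CodingErrorAction;
import java.util.Arrays;

// Hypothetical helper class, written for this example only.
public class StrictPasswordBytes {
    private static final Charset UTF8 = Charset.forName("UTF-8");

    /** Encodes a password to UTF-8 and throws rather than substituting bytes. */
    static byte[] strictUtf8(char[] password) throws CharacterCodingException {
        CharsetEncoder encoder = UTF8.newEncoder()
                .onMalformedInput(CodingErrorAction.REPORT)
                .onUnmappableCharacter(CodingErrorAction.REPORT);
        ByteBuffer buf = encoder.encode(CharBuffer.wrap(password));
        byte[] out = new byte[buf.remaining()];
        buf.get(out);
        if (buf.hasArray()) {
            Arrays.fill(buf.array(), (byte) 0); // wipe the encoder's working copy
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample passwords; the last ends in an unpaired high surrogate.
        String[] samples = {
            "correct horse", "p\u00e4ssw\u00f6rd", "\uD83D\uDD11key", "bad\uD800"
        };
        for (String s : samples) {
            // getBytes silently replaces anything it cannot encode.
            byte[] lenient = s.getBytes(UTF8);
            try {
                byte[] strict = strictUtf8(s.toCharArray());
                System.out.println(strict.length + " bytes, matches getBytes: "
                        + Arrays.equals(strict, lenient));
            } catch (CharacterCodingException e) {
                System.out.println("rejected (" + e.getClass().getSimpleName()
                        + "); getBytes would have hashed: " + Arrays.toString(lenient));
            }
        }
    }
}
```

Rejecting such input when the password is set keeps the stored hash independent of the encoder's replacement behaviour, so a later change in that behaviour cannot break matching for that account.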
