Hi list,

I'm in a dilemma on whether I should secure user credentials (at least the password) before sending them over HTTPS to a Shiro-protected REST API.

Am I wrong to assume that if I salt my password in the client and send it to the REST login, Shiro won't be able to check it against my database?

What would be your approach for a mobile client that needs to authenticate before any REST requests are made?

Cheers,
-- Paulo Pires
