A HashService is a general-purpose hashing mechanism for any type of data that needs to be hashed - files, strings, passwords, etc. The output of a HashService invocation is a Hash object, which wraps a byte array (aka the 'digest').

Password hashing builds upon general purpose hashing - not only does the password need to be hashed, but the resulting hash output is almost always encoded in a text format - typically Modular Crypt Format (MCF) - suitable for database storage. The password service should also know how to compare one of these stored MCF strings with a submitted raw password and indicate whether or not the submitted value is correct.

These two features are an extra layer of functionality 'on top of' general purpose hashing. This is why there are two separate concepts - password hashing should not be tightly coupled to general purpose hashing and vice versa.

If you look at the DefaultPasswordService implementation [1], you will see that it delegates to a HashService to do the hashing and then it delegates to a HashFormat instance to do the MCF-formatting.

This is a common theme in Shiro's design: lower-level functionality is built upon by layering in additional functionality (via OO Composition) to compose more and more capabilities.

I hope that helps!

Cheers,

Les

[1] https://svn.apache.org/repos/asf/shiro/branches/2.0-api-design-changes/core/src/main/java/org/apache/shiro/authc/credential/DefaultPasswordService.java

On Wed, Sep 9, 2015 at 6:42 AM, Sreyan Chakravarty <[email protected]> wrote:
>
> If there is already a Hash Service in Shiro then why is there a Password
> Service in Shiro? What is the reason for there to be two similar things
> there?
>
> What's the difference? Where would you use which?
>
> Regards
> Sreyan Chakravarty
>
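
The layering described in the reply above, shown as an added example that is not part of the original thread and not Shiro's own code. It assumes the Shiro 1.x API with shiro-core on the classpath; the class name, sample inputs, algorithm choices and iteration count are constructed for illustration.

```java
import org.apache.shiro.authc.credential.DefaultPasswordService;
import org.apache.shiro.crypto.hash.DefaultHashService;
import org.apache.shiro.crypto.hash.Hash;
import org.apache.shiro.crypto.hash.HashRequest;
import org.apache.shiro.crypto.hash.format.Shiro1CryptFormat;

public class HashVsPasswordService {   // hypothetical class name
    public static void main(String[] args) {
        // Layer 1: general-purpose hashing. Input is any data,
        // output is a Hash object wrapping the raw digest bytes.
        DefaultHashService fileHasher = new DefaultHashService();
        fileHasher.setHashAlgorithmName("SHA-256");
        Hash digest = fileHasher.computeHash(
                new HashRequest.Builder().setSource("any data, not a password").build());
        System.out.println(digest.getAlgorithmName() + " digest: " + digest.toHex());

        // Layer 2: password hashing composed from a HashService
        // (salted, iterated) plus a HashFormat (text encoding).
        DefaultHashService pwHasher = new DefaultHashService();
        pwHasher.setHashAlgorithmName("SHA-512");
        pwHasher.setHashIterations(500000);      // constructed sample work factor
        pwHasher.setGeneratePublicSalt(true);    // fresh random salt per password

        Shiro1CryptFormat format = new Shiro1CryptFormat();
        DefaultPasswordService passwords = new DefaultPasswordService();
        passwords.setHashService(pwHasher);
        passwords.setHashFormat(format);

        // The stored value is a text string, not raw bytes:
        // $shiro1$<algorithm>$<iterations>$<base64 salt>$<base64 digest>
        String stored = passwords.encryptPassword("constructed-sample-password");
        System.out.println("store in DB: " + stored);

        // The string carries everything needed to re-compute the hash,
        // so the comparison needs no separate salt or iteration columns.
        Hash parsed = format.parse(stored);
        System.out.println("algorithm=" + parsed.getAlgorithmName()
                + " iterations=" + parsed.getIterations()
                + " saltBytes=" + parsed.getSalt().getBytes().length);

        // The comparison feature that a plain HashService does not offer.
        System.out.println("correct password: "
                + passwords.passwordsMatch("constructed-sample-password", stored));
        System.out.println("wrong password:   "
                + passwords.passwordsMatch("wrong-guess", stored));
    }
}
```

Because the salt is random, the stored string differs on every run while `passwordsMatch` still returns true for the correct password and false for the wrong one.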
