You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@shiro.apache.org by "Maria Jurcovicova (JIRA)" <ji...@apache.org> on 2011/06/03 12:17:47 UTC
[jira] [Updated] (SHIRO-302) DefaultHasher does not generate random
salt
[ https://issues.apache.org/jira/browse/SHIRO-302?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Maria Jurcovicova updated SHIRO-302:
------------------------------------
Attachment: patch-defaulthasher.patch
Attached patch assignes generated salt to the variable:
if (publicSaltBytes == null) {
publicSaltBytes = getRandomNumberGenerator().nextBytes().getBytes();
}
It adds unit test too.
> DefaultHasher does not generate random salt
> -------------------------------------------
>
> Key: SHIRO-302
> URL: https://issues.apache.org/jira/browse/SHIRO-302
> Project: Shiro
> Issue Type: Bug
> Components: Cryptography & Hashing
> Reporter: Maria Jurcovicova
> Attachments: patch-defaulthasher.patch
>
> Original Estimate: 1h
> Remaining Estimate: 1h
>
> Extract from DefaultHasher javadoc: When a salt is not specified in a request, this implementation generates secure random salts via its {@link #setRandomNumberGenerator(org.apache.shiro.crypto.RandomNumberGenerator) randomNumberGenerator} property.
> Random salt is generated, but never assigned (line 155):
> if (publicSaltBytes == null) {
> getRandomNumberGenerator().nextBytes().getBytes();
> }
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira