Answered at more length in the issue, but tl;dr: if you use the Crypt class directly for other purposes, you are free to provide whatever you like as salt, but when using it for Password, the username should be used as the salt.
On 24 August 2017 at 04:22, Alvin Lin <[email protected]> wrote:

> From my code reading I see that
> org.eclipse.jetty.util.security.Password takes in 2 arguments, username
> (optional) and password. However, if I trace through the code, the
> username eventually becomes the salt (by taking the first 2 characters)
> for hashing the password.
>
> So I am wondering why org.eclipse.jetty.util.security.Password
> documents the first optional argument as "username"; why not just
> document it as "salt"? Should we pass in the username or can we pass in
> some random string?
>
> I asked the same question on GitHub:
> https://github.com/eclipse/jetty.project/issues/1762 but I thought
> asking this kind of question on the mailing list is probably more
> appropriate.
>
> Thanks,
> Alvin
> _______________________________________________
> jetty-users mailing list
> [email protected]
> To change your delivery options, retrieve your password, or unsubscribe
> from this list, visit
> https://dev.eclipse.org/mailman/listinfo/jetty-users

--
Greg Wilkins <[email protected]> CTO
http://webtide.com
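The behaviour discussed in this thread, as an added example that is not part of the original messages or of the Jetty project's code: it shows how the username reaches the CRYPT hash as a two-character salt, what that means for usernames sharing a prefix, and how the stored value is verified. It assumes jetty-util is on the classpath; the class name CryptSaltDemo, the usernames and the password are constructed for illustration.

```java
import org.eclipse.jetty.util.security.Credential;
import org.eclipse.jetty.util.security.UnixCrypt;

// Added example (not Jetty project code). Needs jetty-util on the classpath.
// Usernames and password are constructed sample values.
public class CryptSaltDemo {
    private static final String PREFIX = "CRYPT:";

    public static void main(String[] args) {
        String password = "s3cret";

        // Credential.Crypt.crypt(user, pw) hands the username to UnixCrypt
        // as the salt setting; UnixCrypt reads only its first two characters.
        String alice = Credential.Crypt.crypt("alice", password);
        String alan = Credential.Crypt.crypt("alan", password);
        String bob = Credential.Crypt.crypt("bob", password);

        System.out.println("alice -> " + alice);
        System.out.println("alan  -> " + alan);
        System.out.println("bob   -> " + bob);

        // The salt is stored in the clear as the first two characters
        // of the hash, right after the CRYPT: type prefix.
        String rawAlice = alice.substring(PREFIX.length());
        System.out.println("salt embedded in alice's hash: " + rawAlice.substring(0, 2));

        // "alice" and "alan" share the prefix "al", so with the same password
        // they are hashed under the same salt. "bob" is hashed under "bo".
        System.out.println("alice hash equals alan hash: " + alice.equals(alan));
        System.out.println("alice hash equals bob hash:  " + alice.equals(bob));

        // Using the crypt routine directly, the salt is whatever the caller
        // supplies; passing "al" reproduces the username-derived result.
        String direct = UnixCrypt.crypt(password, "al");
        System.out.println("direct crypt with salt \"al\" matches: " + rawAlice.equals(direct));

        // Verification needs only the stored string: the salt is recovered
        // from the hash itself, not from the username.
        Credential stored = Credential.getCredential(alice);
        System.out.println("correct password accepted: " + stored.check(password));
        System.out.println("wrong password accepted:   " + stored.check("not-the-password"));
    }
}
```

Because only two characters of the username act as salt, accounts whose names begin with the same two characters get no salt separation from each other under this scheme, which is worth checking when auditing a realm file that stores CRYPT: credentials.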
