This topic is closed

  • Why not move ignorePasswordCase from PlaintextPasswordEncoder to BasePasswordEncoder

    Many of our customers don't want their passwords to be case sensitive. Unfortunately, we use ShaPasswordEncoder and can't find an option to turn case sensitivity off. Then I saw ignorePasswordCase in PlaintextPasswordEncoder. I think it is better to put it in BasePasswordEncoder instead of PlaintextPasswordEncoder.
    And then doing a little work in MessageDigestPasswordEncoder.isPasswordValid to support the ignorePasswordCase feature will benefit people like us, although I think it is not so safe to ignore the password's case.

  • #2
    I don't think this makes sense. If you want to ignore the case of passwords, then you could convert them to a specific case before they are hashed (both when writing them to the database and when calculating the hash for validation).

    You generally can't do a case-insensitive validation of a password against a hash, though.


    • #3
      I think the problem is the case of the hash, and not the case of the password. I answered a question on this earlier this week.
      http://forum.springframework.org/showthread.php?t=45514

      Adding an option to uppercase the hash string wouldn't be the worst idea in the world :P

      Is that what you're asking, fireshort?

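The two points raised in replies #2 and #3, as an added example that is not code from the posters or from Spring Security: the password is case-folded before hashing at both storage and validation time, and the stored hex digest is decoded to bytes before comparison so that its letter case does not matter. The class and method names are hypothetical, SHA-1 is assumed only because the thread uses ShaPasswordEncoder, and the salt-prefix scheme is a placeholder rather than the library's own salt handling.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Locale;

public class CaseInsensitivePasswordDemo {

    // Fold case with a fixed locale so storage and validation agree whatever
    // the JVM default locale is (the Turkish dotless i is the classic trap).
    static String normalize(String rawPassword) {
        return rawPassword.toLowerCase(Locale.ROOT);
    }

    // Hash salt + normalized password. Placeholder salting, not the library's.
    static byte[] digest(String rawPassword, String salt) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-1");
        return md.digest((salt + normalize(rawPassword)).getBytes(StandardCharsets.UTF_8));
    }

    static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    // Integer.parseInt accepts both "ab" and "AB", so hex case is discarded here.
    static byte[] fromHex(String hex) {
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }

    // Compare digest bytes, not hex strings; MessageDigest.isEqual is constant-time.
    static boolean isPasswordValid(String storedHex, String rawPassword, String salt)
            throws NoSuchAlgorithmException {
        return MessageDigest.isEqual(fromHex(storedHex), digest(rawPassword, salt));
    }

    public static void main(String[] args) throws Exception {
        String salt = "constructed-salt";                    // constructed sample values
        String stored = toHex(digest("S3cretPass", salt));   // what would be written to the database
        System.out.println(isPasswordValid(stored, "s3CRETpass", salt));                         // password case differs
        System.out.println(isPasswordValid(stored.toUpperCase(Locale.ROOT), "S3cretPass", salt)); // hash case differs
        System.out.println(isPasswordValid(stored, "S3cretPas5", salt));                         // wrong password
    }
}
```

Existing hashes computed from mixed-case passwords will not validate after such a change, because the original input cannot be recovered from the hash to re-normalize it.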