Oct 30th, 2007, 02:18 AM
Why not move ignorePasswordCase from PlaintextPasswordEncoder to BasePasswordEncoder
Many of our customers don't want their passwords to be case sensitive. Unfortunately, we use ShaPasswordEncoder and can't find an option to turn case off. Then I saw ignorePasswordCase in PlaintextPasswordEncoder. I think it is better to put it in BasePasswordEncoder instead of PlaintextPasswordEncoder.
And then doing a little work in MessageDigestPasswordEncoder.isPasswordValid to support the ignorePasswordCase feature will benefit people like us, although I think it is not so safe to ignore the password's case.
Oct 30th, 2007, 07:47 AM
I don't think this makes sense. If you want to ignore the case of passwords, then you could convert them to a specific case before they are hashed (both when writing them to the database and when calculating the hash for validation).
You generally can't do a case-insensitive validation of a password against a hash, though.
Oct 31st, 2007, 05:12 PM
I think the problem is the case of the hash, and not the case of the password. I answered a question on this earlier this week.
Adding an option to uppercase the hash string wouldn't be the worst idea in the world :P
Is that what you're asking, fireshort?
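The two suggestions in the replies above (fold the password to one case before hashing, at both write and validation time, and do not let the case of the hex hash string affect the comparison) can be sketched as follows. This is an added example, not code from the thread or from Acegi Security: the class and method names are hypothetical, salted SHA-256 with a `salt:password` layout is an assumption, and `HexFormat` requires Java 17 or later.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HexFormat;
import java.util.Locale;

public class CaseFoldedPasswordDemo {

    // Fold case with a fixed locale so the result does not depend on the
    // server's default locale (e.g. Turkish dotted/dotless i).
    static String normalize(String rawPassword) {
        return rawPassword.toLowerCase(Locale.ROOT);
    }

    // Assumed layout for the example: SHA-256 over "salt:password".
    static byte[] digest(String password, String salt) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        return md.digest((salt + ":" + password).getBytes(StandardCharsets.UTF_8));
    }

    // Value written to the database: hex of the hash of the case-folded password.
    static String encode(String rawPassword, String salt) throws NoSuchAlgorithmException {
        return HexFormat.of().formatHex(digest(normalize(rawPassword), salt));
    }

    // Validation applies the same folding, then compares raw digest bytes.
    // parseHex accepts upper- and lower-case hex digits, so the case of the
    // stored hash string is irrelevant; isEqual compares in constant time.
    static boolean isValid(String storedHex, String rawPassword, String salt)
            throws NoSuchAlgorithmException {
        byte[] stored = HexFormat.of().parseHex(storedHex);
        byte[] candidate = digest(normalize(rawPassword), salt);
        return MessageDigest.isEqual(stored, candidate);
    }

    public static void main(String[] args) throws Exception {
        String salt = "constructed-salt";              // constructed sample value
        String stored = encode("S3cret-Pass", salt);   // constructed sample password

        // Same password typed with different letter case.
        System.out.println("case-varied password: " + isValid(stored, "s3CRET-pass", salt));
        // Same password, stored hash string upper-cased (e.g. by another tool).
        System.out.println("upper-case hex hash:  "
                + isValid(stored.toUpperCase(Locale.ROOT), "S3cret-Pass", salt));
        // A hash written before folding was introduced, over the original-case password.
        String legacy = HexFormat.of().formatHex(digest("S3cret-Pass", salt));
        System.out.println("pre-folding hash:     " + isValid(legacy, "S3cret-Pass", salt));
    }
}
```

Hashes stored before the folding step was introduced cannot be matched case-insensitively and have to be regenerated, for example at the user's next successful login or password reset.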