Details
-
Bug
-
Status: Closed
-
Major
-
Resolution: Fixed
-
None
-
None
Description
Extract from DefaultHasher javadoc: When a salt is not specified in a request, this implementation generates secure random salts via its
{@link #setRandomNumberGenerator(org.apache.shiro.crypto.RandomNumberGenerator) randomNumberGenerator}property.
Random salt is generated, but never assigned (line 155):
if (publicSaltBytes == null)