I recently had to implement a User class that had to have its password hashed with Apache's APR variation of MD5. It should have been an easy job where I just override a hashing function and change the length of the salt from 16 to 8 characters. Instead I had to copy-paste the source code of MappedPassword and rewrite bits because:
1. there is no overridable function that calculates the hash from a password and salt. Instead hash("{"+value+"} salt={"+salt_i.get+"}") is used in multiple places.
2. salt_i is a private field that is not initialised from a function and is used all over the place.
For future extendibility I suggest that hashing is done by a protected overridable method and that salt_i is either made protected or is initialised from an overridable function.
Do you think that this makes sense? If yes, I'm more than happy to open a ticket and/or provide a possible implementation diff.
Cristian
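
The two extension points requested above, shown with an APR1-MD5 subclass. This is an added example, not code from the post or from Lift: it is written in Python so that it runs stand-alone, the class and method names are hypothetical, and the SHA-1 default is only a stand-in that reuses the post's input format.

```python
import hashlib
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

class SaltedPassword:
    """Hypothetical base type: salt_length and hash() are the override points."""
    salt_length = 16

    def new_salt(self):
        return "".join(secrets.choice(ITOA64) for _ in range(self.salt_length))

    def hash(self, password, salt):
        # Stand-in default; the input is formatted like the post's hash(...) call.
        return hashlib.sha1(("{%s} salt={%s}" % (password, salt)).encode()).hexdigest()

    def set(self, password):
        self.salt = self.new_salt()
        self.stored = self.hash(password, self.salt)

    def matches(self, candidate):
        return secrets.compare_digest(self.hash(candidate, self.salt), self.stored)

class Apr1Password(SaltedPassword):
    """Apache APR1-MD5 ($apr1$): 8-character salt, 1000 MD5 rounds."""
    salt_length = 8

    def hash(self, password, salt):
        pw, s = password.encode(), salt.encode()[:8]
        alt = hashlib.md5(pw + s + pw).digest()
        ctx = pw + b"$apr1$" + s
        ctx += (alt * (len(pw) // 16 + 1))[:len(pw)]  # len(pw) bytes of alt
        n = len(pw)
        while n:  # one byte per bit of the password length
            ctx += b"\0" if n & 1 else pw[:1]
            n >>= 1
        final = hashlib.md5(ctx).digest()
        for i in range(1000):
            c = pw if i & 1 else final
            if i % 3:
                c += s
            if i % 7:
                c += pw
            final = hashlib.md5(c + (final if i & 1 else pw)).digest()
        groups = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
        vals = [(final[a] << 16 | final[b] << 8 | final[c], 4) for a, b, c in groups] + [(final[11], 2)]
        out = "".join(ITOA64[(v >> 6 * k) & 0x3F] for v, n in vals for k in range(n))
        return "$apr1$%s$%s" % (s.decode(), out)
```

APR1-MD5 appears here only because the post needs compatibility with it; a stronger password hash would plug into the same two override points.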