HashedCredentialsMatcher.getSalt

Returns a salt value used to hash the token's credentials.

This default implementation merely returns {@code token.getPrincipal()}, effectively using the user's identity (username, user id, etc.) as the salt, a very common technique. If you wish to provide the authentication token's salt another way, you may override this method.

@param token the AuthenticationToken submitted during the authentication attempt.

@return a salt value to use to hash the authentication token's credentials.

Deprecated: since Shiro 1.1. Hash salting is now expected to be based on whether the {@link AuthenticationInfo} returned from the {@code Realm} is a {@link SaltedAuthenticationInfo} instance and its {@link hunt.shiro.authc.SaltedAuthenticationInfo#getCredentialsSalt() getCredentialsSalt()} method returns a non-null value. This method and the 1.0 behavior still exist for backwards compatibility if the {@code Realm} does not return {@code SaltedAuthenticationInfo} instances, but <b>it is highly recommended that {@code Realm} implementations that support hashed credentials start returning {@link SaltedAuthenticationInfo SaltedAuthenticationInfo} instances as soon as possible</b>.

This is because salts should always be obtained from the stored account information and never be derived from user/Subject-entered data. User-entered data is easier for attackers to predict, whereas account-unique (and securely randomly-generated) salts that are never disseminated to the end user are far harder to attack. This method will be removed in Shiro 2.0.
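The distinction the deprecation note draws is easiest to see side by side. The following is an added, self-contained Python model of the two salting strategies; it is not hunt-shiro or Apache Shiro code, and the class names, the {@code get_salt} / {@code credentials_match} methods, the PBKDF2 parameters and the sample accounts are all assumptions chosen for illustration. It shows that with principal-derived salts two accounts sharing a username and password produce identical hashes (so one precomputed table serves every deployment), while per-account random salts stored with the hash make every stored hash unique, even for identical passwords.

```python
import hashlib
import hmac
import os

# Illustrative work factor only (assumption); production values should be higher.
HASH_ITERATIONS = 10_000


def hash_credentials(password: bytes, salt: bytes) -> bytes:
    """Hash a password with the given salt using PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, HASH_ITERATIONS)


class UsernamePasswordToken:
    """Models the token submitted by the user during authentication."""
    def __init__(self, principal: str, credentials: bytes):
        self.principal = principal          # username entered by the user
        self.credentials = credentials      # password bytes entered by the user


class AuthenticationInfo:
    """Models stored account data without a stored salt (Shiro 1.0 style)."""
    def __init__(self, principal: str, hashed_credentials: bytes):
        self.principal = principal
        self.hashed_credentials = hashed_credentials


class SaltedAuthenticationInfo(AuthenticationInfo):
    """Models stored account data that carries its own per-account salt (1.1+ style)."""
    def __init__(self, principal: str, hashed_credentials: bytes, credentials_salt: bytes):
        super().__init__(principal, hashed_credentials)
        self.credentials_salt = credentials_salt


class HashedCredentialsMatcher:
    """Model of the matcher: prefers the stored salt, falls back to the principal."""

    def get_salt(self, token: UsernamePasswordToken) -> bytes:
        # Legacy 1.0 behaviour: salt derived from user-entered identity.
        return token.principal.encode("utf-8")

    def credentials_match(self, token: UsernamePasswordToken, info: AuthenticationInfo) -> bool:
        if isinstance(info, SaltedAuthenticationInfo) and info.credentials_salt is not None:
            salt = info.credentials_salt        # salt from stored account information
        else:
            salt = self.get_salt(token)         # deprecated fallback path
        candidate = hash_credentials(token.credentials, salt)
        # Constant-time comparison avoids leaking hash prefix matches via timing.
        return hmac.compare_digest(candidate, info.hashed_credentials)


def create_legacy_account(username: str, password: bytes) -> AuthenticationInfo:
    """Account created the deprecated way: salt is the username itself."""
    return AuthenticationInfo(username, hash_credentials(password, username.encode("utf-8")))


def create_salted_account(username: str, password: bytes) -> SaltedAuthenticationInfo:
    """Account created the recommended way: fresh random salt stored with the hash."""
    salt = os.urandom(16)
    return SaltedAuthenticationInfo(username, hash_credentials(password, salt), salt)


def compare_strategies(username: str, password: bytes) -> dict:
    """Create the same user twice under each strategy and report what an attacker sees."""
    legacy_a = create_legacy_account(username, password)
    legacy_b = create_legacy_account(username, password)
    salted_a = create_salted_account(username, password)
    salted_b = create_salted_account(username, password)
    return {
        # Same username + password under legacy salting => identical stored hashes.
        "legacy_hashes_identical": legacy_a.hashed_credentials == legacy_b.hashed_credentials,
        # Random per-account salts => different stored hashes for the same secret.
        "salted_hashes_identical": salted_a.hashed_credentials == salted_b.hashed_credentials,
        # An attacker who knows the username already knows the legacy salt.
        "legacy_salt_known_from_username": legacy_a.principal.encode("utf-8") == username.encode("utf-8"),
    }


if __name__ == "__main__":
    # Constructed sample data.
    print(compare_strategies("alice", b"correct horse battery staple"))
```

Both strategies verify a correct password and reject a wrong one; the difference is only in what an attacker holding a copy of the account store can precompute, which is why the note above tells Realms to return the salt from stored account data.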

class HashedCredentialsMatcher

protected deprecated string getSalt(AuthenticationToken token)
