Hello,
Ch. 8, p. 287 states:
? hashAlgorithm: The name of the java.security.MessageDigest algorithm to use to hash the password.
There is no default so this option must be specified to enable hashing. When hashAlgorithm is specified, the
clear text password obtained from the callbackhandler is hashed before it is passed to UsernamePasswordLoginModule.
validatePassword as the inputPassword argument. The expectedPassword as obtained from the database must be comparably hashed.
1. depends on the security providers installed in the jdk.
2. other than ignoring case what is there to change in the comparision?