Rudy De Busscher
Copied some parts out of the other thread as it becomes too unreadable.
The parameters are required. If the PasswordHash interface doesn't have methods with the parameters passed along, there is no implementation ever that can use them!
I would also consider removing SHA1. Just like MD5, it is no longer considered really safe.
But it needs to be usable. Otherwise, it is better to deliver nothing than something which isn't working properly and usable!
If the perception of the Java EE security API is not good during the first months, it will never be used by anyone, even if we come up with a better version later on.
Sorry to be this hard, but that is the truth.
A small detail about the code: I would make it more Java 8-like (with diamond operator, foreach method, ...).
If you like, I can make a PR for that.