Package org.springframework.security.crypto.password

Class Pbkdf2PasswordEncoder

java.lang.Object

org.springframework.security.crypto.password.AbstractValidatingPasswordEncoder

org.springframework.security.crypto.password.Pbkdf2PasswordEncoder

All Implemented Interfaces:

PasswordEncoder

public class Pbkdf2PasswordEncoder
extends AbstractValidatingPasswordEncoder

A PasswordEncoder implementation that uses PBKDF2 with :

• a configurable random salt value length (default is 16 bytes)
• a configurable number of iterations (default is 310000)
• a configurable key derivation function (see Pbkdf2PasswordEncoder.SecretKeyFactoryAlgorithm)
• a configurable secret appended to the random salt (default is empty)

The algorithm is invoked on the concatenated bytes of the salt, secret and password.

Since:

4.1

Nested Class Summary

Nested Classes

Modifier and Type	Class	Description
static enum	Pbkdf2PasswordEncoder.SecretKeyFactoryAlgorithm	The Algorithm used for creating the SecretKeyFactory

Constructor Summary

Constructors

Constructor	Description
Pbkdf2PasswordEncoder(CharSequence secret, int saltLength, int iterations, int hashWidth)	Deprecated. Use Pbkdf2PasswordEncoder(CharSequence, int, int, SecretKeyFactoryAlgorithm) instead
Pbkdf2PasswordEncoder(CharSequence secret, int saltLength, int iterations, Pbkdf2PasswordEncoder.SecretKeyFactoryAlgorithm secretKeyFactoryAlgorithm)	Constructs a PBKDF2 password encoder with a secret value as well as salt length, iterations and algorithm.

Method Summary

Modifier and Type	Method	Description
static Pbkdf2PasswordEncoder	defaultsForSpringSecurity_v5_5()	Deprecated. Use defaultsForSpringSecurity_v5_8() instead
static Pbkdf2PasswordEncoder	defaultsForSpringSecurity_v5_8()	Constructs a PBKDF2 password encoder with no additional secret value.
protected String	encodeNonNullPassword(String rawPassword)
protected boolean	matchesNonNull(String rawPassword, String encodedPassword)
void	setAlgorithm(Pbkdf2PasswordEncoder.SecretKeyFactoryAlgorithm secretKeyFactoryAlgorithm)	Sets the algorithm to use.
void	setEncodeHashAsBase64(boolean encodeHashAsBase64)	Sets if the resulting hash should be encoded as Base64.

Methods inherited from class org.springframework.security.crypto.password.AbstractValidatingPasswordEncoder

encode, matches, upgradeEncoding, upgradeEncodingNonNull

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Details

Pbkdf2PasswordEncoder

@Deprecated
public Pbkdf2PasswordEncoder(CharSequence secret,
 int saltLength,
 int iterations,
 int hashWidth)

Deprecated.

Use Pbkdf2PasswordEncoder(CharSequence, int, int, SecretKeyFactoryAlgorithm) instead

Constructs a PBKDF2 password encoder with a secret value as well as salt length, iterations and hash width.

Parameters:

secret - the secret

saltLength - the salt length (in bytes)

iterations - the number of iterations. Users should aim for taking about .5 seconds on their own system.

hashWidth - the size of the hash (in bits)

Since:

5.5

Pbkdf2PasswordEncoder

public Pbkdf2PasswordEncoder(CharSequence secret,
 int saltLength,
 int iterations,
 Pbkdf2PasswordEncoder.SecretKeyFactoryAlgorithm secretKeyFactoryAlgorithm)

Constructs a PBKDF2 password encoder with a secret value as well as salt length, iterations and algorithm.

Parameters:

secret - the secret

saltLength - the salt length (in bytes)

iterations - the number of iterations. Users should aim for taking about .5 seconds on their own system.

secretKeyFactoryAlgorithm - the algorithm to use

Since:

5.8

Method Details

defaultsForSpringSecurity_v5_5

@Deprecated
public static Pbkdf2PasswordEncoder defaultsForSpringSecurity_v5_5()

Deprecated.

Use defaultsForSpringSecurity_v5_8() instead

Constructs a PBKDF2 password encoder with no additional secret value. There will be a salt length of 8 bytes, 185,000 iterations, SHA-1 algorithm and a hash length of 256 bits. The default is based upon aiming for .5 seconds to validate the password when this class was added. Users should tune password verification to their own systems.

Returns:

the Pbkdf2PasswordEncoder

Since:

5.8

defaultsForSpringSecurity_v5_8

public static Pbkdf2PasswordEncoder defaultsForSpringSecurity_v5_8()

Constructs a PBKDF2 password encoder with no additional secret value. There will be a salt length of 16 bytes, 310,000 iterations, SHA-256 algorithm and a hash length of 256 bits. The default is based upon aiming for .5 seconds to validate the password when this class was added. Users should tune password verification to their own systems.

Returns:

the Pbkdf2PasswordEncoder

Since:

5.8

setAlgorithm

public void setAlgorithm(Pbkdf2PasswordEncoder.SecretKeyFactoryAlgorithm secretKeyFactoryAlgorithm)

Sets the algorithm to use. See SecretKeyFactory Algorithms

Parameters:

secretKeyFactoryAlgorithm - the algorithm to use (i.e. SecretKeyFactoryAlgorithm.PBKDF2WithHmacSHA1, SecretKeyFactoryAlgorithm.PBKDF2WithHmacSHA256, SecretKeyFactoryAlgorithm.PBKDF2WithHmacSHA512)

Since:

5.0

setEncodeHashAsBase64

public void setEncodeHashAsBase64(boolean encodeHashAsBase64)

Sets if the resulting hash should be encoded as Base64. The default is false which means it will be encoded in Hex.

Parameters:

encodeHashAsBase64 - true if encode as Base64, false if should use Hex (default)

encodeNonNullPassword

protected String encodeNonNullPassword(String rawPassword)

Specified by:

encodeNonNullPassword in class AbstractValidatingPasswordEncoder

matchesNonNull

protected boolean matchesNonNull(String rawPassword,
 String encodedPassword)

Specified by:

matchesNonNull in class AbstractValidatingPasswordEncoder