org.springframework.security.crypto.argon2

Class Argon2PasswordEncoder

java.lang.Object

org.springframework.security.crypto.argon2.Argon2PasswordEncoder

All Implemented Interfaces:

PasswordEncoder

public class Argon2PasswordEncoder
extends java.lang.Object
implements PasswordEncoder

Implementation of PasswordEncoder that uses the Argon2 hashing function. Clients can optionally supply the length of the salt to use, the length of the generated hash, a cpu cost parameter, a memory cost parameter and a parallelization parameter.

Note:

The currently implementation uses Bouncy castle which does not exploit parallelism/optimizations that password crackers will, so there is an unnecessary asymmetry between attacker and defender.

Since:

5.3

Constructor Summary

Constructors

Constructor and Description
Argon2PasswordEncoder()
Argon2PasswordEncoder(int saltLength, int hashLength, int parallelism, int memory, int iterations)

Method Summary

Modifier and Type	Method and Description
java.lang.String	encode(java.lang.CharSequence rawPassword) Encode the raw password.
boolean	matches(java.lang.CharSequence rawPassword, java.lang.String encodedPassword) Verify the encoded password obtained from storage matches the submitted raw password after it too is encoded.
boolean	upgradeEncoding(java.lang.String encodedPassword) Returns true if the encoded password should be encoded again for better security, else false.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

Argon2PasswordEncoder

public Argon2PasswordEncoder(int saltLength,
                             int hashLength,
                             int parallelism,
                             int memory,
                             int iterations)

Argon2PasswordEncoder

public Argon2PasswordEncoder()

Method Detail

encode

public java.lang.String encode(java.lang.CharSequence rawPassword)

Description copied from interface: PasswordEncoder

Encode the raw password. Generally, a good encoding algorithm applies a SHA-1 or greater hash combined with an 8-byte or greater randomly generated salt.

Specified by:

encode in interface PasswordEncoder

matches

public boolean matches(java.lang.CharSequence rawPassword,
                       java.lang.String encodedPassword)

Description copied from interface: PasswordEncoder

Verify the encoded password obtained from storage matches the submitted raw password after it too is encoded. Returns true if the passwords match, false if they do not. The stored password itself is never decoded.

Specified by:

matches in interface PasswordEncoder

Parameters:

rawPassword - the raw password to encode and match

encodedPassword - the encoded password from storage to compare with

Returns:

true if the raw password, after encoding, matches the encoded password from storage

upgradeEncoding

public boolean upgradeEncoding(java.lang.String encodedPassword)

Description copied from interface: PasswordEncoder

Returns true if the encoded password should be encoded again for better security, else false. The default implementation always returns false.

Specified by:

upgradeEncoding in interface PasswordEncoder

Parameters:

encodedPassword - the encoded password to check

Returns:

true if the encoded password should be encoded again for better security, else false.