Class MessageDigestPasswordEncoder

  • All Implemented Interfaces:
    PasswordEncoder

    @Deprecated
    public class MessageDigestPasswordEncoder
    extends java.lang.Object
    implements PasswordEncoder
    Deprecated.
    Digest based password encoding is not considered secure. Instead use an adaptive one way function like BCryptPasswordEncoder, Pbkdf2PasswordEncoder, or SCryptPasswordEncoder. Even better use DelegatingPasswordEncoder which supports password upgrades. There are no plans to remove this support. It is deprecated to indicate that this is a legacy implementation and using it is considered insecure.
    This PasswordEncoder is provided for legacy purposes only and is not considered secure. It encodes passwords using the passed-in MessageDigest. The general format of the encoded password is:
     s = salt == null ? "" : "{" + salt + "}"
     s + digest(password + s)
     
    where "salt" is the salt, digest is the digest method and password is the actual password. For example, when using MD5, a password of "password" and a salt of "thisissalt":
     String s = salt == null ? "" : "{" + salt + "}";
     s + md5(password + s)
     "{thisissalt}" + md5(password + "{thisissalt}")
     "{thisissalt}2a4e7104c2780098f50ed5a84bb2323d"
     
    If the salt does not exist, then omit "{salt}" like this:
     digest(password)
     
    If the salt is an empty String, then only use "{}" like this:
     "{}" + digest(password + "{}")
     
    The format is intended to be compatible with the DigestPasswordEncoder found in the Spring Security core module. However, existing passwords must be migrated so that any salt is stored together with the password, because this API supplies the salt internally rather than making it the responsibility of the user. To migrate passwords from a SaltSource, use the following:
     // SaltSource.getSalt(UserDetails) returns Object; it is null when no salt was used
     Object salt = saltSource.getSalt(user);
     // No salt: keep the bare digest (not the string "null"); otherwise prefix "{salt}"
     String s = salt == null ? "" : "{" + salt + "}";
     String migratedPassword = s + user.getPassword();
     
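    The encoding, verification and SaltSource migration described above, as an added Python example that is not Spring Security's own code; it assumes that iteration stretching re-digests the raw digest bytes and that password and salt are digested as UTF-8:

```python
import base64
import hashlib
import hmac
from typing import Optional

# Added example, not Spring Security's own code: a reimplementation of the
# documented "{salt}" + digest(password + "{salt}") format, with the
# iteration "stretching" and the SaltSource migration described on the page.
# Assumptions not stated on the page: stretching re-digests the raw digest
# bytes, and the password and salt are digested as UTF-8.

def _digest(data: bytes, algorithm: str, iterations: int) -> bytes:
    """Apply the named MessageDigest algorithm `iterations` times."""
    if iterations < 1:
        raise ValueError("iterations must be >= 1")
    for _ in range(iterations):
        data = hashlib.new(algorithm, data).digest()
    return data

def encode_with_salt(password: str, salt: Optional[str], algorithm: str = "md5",
                     iterations: int = 1, as_base64: bool = False) -> str:
    """Return "{salt}" + digest(password + "{salt}"); no braces when salt is None."""
    s = "" if salt is None else "{" + salt + "}"
    raw = _digest((password + s).encode("utf-8"), algorithm, iterations)
    encoded = base64.b64encode(raw).decode("ascii") if as_base64 else raw.hex()
    return s + encoded

def extract_salt(encoded: str) -> Optional[str]:
    """Salt inside a leading "{...}" ("" for "{}"), or None when there is none."""
    if not encoded.startswith("{") or "}" not in encoded:
        return None
    return encoded[1:encoded.index("}")]

def matches(password: str, encoded: str, algorithm: str = "md5",
            iterations: int = 1, as_base64: bool = False) -> bool:
    """Re-encode with the stored salt and compare in constant time."""
    salt = extract_salt(encoded)
    candidate = encode_with_salt(password, salt, algorithm, iterations, as_base64)
    return hmac.compare_digest(candidate.encode("utf-8"), encoded.encode("utf-8"))

def migrate_from_salt_source(salt: Optional[str], stored_digest: str) -> str:
    """Prefix a legacy DigestPasswordEncoder hash with its externally stored salt."""
    s = "" if salt is None else "{" + salt + "}"
    return s + stored_digest
```

    A practical use for a defender is to confirm that stored values follow this format and then wrap the encoder in a DelegatingPasswordEncoder so they are upgraded on next login.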
    Since:
    5.0
    • Method Summary

      Modifier and Type / Method / Description
      java.lang.String encode(java.lang.CharSequence rawPassword)
          Deprecated. Encodes the rawPassword using a MessageDigest.
      boolean matches(java.lang.CharSequence rawPassword, java.lang.String encodedPassword)
          Deprecated. Takes a previously encoded password and compares it with a raw password after mixing in the salt and encoding that value.
      void setEncodeHashAsBase64(boolean encodeHashAsBase64)
          Deprecated. Sets whether the digest is returned as a Base64 string instead of a hex string.
      void setIterations(int iterations)
          Deprecated. Sets the number of iterations for which the calculated hash value should be "stretched".
      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
    • Constructor Detail

      • MessageDigestPasswordEncoder

        public MessageDigestPasswordEncoder(java.lang.String algorithm)
        Deprecated.
        The digest algorithm to use. Supports the named Message Digest algorithms available in the Java environment.
        Parameters:
        algorithm - the name of the digest algorithm to use
    • Method Detail

      • setEncodeHashAsBase64

        public void setEncodeHashAsBase64(boolean encodeHashAsBase64)
        Deprecated.
        Sets whether the digest is returned as a Base64 string instead of a hex string.
      • encode

        public java.lang.String encode(java.lang.CharSequence rawPassword)
        Deprecated.
        Encodes the rawPassword using a MessageDigest. If a salt is specified, it is merged with the password before encoding.
        Specified by:
        encode in interface PasswordEncoder
        Parameters:
        rawPassword - the plain text password
        Returns:
        hex string of the password digest (or a Base64-encoded string if encodeHashAsBase64 is enabled)
      • matches

        public boolean matches(java.lang.CharSequence rawPassword,
                               java.lang.String encodedPassword)
        Deprecated.
        Takes a previously encoded password and compares it with a raw password after mixing in the salt and encoding that value.
        Specified by:
        matches in interface PasswordEncoder
        Parameters:
        rawPassword - plain text password
        encodedPassword - previously encoded password
        Returns:
        true if the raw password, once salted and encoded, equals encodedPassword; false otherwise
      • setIterations

        public void setIterations(int iterations)
        Deprecated.
        Sets the number of iterations for which the calculated hash value should be "stretched". If this is greater than one, the initial digest is calculated and the digest function is then applied repeatedly to the result for the remaining iterations.
        Parameters:
        iterations - the number of iterations which will be executed on the hashed password/salt value. Defaults to 1.