Class Pbkdf2PasswordEncoder

  • All Implemented Interfaces:
    PasswordEncoder

    public class Pbkdf2PasswordEncoder
    extends java.lang.Object
    implements PasswordEncoder
    A PasswordEncoder implementation that uses PBKDF2 with:
    • a configurable random salt value length (default is 8 bytes)
    • a configurable number of iterations (default is 185000)
    • a configurable output hash width (default is 256 bits)
    • a configurable key derivation function (see Pbkdf2PasswordEncoder.SecretKeyFactoryAlgorithm)
    • a configurable secret appended to the random salt (default is empty)
    The algorithm is invoked on the concatenated bytes of the salt, secret and password.
    Since:
    4.1
    • Constructor Summary

      Constructors 
      Constructor Description
      Pbkdf2PasswordEncoder()
      Constructs a PBKDF2 password encoder with no additional secret value.
      Pbkdf2PasswordEncoder​(java.lang.CharSequence secret)
      Constructs a standard password encoder with a secret value which is also included in the password hash.
      Pbkdf2PasswordEncoder​(java.lang.CharSequence secret, int saltLength)
      Constructs a standard password encoder with a secret value as well as salt length.
      Pbkdf2PasswordEncoder​(java.lang.CharSequence secret, int iterations, int hashWidth)
      Constructs a standard password encoder with a secret value as well as iterations and hash width.
      Pbkdf2PasswordEncoder​(java.lang.CharSequence secret, int saltLength, int iterations, int hashWidth)
      Constructs a standard password encoder with a secret value as well as salt length, iterations and hash width.
    • Method Summary

      Modifier and Type Method Description
      java.lang.String encode​(java.lang.CharSequence rawPassword)
      Encode the raw password.
      boolean matches​(java.lang.CharSequence rawPassword, java.lang.String encodedPassword)
      Verify the encoded password obtained from storage matches the submitted raw password after it too is encoded.
      void setAlgorithm​(Pbkdf2PasswordEncoder.SecretKeyFactoryAlgorithm secretKeyFactoryAlgorithm)
      Sets the algorithm to use.
      void setEncodeHashAsBase64​(boolean encodeHashAsBase64)
      Sets whether the resulting hash should be encoded as Base64.
      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
    • Constructor Detail

      • Pbkdf2PasswordEncoder

        public Pbkdf2PasswordEncoder()
        Constructs a PBKDF2 password encoder with no additional secret value. There will be a salt length of 8 bytes, 185000 iterations and a hash width of 256 bits. These defaults were chosen so that validating a password took about 0.5 seconds when this class was added. Users should tune password verification to their own systems.
      • Pbkdf2PasswordEncoder

        public Pbkdf2PasswordEncoder​(java.lang.CharSequence secret)
        Constructs a standard password encoder with a secret value which is also included in the password hash. There will be a salt length of 8 bytes, 185000 iterations and a hash width of 256 bits.
        Parameters:
        secret - the secret key used in the encoding process (should not be shared)
      • Pbkdf2PasswordEncoder

        public Pbkdf2PasswordEncoder​(java.lang.CharSequence secret,
                                     int saltLength)
        Constructs a standard password encoder with a secret value as well as salt length. There will be 185000 iterations and a hash width of 256 bits.
        Parameters:
        secret - the secret
        saltLength - the salt length (in bytes)
        Since:
        5.5
      • Pbkdf2PasswordEncoder

        public Pbkdf2PasswordEncoder​(java.lang.CharSequence secret,
                                     int iterations,
                                     int hashWidth)
        Constructs a standard password encoder with a secret value as well as iterations and hash width. The salt length will be 8 bytes.
        Parameters:
        secret - the secret
        iterations - the number of iterations. Users should aim for verification to take about 0.5 seconds on their own system.
        hashWidth - the size of the hash (in bits)
      • Pbkdf2PasswordEncoder

        public Pbkdf2PasswordEncoder​(java.lang.CharSequence secret,
                                     int saltLength,
                                     int iterations,
                                     int hashWidth)
        Constructs a standard password encoder with a secret value as well as salt length, iterations and hash width.
        Parameters:
        secret - the secret
        saltLength - the salt length (in bytes)
        iterations - the number of iterations. Users should aim for verification to take about 0.5 seconds on their own system.
        hashWidth - the size of the hash (in bits)
        Since:
        5.5
    • Method Detail

      • setAlgorithm

        public void setAlgorithm​(Pbkdf2PasswordEncoder.SecretKeyFactoryAlgorithm secretKeyFactoryAlgorithm)
        Sets the algorithm to use. See SecretKeyFactory Algorithms.
        Parameters:
        secretKeyFactoryAlgorithm - the algorithm to use (i.e. SecretKeyFactoryAlgorithm.PBKDF2WithHmacSHA1, SecretKeyFactoryAlgorithm.PBKDF2WithHmacSHA256, SecretKeyFactoryAlgorithm.PBKDF2WithHmacSHA512)
        Since:
        5.0
      • setEncodeHashAsBase64

        public void setEncodeHashAsBase64​(boolean encodeHashAsBase64)
        Sets whether the resulting hash should be encoded as Base64. The default is false, which means it will be encoded as hex.
        Parameters:
        encodeHashAsBase64 - true to encode as Base64, false to use hex (default)
      • encode

        public java.lang.String encode​(java.lang.CharSequence rawPassword)
        Description copied from interface: PasswordEncoder
        Encode the raw password. Generally, a good encoding algorithm applies a SHA-1 or greater hash combined with an 8-byte or greater randomly generated salt.
        Specified by:
        encode in interface PasswordEncoder
      • matches

        public boolean matches​(java.lang.CharSequence rawPassword,
                               java.lang.String encodedPassword)
        Description copied from interface: PasswordEncoder
        Verify the encoded password obtained from storage matches the submitted raw password after it too is encoded. Returns true if the passwords match, false if they do not. The stored password itself is never decoded.
        Specified by:
        matches in interface PasswordEncoder
        Parameters:
        rawPassword - the raw password to encode and match
        encodedPassword - the encoded password from storage to compare with
        Returns:
        true if the raw password, after encoding, matches the encoded password from storage
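
The constructor notes above tell users to tune verification to about .5 seconds on their own system. The following is an added example, not part of the Spring Security documentation or code base, that calibrates the iteration count that way using only the constructors and setters documented on this page. It assumes the spring-security-crypto version described here (5.5) is on the classpath; `Pbkdf2Tuning`, the 16-byte salt length and the `APP_PEPPER` environment variable are hypothetical choices made for the illustration.

```java
import java.util.Arrays;
import org.springframework.security.crypto.password.Pbkdf2PasswordEncoder;
import org.springframework.security.crypto.password.Pbkdf2PasswordEncoder.SecretKeyFactoryAlgorithm;

public class Pbkdf2Tuning {
    static final int SALT_BYTES = 16;   // assumption: longer than the 8-byte default
    static final int HASH_BITS = 256;   // class default
    static final long TARGET_MS = 500;  // the ~.5 s verification target from the docs

    // Build an encoder with every parameter stated explicitly instead of relying on defaults.
    static Pbkdf2PasswordEncoder build(CharSequence secret, int iterations) {
        Pbkdf2PasswordEncoder enc =
                new Pbkdf2PasswordEncoder(secret, SALT_BYTES, iterations, HASH_BITS);
        enc.setAlgorithm(SecretKeyFactoryAlgorithm.PBKDF2WithHmacSHA256);
        return enc;
    }

    // Median wall-clock time of matches(), in milliseconds, for one iteration count.
    static long timeMatches(CharSequence secret, int iterations) {
        Pbkdf2PasswordEncoder enc = build(secret, iterations);
        String stored = enc.encode("calibration-password");
        long[] samples = new long[5];
        for (int i = 0; i < samples.length; i++) {
            long t0 = System.nanoTime();
            enc.matches("calibration-password", stored);
            samples[i] = (System.nanoTime() - t0) / 1_000_000;
        }
        Arrays.sort(samples);
        return samples[samples.length / 2];
    }

    // Start at the class default and double until verification reaches the target time.
    static int calibrate(CharSequence secret) {
        int iterations = 185_000;
        while (timeMatches(secret, iterations) < TARGET_MS && iterations < (1 << 28)) {
            iterations *= 2;
        }
        return iterations;
    }

    public static void main(String[] args) {
        // APP_PEPPER is a hypothetical name; the secret is kept outside the password store.
        String pepper = System.getenv().getOrDefault("APP_PEPPER", "");
        int iterations = calibrate(pepper);
        Pbkdf2PasswordEncoder enc = build(pepper, iterations);
        String stored = enc.encode("correct horse battery staple");
        System.out.println("iterations=" + iterations);
        System.out.println("match=" + enc.matches("correct horse battery staple", stored));
        System.out.println("wrong=" + enc.matches("guess", stored));
    }
}
```

Record the calibrated value in configuration rather than recalibrating at each start: matches re-encodes the submitted password with the encoder's current settings, so stored hashes only verify under the settings they were created with.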