Package org.springframework.security.crypto.password

Class Pbkdf2PasswordEncoder

  • All Implemented Interfaces:
    PasswordEncoder
    public class Pbkdf2PasswordEncoder
extends java.lang.Object
implements PasswordEncoder
    A PasswordEncoder implementation that uses PBKDF2 with :
    • a configurable random salt value length (default is 16 bytes)
    • a configurable number of iterations (default is 310000)
    • a configurable key derivation function (see Pbkdf2PasswordEncoder.SecretKeyFactoryAlgorithm)
    • a configurable secret appended to the random salt (default is empty)
    The algorithm is invoked on the concatenated bytes of the salt, secret and password.
    Since:
    4.1

    • Constructor Detail

      • Pbkdf2PasswordEncoder

        @Deprecated
public Pbkdf2PasswordEncoder()
        Deprecated.
        Use defaultsForSpringSecurity_v5_5() instead
        Constructs a PBKDF2 password encoder with no additional secret value. There will be a salt length of 8 bytes, 185,000 iterations, SHA-1 algorithm and a hash length of 256 bits. The default is based upon aiming for .5 seconds to validate the password when this class was added. Users should tune password verification to their own systems.

      • Pbkdf2PasswordEncoder

        @Deprecated
public Pbkdf2PasswordEncoder​(java.lang.CharSequence secret)
        Deprecated.
        Use Pbkdf2PasswordEncoder(CharSequence, int, int, int) instead
        Constructs a PBKDF2 password encoder with a secret value which is also included in the password hash. There will be a salt length of 8 bytes, 185,000 iterations, SHA-1 algorithm and a hash length of 256 bits.
        Parameters:
        secret - the secret key used in the encoding process (should not be shared)

      • Pbkdf2PasswordEncoder

        @Deprecated
public Pbkdf2PasswordEncoder​(java.lang.CharSequence secret,
                             int saltLength)
        Deprecated.
        Use Pbkdf2PasswordEncoder(CharSequence, int, int, int) instead
        Constructs a PBKDF2 password encoder with a secret value as well as salt length. There will be 185,000 iterations, SHA-1 algorithm and a hash length of 256 bits.
        Parameters:
        secret - the secret
        saltLength - the salt length (in bytes)
        Since:
        5.5

      • Pbkdf2PasswordEncoder

        @Deprecated
public Pbkdf2PasswordEncoder​(java.lang.CharSequence secret,
                             int iterations,
                             int hashWidth)
        Deprecated.
        Use Pbkdf2PasswordEncoder(CharSequence, int, int, int) instead
        Constructs a PBKDF2 password encoder with a secret value as well as iterations and hash width. The salt length will be 8 bytes.
        Parameters:
        secret - the secret
        iterations - the number of iterations. Users should aim for taking about .5 seconds on their own system.
        hashWidth - the size of the hash (in bits)

      • Pbkdf2PasswordEncoder

        @Deprecated
public Pbkdf2PasswordEncoder​(java.lang.CharSequence secret,
                             int saltLength,
                             int iterations,
                             int hashWidth)
        Deprecated.
        Use Pbkdf2PasswordEncoder(CharSequence, int, int, SecretKeyFactoryAlgorithm) instead
        Constructs a PBKDF2 password encoder with a secret value as well as salt length, iterations and hash width.
        Parameters:
        secret - the secret
        saltLength - the salt length (in bytes)
        iterations - the number of iterations. Users should aim for taking about .5 seconds on their own system.
        hashWidth - the size of the hash (in bits)
        Since:
        5.5

      • Pbkdf2PasswordEncoder

        public Pbkdf2PasswordEncoder​(java.lang.CharSequence secret,
                             int saltLength,
                             int iterations,
                             Pbkdf2PasswordEncoder.SecretKeyFactoryAlgorithm secretKeyFactoryAlgorithm)
        Constructs a PBKDF2 password encoder with a secret value as well as salt length, iterations and algorithm.
        Parameters:
        secret - the secret
        saltLength - the salt length (in bytes)
        iterations - the number of iterations. Users should aim for taking about .5 seconds on their own system.
        secretKeyFactoryAlgorithm - the algorithm to use
        Since:
        5.8

    • Method Detail

      • defaultsForSpringSecurity_v5_5

        @Deprecated
public static Pbkdf2PasswordEncoder defaultsForSpringSecurity_v5_5()
        Deprecated.
        Use defaultsForSpringSecurity_v5_8() instead
        Constructs a PBKDF2 password encoder with no additional secret value. There will be a salt length of 8 bytes, 185,000 iterations, SHA-1 algorithm and a hash length of 256 bits. The default is based upon aiming for .5 seconds to validate the password when this class was added. Users should tune password verification to their own systems.
        Returns:
        the Pbkdf2PasswordEncoder
        Since:
        5.8

      • defaultsForSpringSecurity_v5_8

        public static Pbkdf2PasswordEncoder defaultsForSpringSecurity_v5_8()
        Constructs a PBKDF2 password encoder with no additional secret value. There will be a salt length of 16 bytes, 310,000 iterations, SHA-256 algorithm and a hash length of 256 bits. The default is based upon aiming for .5 seconds to validate the password when this class was added. Users should tune password verification to their own systems.
        Returns:
        the Pbkdf2PasswordEncoder
        Since:
        5.8

      • setAlgorithm

        public void setAlgorithm​(Pbkdf2PasswordEncoder.SecretKeyFactoryAlgorithm secretKeyFactoryAlgorithm)
        Sets the algorithm to use. See SecretKeyFactory Algorithms
        Parameters:
        secretKeyFactoryAlgorithm - the algorithm to use (i.e. SecretKeyFactoryAlgorithm.PBKDF2WithHmacSHA1, SecretKeyFactoryAlgorithm.PBKDF2WithHmacSHA256, SecretKeyFactoryAlgorithm.PBKDF2WithHmacSHA512)
        Since:
        5.0

      • setEncodeHashAsBase64

        public void setEncodeHashAsBase64​(boolean encodeHashAsBase64)
        Sets if the resulting hash should be encoded as Base64. The default is false which means it will be encoded in Hex.
        Parameters:
        encodeHashAsBase64 - true if encode as Base64, false if should use Hex (default)

      • encode

        public java.lang.String encode​(java.lang.CharSequence rawPassword)
        Description copied from interface: PasswordEncoder
        Encode the raw password. Generally, a good encoding algorithm applies a SHA-1 or greater hash combined with an 8-byte or greater randomly generated salt.
        Specified by:
        encode in interface PasswordEncoder

      • matches

        public boolean matches​(java.lang.CharSequence rawPassword,
                       java.lang.String encodedPassword)
        Description copied from interface: PasswordEncoder
        Verify the encoded password obtained from storage matches the submitted raw password after it too is encoded. Returns true if the passwords match, false if they do not. The stored password itself is never decoded.
        Specified by:
        matches in interface PasswordEncoder
        Parameters:
        rawPassword - the raw password to encode and match
        encodedPassword - the encoded password from storage to compare with
        Returns:
        true if the raw password, after encoding, matches the encoded password from storage