Class Pbkdf2PasswordEncoder
- java.lang.Object
  - org.springframework.security.crypto.password.Pbkdf2PasswordEncoder
- All Implemented Interfaces: PasswordEncoder
public class Pbkdf2PasswordEncoder extends java.lang.Object implements PasswordEncoder
A PasswordEncoder implementation that uses PBKDF2 with:
- a configurable random salt value length (default is 16 bytes)
- a configurable number of iterations (default is 310000)
- a configurable key derivation function (see Pbkdf2PasswordEncoder.SecretKeyFactoryAlgorithm)
- a configurable secret appended to the random salt (default is empty)
- Since:
- 4.1
-
Nested Class Summary
| Modifier and Type | Class | Description |
| --- | --- | --- |
| static class | Pbkdf2PasswordEncoder.SecretKeyFactoryAlgorithm | The Algorithm used for creating the SecretKeyFactory |
-
Constructor Summary
| Constructor | Description |
| --- | --- |
| Pbkdf2PasswordEncoder() | Deprecated. Use defaultsForSpringSecurity_v5_5() instead |
| Pbkdf2PasswordEncoder(java.lang.CharSequence secret) | Deprecated. |
| Pbkdf2PasswordEncoder(java.lang.CharSequence secret, int saltLength) | Deprecated. |
| Pbkdf2PasswordEncoder(java.lang.CharSequence secret, int iterations, int hashWidth) | Deprecated. |
| Pbkdf2PasswordEncoder(java.lang.CharSequence secret, int saltLength, int iterations, int hashWidth) | Deprecated. |
| Pbkdf2PasswordEncoder(java.lang.CharSequence secret, int saltLength, int iterations, Pbkdf2PasswordEncoder.SecretKeyFactoryAlgorithm secretKeyFactoryAlgorithm) | Constructs a PBKDF2 password encoder with a secret value as well as salt length, iterations and algorithm. |
-
Method Summary
| Modifier and Type | Method | Description |
| --- | --- | --- |
| static Pbkdf2PasswordEncoder | defaultsForSpringSecurity_v5_5() | Deprecated. Use defaultsForSpringSecurity_v5_8() instead |
| static Pbkdf2PasswordEncoder | defaultsForSpringSecurity_v5_8() | Constructs a PBKDF2 password encoder with no additional secret value. |
| java.lang.String | encode(java.lang.CharSequence rawPassword) | Encode the raw password. |
| boolean | matches(java.lang.CharSequence rawPassword, java.lang.String encodedPassword) | Verify the encoded password obtained from storage matches the submitted raw password after it too is encoded. |
| void | setAlgorithm(Pbkdf2PasswordEncoder.SecretKeyFactoryAlgorithm secretKeyFactoryAlgorithm) | Sets the algorithm to use. |
| void | setEncodeHashAsBase64(boolean encodeHashAsBase64) | Sets if the resulting hash should be encoded as Base64. |
-
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
-
Methods inherited from interface org.springframework.security.crypto.password.PasswordEncoder
upgradeEncoding
-
Constructor Detail
-
Pbkdf2PasswordEncoder
@Deprecated public Pbkdf2PasswordEncoder()
Deprecated. Use defaultsForSpringSecurity_v5_5() instead
Constructs a PBKDF2 password encoder with no additional secret value. There will be a salt length of 8 bytes, 185,000 iterations, SHA-1 algorithm and a hash length of 256 bits. The default is based upon aiming for .5 seconds to validate the password when this class was added. Users should tune password verification to their own systems.
-
Pbkdf2PasswordEncoder
@Deprecated public Pbkdf2PasswordEncoder(java.lang.CharSequence secret)
Deprecated.
Constructs a PBKDF2 password encoder with a secret value which is also included in the password hash. There will be a salt length of 8 bytes, 185,000 iterations, SHA-1 algorithm and a hash length of 256 bits.
- Parameters:
secret - the secret key used in the encoding process (should not be shared)
-
Pbkdf2PasswordEncoder
@Deprecated public Pbkdf2PasswordEncoder(java.lang.CharSequence secret, int saltLength)
Deprecated.
Constructs a PBKDF2 password encoder with a secret value as well as salt length. There will be 185,000 iterations, SHA-1 algorithm and a hash length of 256 bits.
- Parameters:
secret - the secret
saltLength - the salt length (in bytes)
- Since:
- 5.5
-
Pbkdf2PasswordEncoder
@Deprecated public Pbkdf2PasswordEncoder(java.lang.CharSequence secret, int iterations, int hashWidth)
Deprecated.
Constructs a PBKDF2 password encoder with a secret value as well as iterations and hash width. The salt length will be 8 bytes.
- Parameters:
secret - the secret
iterations - the number of iterations. Users should aim for taking about .5 seconds on their own system.
hashWidth - the size of the hash (in bits)
-
Pbkdf2PasswordEncoder
@Deprecated public Pbkdf2PasswordEncoder(java.lang.CharSequence secret, int saltLength, int iterations, int hashWidth)
Deprecated.
Constructs a PBKDF2 password encoder with a secret value as well as salt length, iterations and hash width.
- Parameters:
secret - the secret
saltLength - the salt length (in bytes)
iterations - the number of iterations. Users should aim for taking about .5 seconds on their own system.
hashWidth - the size of the hash (in bits)
- Since:
- 5.5
-
Pbkdf2PasswordEncoder
public Pbkdf2PasswordEncoder(java.lang.CharSequence secret, int saltLength, int iterations, Pbkdf2PasswordEncoder.SecretKeyFactoryAlgorithm secretKeyFactoryAlgorithm)
Constructs a PBKDF2 password encoder with a secret value as well as salt length, iterations and algorithm.
- Parameters:
secret - the secret
saltLength - the salt length (in bytes)
iterations - the number of iterations. Users should aim for taking about .5 seconds on their own system.
secretKeyFactoryAlgorithm - the algorithm to use
- Since:
- 5.8
-
Method Detail
-
defaultsForSpringSecurity_v5_5
@Deprecated public static Pbkdf2PasswordEncoder defaultsForSpringSecurity_v5_5()
Deprecated. Use defaultsForSpringSecurity_v5_8() instead
Constructs a PBKDF2 password encoder with no additional secret value. There will be a salt length of 8 bytes, 185,000 iterations, SHA-1 algorithm and a hash length of 256 bits. The default is based upon aiming for .5 seconds to validate the password when this class was added. Users should tune password verification to their own systems.
- Returns:
- the Pbkdf2PasswordEncoder
- Since:
- 5.8
-
defaultsForSpringSecurity_v5_8
public static Pbkdf2PasswordEncoder defaultsForSpringSecurity_v5_8()
Constructs a PBKDF2 password encoder with no additional secret value. There will be a salt length of 16 bytes, 310,000 iterations, SHA-256 algorithm and a hash length of 256 bits. The default is based upon aiming for .5 seconds to validate the password when this class was added. Users should tune password verification to their own systems.
- Returns:
- the Pbkdf2PasswordEncoder
- Since:
- 5.8
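The tuning advice above ("aiming for .5 seconds", "tune password verification to their own systems"), as an added example that is not part of the Spring Security documentation: it times matches() at the documented 5.8 parameters and scales the iteration count toward the target. The class name Pbkdf2Calibration, its helper methods, the sample password, and the choice to treat 310,000 iterations as a floor are assumptions of this example; it needs spring-security-crypto 5.8 or later on the classpath.

```java
import java.util.Arrays;
import org.springframework.security.crypto.password.Pbkdf2PasswordEncoder;
import org.springframework.security.crypto.password.Pbkdf2PasswordEncoder.SecretKeyFactoryAlgorithm;

// Added example: Pbkdf2Calibration and its helpers are hypothetical names.
public class Pbkdf2Calibration {
    static final long TARGET_MILLIS = 500;  // the ".5 seconds" guidance
    static final int FLOOR = 310_000;       // documented 5.8 default, used as a minimum (assumption)
    static final String SAMPLE = "constructed-sample-password"; // constructed input

    // Empty secret, 16-byte salt, SHA-256: the documented 5.8 parameters.
    static Pbkdf2PasswordEncoder encoder(int iterations) {
        return new Pbkdf2PasswordEncoder("", 16, iterations,
                SecretKeyFactoryAlgorithm.PBKDF2WithHmacSHA256);
    }

    // Median wall-clock time of matches() over several runs, in milliseconds.
    static long medianVerifyMillis(int iterations, int runs) {
        Pbkdf2PasswordEncoder enc = encoder(iterations);
        String stored = enc.encode(SAMPLE);
        long[] samples = new long[runs];
        for (int i = 0; i < runs; i++) {
            long start = System.nanoTime();
            if (!enc.matches(SAMPLE, stored)) {
                throw new IllegalStateException("encoder rejected its own hash");
            }
            samples[i] = (System.nanoTime() - start) / 1_000_000;
        }
        Arrays.sort(samples);
        return samples[runs / 2];
    }

    // PBKDF2 cost is linear in the iteration count, so scale proportionally,
    // but never drop below the documented default on slow hardware.
    static int calibrate() {
        medianVerifyMillis(FLOOR, 3);  // JIT warm-up, result discarded
        long millis = Math.max(1, medianVerifyMillis(FLOOR, 5));
        long scaled = FLOOR * TARGET_MILLIS / millis;
        return (int) Math.max(FLOOR, Math.min(scaled, Integer.MAX_VALUE));
    }

    public static void main(String[] args) {
        int iterations = calibrate();
        System.out.printf("iterations=%d, verify=%d ms%n",
                iterations, medianVerifyMillis(iterations, 5));
    }
}
```

Run it on the hardware that will serve logins, under representative load. The encoded value does not carry the iteration count, so hashes created with one setting only verify against an encoder built with that same setting.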
-
setAlgorithm
public void setAlgorithm(Pbkdf2PasswordEncoder.SecretKeyFactoryAlgorithm secretKeyFactoryAlgorithm)
Sets the algorithm to use. See SecretKeyFactory Algorithms
- Parameters:
secretKeyFactoryAlgorithm - the algorithm to use (i.e. SecretKeyFactoryAlgorithm.PBKDF2WithHmacSHA1, SecretKeyFactoryAlgorithm.PBKDF2WithHmacSHA256, SecretKeyFactoryAlgorithm.PBKDF2WithHmacSHA512)
- Since:
- 5.0
-
setEncodeHashAsBase64
public void setEncodeHashAsBase64(boolean encodeHashAsBase64)
Sets if the resulting hash should be encoded as Base64. The default is false which means it will be encoded in Hex.
- Parameters:
encodeHashAsBase64 - true if encode as Base64, false if should use Hex (default)
-
encode
public java.lang.String encode(java.lang.CharSequence rawPassword)
Description copied from interface: PasswordEncoder
Encode the raw password. Generally, a good encoding algorithm applies a SHA-1 or greater hash combined with an 8-byte or greater randomly generated salt.
- Specified by:
encode in interface PasswordEncoder
-
matches
public boolean matches(java.lang.CharSequence rawPassword, java.lang.String encodedPassword)
Description copied from interface: PasswordEncoder
Verify the encoded password obtained from storage matches the submitted raw password after it too is encoded. Returns true if the passwords match, false if they do not. The stored password itself is never decoded.
- Specified by:
matches in interface PasswordEncoder
- Parameters:
rawPassword - the raw password to encode and match
encodedPassword - the encoded password from storage to compare with
- Returns:
- true if the raw password, after encoding, matches the encoded password from storage