Class Argon2PasswordEncoder
java.lang.Object
org.springframework.security.crypto.argon2.Argon2PasswordEncoder
- All Implemented Interfaces:
PasswordEncoder
Implementation of PasswordEncoder that uses the Argon2 hashing function. Clients can optionally supply the length of the salt to use, the length of the generated hash, a cpu cost parameter, a memory cost parameter and a parallelization parameter.
Note:
The currently implementation uses Bouncy castle which does not exploit parallelism/optimizations that password crackers will, so there is an unnecessary asymmetry between attacker and defender.
- Since:
- 5.3
-
Constructor Summary
ConstructorDescriptionArgon2PasswordEncoder
(int saltLength, int hashLength, int parallelism, int memory, int iterations) -
Method Summary
Modifier and TypeMethodDescriptionencode
(CharSequence rawPassword) Encode the raw password.boolean
matches
(CharSequence rawPassword, String encodedPassword) Verify the encoded password obtained from storage matches the submitted raw password after it too is encoded.boolean
upgradeEncoding
(String encodedPassword) Returns true if the encoded password should be encoded again for better security, else false.
-
Constructor Details
-
Argon2PasswordEncoder
public Argon2PasswordEncoder() -
Argon2PasswordEncoder
public Argon2PasswordEncoder(int saltLength, int hashLength, int parallelism, int memory, int iterations)
-
-
Method Details
-
encode
Description copied from interface:PasswordEncoder
Encode the raw password. Generally, a good encoding algorithm applies a SHA-1 or greater hash combined with an 8-byte or greater randomly generated salt.- Specified by:
encode
in interfacePasswordEncoder
-
matches
Description copied from interface:PasswordEncoder
Verify the encoded password obtained from storage matches the submitted raw password after it too is encoded. Returns true if the passwords match, false if they do not. The stored password itself is never decoded.- Specified by:
matches
in interfacePasswordEncoder
- Parameters:
rawPassword
- the raw password to encode and matchencodedPassword
- the encoded password from storage to compare with- Returns:
- true if the raw password, after encoding, matches the encoded password from storage
-
upgradeEncoding
Description copied from interface:PasswordEncoder
Returns true if the encoded password should be encoded again for better security, else false. The default implementation always returns false.- Specified by:
upgradeEncoding
in interfacePasswordEncoder
- Parameters:
encodedPassword
- the encoded password to check- Returns:
- true if the encoded password should be encoded again for better security, else false.
-