Package org.springframework.security.crypto.password

Class Md4PasswordEncoder

java.lang.Object

org.springframework.security.crypto.password.Md4PasswordEncoder

All Implemented Interfaces:

PasswordEncoder

@Deprecated
public class Md4PasswordEncoder
extends Object
implements PasswordEncoder

Deprecated.

Digest based password encoding is not considered secure. Instead use an adaptive one way function like BCryptPasswordEncoder, Pbkdf2PasswordEncoder, or SCryptPasswordEncoder. Even better use DelegatingPasswordEncoder which supports password upgrades. There are no plans to remove this support. It is deprecated to indicate that this is a legacy implementation and using it is considered insecure.

This PasswordEncoder is provided for legacy purposes only and is not considered secure. Encodes passwords using MD4. The general format of the password is:

 s = salt == null ? "" : "{" + salt + "}"
 s + md4(password + s)
 

Such that "salt" is the salt, md4 is the digest method, and password is the actual password. For example with a password of "password", and a salt of "thisissalt":

 String s = salt == null ? "" : "{" + salt + "}";
 s + md4(password + s)
 "{thisissalt}" + md4(password + "{thisissalt}")
 "{thisissalt}6cc7924dad12ade79dfb99e424f25260"
 

If the salt does not exist, then omit "{salt}" like this:

 md4(password)
 

If the salt is an empty String, then only use "{}" like this:

 "{}" + md4(password + "{}")
 

The format is intended to work with the Md4PasswordEncoder that was found in the Spring Security core module. However, the passwords will need to be migrated to include any salt with the password since this API provides Salt internally vs making it the responsibility of the user. To migrate passwords from the SaltSource use the following:

 String salt = saltSource.getSalt(user);
 String s = salt == null ? null : "{" + salt + "}";
 String migratedPassword = s + user.getPassword();
 

Since:

5.0

Constructor Summary

Constructors

Constructor	Description
Md4PasswordEncoder()	Deprecated.

Method Summary

Modifier and Type	Method	Description
String	encode(CharSequence rawPassword)	Deprecated. Encodes the rawPass using a MessageDigest.
boolean	matches(CharSequence rawPassword, String encodedPassword)	Deprecated. Takes a previously encoded password and compares it with a rawpassword after mixing in the salt and encoding that value
void	setEncodeHashAsBase64(boolean encodeHashAsBase64)	Deprecated.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.springframework.security.crypto.password.PasswordEncoder

upgradeEncoding

Constructor Details

Md4PasswordEncoder

public Md4PasswordEncoder()

Deprecated.

Method Details

setEncodeHashAsBase64

public void setEncodeHashAsBase64(boolean encodeHashAsBase64)

Deprecated.

encode

public String encode(CharSequence rawPassword)

Deprecated.

Encodes the rawPass using a MessageDigest. If a salt is specified it will be merged with the password before encoding.

Specified by:

encode in interface PasswordEncoder

Parameters:

rawPassword - The plain text password

Returns:

Hex string of password digest (or base64 encoded string if encodeHashAsBase64 is enabled.

matches

public boolean matches(CharSequence rawPassword,
 String encodedPassword)

Deprecated.

Takes a previously encoded password and compares it with a rawpassword after mixing in the salt and encoding that value

Specified by:

matches in interface PasswordEncoder

Parameters:

rawPassword - plain text password

encodedPassword - previously encoded password

Returns:

true or false