Package org.springframework.security.crypto.password

Class Pbkdf2PasswordEncoder

java.lang.Object
org.springframework.security.crypto.password.Pbkdf2PasswordEncoder
All Implemented Interfaces:
PasswordEncoder
public class Pbkdf2PasswordEncoder extends Object implements PasswordEncoder
A PasswordEncoder implementation that uses PBKDF2 with :
  • a configurable random salt value length (default is 16 bytes)
  • a configurable number of iterations (default is 310000)
  • a configurable key derivation function (see Pbkdf2PasswordEncoder.SecretKeyFactoryAlgorithm)
  • a configurable secret appended to the random salt (default is empty)
The algorithm is invoked on the concatenated bytes of the salt, secret and password.
Since:
4.1

  • Constructor Details

    • Pbkdf2PasswordEncoder

      @Deprecated public Pbkdf2PasswordEncoder(CharSequence secret, int saltLength, int iterations, int hashWidth)
      Deprecated.
      Use Pbkdf2PasswordEncoder(CharSequence, int, int, SecretKeyFactoryAlgorithm) instead
      Constructs a PBKDF2 password encoder with a secret value as well as salt length, iterations and hash width.
      Parameters:
      secret - the secret
      saltLength - the salt length (in bytes)
      iterations - the number of iterations. Users should aim for taking about .5 seconds on their own system.
      hashWidth - the size of the hash (in bits)
      Since:
      5.5

    • Pbkdf2PasswordEncoder

      public Pbkdf2PasswordEncoder(CharSequence secret, int saltLength, int iterations, Pbkdf2PasswordEncoder.SecretKeyFactoryAlgorithm secretKeyFactoryAlgorithm)
      Constructs a PBKDF2 password encoder with a secret value as well as salt length, iterations and algorithm.
      Parameters:
      secret - the secret
      saltLength - the salt length (in bytes)
      iterations - the number of iterations. Users should aim for taking about .5 seconds on their own system.
      secretKeyFactoryAlgorithm - the algorithm to use
      Since:
      5.8

  • Method Details

    • defaultsForSpringSecurity_v5_5

      @Deprecated public static Pbkdf2PasswordEncoder defaultsForSpringSecurity_v5_5()
      Deprecated.
      Use defaultsForSpringSecurity_v5_8() instead
      Constructs a PBKDF2 password encoder with no additional secret value. There will be a salt length of 8 bytes, 185,000 iterations, SHA-1 algorithm and a hash length of 256 bits. The default is based upon aiming for .5 seconds to validate the password when this class was added. Users should tune password verification to their own systems.
      Returns:
      the Pbkdf2PasswordEncoder
      Since:
      5.8

    • defaultsForSpringSecurity_v5_8

      public static Pbkdf2PasswordEncoder defaultsForSpringSecurity_v5_8()
      Constructs a PBKDF2 password encoder with no additional secret value. There will be a salt length of 16 bytes, 310,000 iterations, SHA-256 algorithm and a hash length of 256 bits. The default is based upon aiming for .5 seconds to validate the password when this class was added. Users should tune password verification to their own systems.
      Returns:
      the Pbkdf2PasswordEncoder
      Since:
      5.8

    • setAlgorithm

      public void setAlgorithm(Pbkdf2PasswordEncoder.SecretKeyFactoryAlgorithm secretKeyFactoryAlgorithm)
      Sets the algorithm to use. See SecretKeyFactory Algorithms
      Parameters:
      secretKeyFactoryAlgorithm - the algorithm to use (i.e. SecretKeyFactoryAlgorithm.PBKDF2WithHmacSHA1, SecretKeyFactoryAlgorithm.PBKDF2WithHmacSHA256, SecretKeyFactoryAlgorithm.PBKDF2WithHmacSHA512)
      Since:
      5.0

    • setEncodeHashAsBase64

      public void setEncodeHashAsBase64(boolean encodeHashAsBase64)
      Sets if the resulting hash should be encoded as Base64. The default is false which means it will be encoded in Hex.
      Parameters:
      encodeHashAsBase64 - true if encode as Base64, false if should use Hex (default)

    • encode

      public String encode(CharSequence rawPassword)
      Description copied from interface: PasswordEncoder
      Encode the raw password. Generally, a good encoding algorithm applies a SHA-1 or greater hash combined with an 8-byte or greater randomly generated salt.
      Specified by:
      encode in interface PasswordEncoder

    • matches

      public boolean matches(CharSequence rawPassword, String encodedPassword)
      Description copied from interface: PasswordEncoder
      Verify the encoded password obtained from storage matches the submitted raw password after it too is encoded. Returns true if the passwords match, false if they do not. The stored password itself is never decoded.
      Specified by:
      matches in interface PasswordEncoder
      Parameters:
      rawPassword - the raw password to encode and match
      encodedPassword - the encoded password from storage to compare with
      Returns:
      true if the raw password, after encoding, matches the encoded password from storage