Search in sources :

Example 1 with Pbkdf2PasswordEncoder

use of org.springframework.security.crypto.password.Pbkdf2PasswordEncoder in project cas by apereo.

the class Beans method newPasswordEncoder.

/**
     * New password encoder password encoder.
     *
     * @param properties the properties
     * @return the password encoder
     */
public static PasswordEncoder newPasswordEncoder(final PasswordEncoderProperties properties) {
    final String type = properties.getType();
    if (StringUtils.isBlank(type)) {
        LOGGER.debug("No password encoder type is defined, and so none shall be created");
        return NoOpPasswordEncoder.getInstance();
    }
    if (type.contains(".")) {
        try {
            LOGGER.debug("Configuration indicates use of a custom password encoder [{}]", type);
            final Class<PasswordEncoder> clazz = (Class<PasswordEncoder>) Class.forName(type);
            return clazz.newInstance();
        } catch (final Exception e) {
            LOGGER.error("Falling back to a no-op password encoder as CAS has failed to create " + "an instance of the custom password encoder class " + type, e);
            return NoOpPasswordEncoder.getInstance();
        }
    }
    final PasswordEncoderProperties.PasswordEncoderTypes encoderType = PasswordEncoderProperties.PasswordEncoderTypes.valueOf(type);
    switch(encoderType) {
        case DEFAULT:
            LOGGER.debug("Creating default password encoder with encoding alg [{}] and character encoding [{}]", properties.getEncodingAlgorithm(), properties.getCharacterEncoding());
            return new DefaultPasswordEncoder(properties.getEncodingAlgorithm(), properties.getCharacterEncoding());
        case STANDARD:
            LOGGER.debug("Creating standard password encoder with the secret defined in the configuration");
            return new StandardPasswordEncoder(properties.getSecret());
        case BCRYPT:
            LOGGER.debug("Creating BCRYPT password encoder given the strength [{}] and secret in the configuration", properties.getStrength());
            if (StringUtils.isBlank(properties.getSecret())) {
                LOGGER.debug("Creating BCRYPT encoder without secret");
                return new BCryptPasswordEncoder(properties.getStrength());
            }
            LOGGER.debug("Creating BCRYPT encoder with secret");
            return new BCryptPasswordEncoder(properties.getStrength(), new SecureRandom(properties.getSecret().getBytes(StandardCharsets.UTF_8)));
        case SCRYPT:
            LOGGER.debug("Creating SCRYPT encoder");
            return new SCryptPasswordEncoder();
        case PBKDF2:
            if (StringUtils.isBlank(properties.getSecret())) {
                LOGGER.debug("Creating PBKDF2 encoder without secret");
                return new Pbkdf2PasswordEncoder();
            }
            final int hashWidth = 256;
            return new Pbkdf2PasswordEncoder(properties.getSecret(), properties.getStrength(), hashWidth);
        case NONE:
        default:
            LOGGER.debug("No password encoder shall be created given the requested encoder type [{}]", type);
            return NoOpPasswordEncoder.getInstance();
    }
}
Also used : StandardPasswordEncoder(org.springframework.security.crypto.password.StandardPasswordEncoder) DefaultPasswordEncoder(org.apereo.cas.util.crypto.DefaultPasswordEncoder) BCryptPasswordEncoder(org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder) StandardPasswordEncoder(org.springframework.security.crypto.password.StandardPasswordEncoder) Pbkdf2PasswordEncoder(org.springframework.security.crypto.password.Pbkdf2PasswordEncoder) NoOpPasswordEncoder(org.springframework.security.crypto.password.NoOpPasswordEncoder) SCryptPasswordEncoder(org.springframework.security.crypto.scrypt.SCryptPasswordEncoder) PasswordEncoder(org.springframework.security.crypto.password.PasswordEncoder) SecureRandom(java.security.SecureRandom) Pbkdf2PasswordEncoder(org.springframework.security.crypto.password.Pbkdf2PasswordEncoder) BeanCreationException(org.springframework.beans.factory.BeanCreationException) SCryptPasswordEncoder(org.springframework.security.crypto.scrypt.SCryptPasswordEncoder) PasswordEncoderProperties(org.apereo.cas.configuration.model.core.authentication.PasswordEncoderProperties) DefaultPasswordEncoder(org.apereo.cas.util.crypto.DefaultPasswordEncoder) BCryptPasswordEncoder(org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder)

Example 2 with Pbkdf2PasswordEncoder

use of org.springframework.security.crypto.password.Pbkdf2PasswordEncoder in project spring-security by spring-projects.

the class PasswordEncoderFactories method createDelegatingPasswordEncoder.

/**
 * Creates a {@link DelegatingPasswordEncoder} with default mappings. Additional
 * mappings may be added and the encoding will be updated to conform with best
 * practices. However, due to the nature of {@link DelegatingPasswordEncoder} the
 * updates should not impact users. The mappings current are:
 *
 * <ul>
 * <li>bcrypt - {@link BCryptPasswordEncoder} (Also used for encoding)</li>
 * <li>ldap -
 * {@link org.springframework.security.crypto.password.LdapShaPasswordEncoder}</li>
 * <li>MD4 -
 * {@link org.springframework.security.crypto.password.Md4PasswordEncoder}</li>
 * <li>MD5 - {@code new MessageDigestPasswordEncoder("MD5")}</li>
 * <li>noop -
 * {@link org.springframework.security.crypto.password.NoOpPasswordEncoder}</li>
 * <li>pbkdf2 - {@link Pbkdf2PasswordEncoder}</li>
 * <li>scrypt - {@link SCryptPasswordEncoder}</li>
 * <li>SHA-1 - {@code new MessageDigestPasswordEncoder("SHA-1")}</li>
 * <li>SHA-256 - {@code new MessageDigestPasswordEncoder("SHA-256")}</li>
 * <li>sha256 -
 * {@link org.springframework.security.crypto.password.StandardPasswordEncoder}</li>
 * <li>argon2 - {@link Argon2PasswordEncoder}</li>
 * </ul>
 * @return the {@link PasswordEncoder} to use
 */
@SuppressWarnings("deprecation")
public static PasswordEncoder createDelegatingPasswordEncoder() {
    String encodingId = "bcrypt";
    Map<String, PasswordEncoder> encoders = new HashMap<>();
    encoders.put(encodingId, new BCryptPasswordEncoder());
    encoders.put("ldap", new org.springframework.security.crypto.password.LdapShaPasswordEncoder());
    encoders.put("MD4", new org.springframework.security.crypto.password.Md4PasswordEncoder());
    encoders.put("MD5", new org.springframework.security.crypto.password.MessageDigestPasswordEncoder("MD5"));
    encoders.put("noop", org.springframework.security.crypto.password.NoOpPasswordEncoder.getInstance());
    encoders.put("pbkdf2", new Pbkdf2PasswordEncoder());
    encoders.put("scrypt", new SCryptPasswordEncoder());
    encoders.put("SHA-1", new org.springframework.security.crypto.password.MessageDigestPasswordEncoder("SHA-1"));
    encoders.put("SHA-256", new org.springframework.security.crypto.password.MessageDigestPasswordEncoder("SHA-256"));
    encoders.put("sha256", new org.springframework.security.crypto.password.StandardPasswordEncoder());
    encoders.put("argon2", new Argon2PasswordEncoder());
    return new DelegatingPasswordEncoder(encodingId, encoders);
}
Also used : BCryptPasswordEncoder(org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder) PasswordEncoder(org.springframework.security.crypto.password.PasswordEncoder) Pbkdf2PasswordEncoder(org.springframework.security.crypto.password.Pbkdf2PasswordEncoder) Argon2PasswordEncoder(org.springframework.security.crypto.argon2.Argon2PasswordEncoder) DelegatingPasswordEncoder(org.springframework.security.crypto.password.DelegatingPasswordEncoder) SCryptPasswordEncoder(org.springframework.security.crypto.scrypt.SCryptPasswordEncoder) HashMap(java.util.HashMap) DelegatingPasswordEncoder(org.springframework.security.crypto.password.DelegatingPasswordEncoder) Pbkdf2PasswordEncoder(org.springframework.security.crypto.password.Pbkdf2PasswordEncoder) Argon2PasswordEncoder(org.springframework.security.crypto.argon2.Argon2PasswordEncoder) SCryptPasswordEncoder(org.springframework.security.crypto.scrypt.SCryptPasswordEncoder) BCryptPasswordEncoder(org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder)

Example 3 with Pbkdf2PasswordEncoder

use of org.springframework.security.crypto.password.Pbkdf2PasswordEncoder in project cas by apereo.

the class PasswordEncoderUtils method newPasswordEncoder.

/**
 * New password encoder password encoder.
 *
 * @param properties         the properties
 * @param applicationContext the application context
 * @return the password encoder
 */
@SuppressWarnings("java:S5344")
public static PasswordEncoder newPasswordEncoder(final PasswordEncoderProperties properties, final ApplicationContext applicationContext) {
    val type = properties.getType();
    if (StringUtils.isBlank(type)) {
        LOGGER.trace("No password encoder type is defined, and so none shall be created");
        return NoOpPasswordEncoder.getInstance();
    }
    if (type.endsWith(".groovy")) {
        LOGGER.trace("Creating Groovy-based password encoder at [{}]", type);
        val resource = applicationContext.getResource(type);
        return new GroovyPasswordEncoder(resource, applicationContext);
    }
    if (type.contains(".")) {
        try {
            LOGGER.debug("Configuration indicates use of a custom password encoder [{}]", type);
            val clazz = (Class<PasswordEncoder>) Class.forName(type);
            return clazz.getDeclaredConstructor().newInstance();
        } catch (final Exception e) {
            val msg = "Falling back to a no-op password encoder as CAS has failed to create " + "an instance of the custom password encoder class " + type;
            LoggingUtils.error(LOGGER, msg, e);
            return NoOpPasswordEncoder.getInstance();
        }
    }
    val encoderType = PasswordEncoderProperties.PasswordEncoderTypes.valueOf(type);
    switch(encoderType) {
        case DEFAULT:
            LOGGER.debug("Creating default password encoder with encoding alg [{}] and character encoding [{}]", properties.getEncodingAlgorithm(), properties.getCharacterEncoding());
            return new DefaultPasswordEncoder(properties.getEncodingAlgorithm(), properties.getCharacterEncoding());
        case STANDARD:
            LOGGER.debug("Creating standard password encoder with the secret defined in the configuration");
            return new StandardPasswordEncoder(properties.getSecret());
        case BCRYPT:
            LOGGER.debug("Creating BCRYPT password encoder given the strength [{}] and secret in the configuration", properties.getStrength());
            if (StringUtils.isBlank(properties.getSecret())) {
                LOGGER.debug("Creating BCRYPT encoder without secret");
                return new BCryptPasswordEncoder(properties.getStrength());
            }
            LOGGER.debug("Creating BCRYPT encoder with secret");
            return new BCryptPasswordEncoder(properties.getStrength(), RandomUtils.getNativeInstance());
        case SCRYPT:
            LOGGER.debug("Creating SCRYPT encoder");
            return new SCryptPasswordEncoder();
        case SSHA:
            LOGGER.warn("Creating SSHA encoder; digest based password encoding is not considered secure. " + "This strategy is here to support legacy implementations and using it is considered insecure.");
            return new LdapShaPasswordEncoder();
        case PBKDF2:
            if (StringUtils.isBlank(properties.getSecret())) {
                LOGGER.trace("Creating PBKDF2 encoder without secret");
                return new Pbkdf2PasswordEncoder();
            }
            return new Pbkdf2PasswordEncoder(properties.getSecret(), properties.getStrength(), HASH_WIDTH);
        case GLIBC_CRYPT:
            val hasSecret = StringUtils.isNotBlank(properties.getSecret());
            val msg = String.format("Creating glibc CRYPT encoder with encoding alg [%s], strength [%s] and %ssecret", properties.getEncodingAlgorithm(), properties.getStrength(), BooleanUtils.toString(hasSecret, StringUtils.EMPTY, "without "));
            LOGGER.debug(msg);
            return new GlibcCryptPasswordEncoder(properties.getEncodingAlgorithm(), properties.getStrength(), properties.getSecret());
        case NONE:
        default:
            LOGGER.trace("No password encoder shall be created given the requested encoder type [{}]", type);
            return NoOpPasswordEncoder.getInstance();
    }
}
Also used : lombok.val(lombok.val) StandardPasswordEncoder(org.springframework.security.crypto.password.StandardPasswordEncoder) GlibcCryptPasswordEncoder(org.apereo.cas.util.crypto.GlibcCryptPasswordEncoder) SCryptPasswordEncoder(org.springframework.security.crypto.scrypt.SCryptPasswordEncoder) Pbkdf2PasswordEncoder(org.springframework.security.crypto.password.Pbkdf2PasswordEncoder) UtilityClass(lombok.experimental.UtilityClass) DefaultPasswordEncoder(org.apereo.cas.util.crypto.DefaultPasswordEncoder) LdapShaPasswordEncoder(org.springframework.security.crypto.password.LdapShaPasswordEncoder) BCryptPasswordEncoder(org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder)

Example 4 with Pbkdf2PasswordEncoder

use of org.springframework.security.crypto.password.Pbkdf2PasswordEncoder in project pac4j by pac4j.

the class SpringEncoderBuilder method tryCreatePasswordEncoder.

public void tryCreatePasswordEncoder(final Map<String, org.pac4j.core.credentials.password.PasswordEncoder> encoders) {
    for (int i = 0; i <= MAX_NUM_ENCODERS; i++) {
        final String type = getProperty(SPRING_ENCODER_TYPE, i);
        if (isNotBlank(type)) {
            final PasswordEncoder encoder;
            if (SpringEncoderType.NOOP.toString().equalsIgnoreCase(type)) {
                encoder = NoOpPasswordEncoder.getInstance();
            } else if (SpringEncoderType.BCRYPT.toString().equalsIgnoreCase(type)) {
                if (containsProperty(SPRING_ENCODER_BCRYPT_LENGTH, i)) {
                    encoder = new BCryptPasswordEncoder(getPropertyAsInteger(SPRING_ENCODER_BCRYPT_LENGTH, i));
                } else {
                    encoder = new BCryptPasswordEncoder();
                }
            } else if (SpringEncoderType.PBKDF2.toString().equalsIgnoreCase(type)) {
                if (containsProperty(SPRING_ENCODER_PBKDF2_SECRET, i)) {
                    final String secret = getProperty(SPRING_ENCODER_PBKDF2_SECRET, i);
                    if (containsProperty(SPRING_ENCODER_PBKDF2_ITERATIONS, i) && containsProperty(SPRING_ENCODER_PBKDF2_HASH_WIDTH, i)) {
                        encoder = new Pbkdf2PasswordEncoder(secret, getPropertyAsInteger(SPRING_ENCODER_PBKDF2_ITERATIONS, i), getPropertyAsInteger(SPRING_ENCODER_PBKDF2_HASH_WIDTH, i));
                    } else {
                        encoder = new Pbkdf2PasswordEncoder(secret);
                    }
                } else {
                    encoder = new Pbkdf2PasswordEncoder();
                }
            } else if (SpringEncoderType.SCRYPT.toString().equalsIgnoreCase(type)) {
                if (containsProperty(SPRING_ENCODER_SCRYPT_CPU_COST, i) && containsProperty(SPRING_ENCODER_SCRYPT_MEMORY_COST, i) && containsProperty(SPRING_ENCODER_SCRYPT_PARALLELIZATION, i) && containsProperty(SPRING_ENCODER_SCRYPT_KEY_LENGTH, i) && containsProperty(SPRING_ENCODER_SCRYPT_SALT_LENGTH, i)) {
                    encoder = new SCryptPasswordEncoder(getPropertyAsInteger(SPRING_ENCODER_SCRYPT_CPU_COST, i), getPropertyAsInteger(SPRING_ENCODER_SCRYPT_MEMORY_COST, i), getPropertyAsInteger(SPRING_ENCODER_SCRYPT_PARALLELIZATION, i), getPropertyAsInteger(SPRING_ENCODER_SCRYPT_KEY_LENGTH, i), getPropertyAsInteger(SPRING_ENCODER_SCRYPT_SALT_LENGTH, i));
                } else {
                    encoder = new SCryptPasswordEncoder();
                }
            } else if (SpringEncoderType.STANDARD.toString().equalsIgnoreCase(type)) {
                if (containsProperty(SPRING_ENCODER_STANDARD_SECRET, i)) {
                    encoder = new StandardPasswordEncoder(getProperty(SPRING_ENCODER_STANDARD_SECRET, i));
                } else {
                    encoder = new StandardPasswordEncoder();
                }
            } else {
                throw new TechnicalException("Unsupported spring encoder type: " + type);
            }
            encoders.put(concat(SPRING_ENCODER, i), new SpringSecurityPasswordEncoder(encoder));
        }
    }
}
Also used : StandardPasswordEncoder(org.springframework.security.crypto.password.StandardPasswordEncoder) TechnicalException(org.pac4j.core.exception.TechnicalException) BCryptPasswordEncoder(org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder) PasswordEncoder(org.springframework.security.crypto.password.PasswordEncoder) Pbkdf2PasswordEncoder(org.springframework.security.crypto.password.Pbkdf2PasswordEncoder) SpringSecurityPasswordEncoder(org.pac4j.core.credentials.password.SpringSecurityPasswordEncoder) NoOpPasswordEncoder(org.springframework.security.crypto.password.NoOpPasswordEncoder) StandardPasswordEncoder(org.springframework.security.crypto.password.StandardPasswordEncoder) SCryptPasswordEncoder(org.springframework.security.crypto.scrypt.SCryptPasswordEncoder) SCryptPasswordEncoder(org.springframework.security.crypto.scrypt.SCryptPasswordEncoder) SpringSecurityPasswordEncoder(org.pac4j.core.credentials.password.SpringSecurityPasswordEncoder) Pbkdf2PasswordEncoder(org.springframework.security.crypto.password.Pbkdf2PasswordEncoder) BCryptPasswordEncoder(org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder)

Example 5 with Pbkdf2PasswordEncoder

use of org.springframework.security.crypto.password.Pbkdf2PasswordEncoder in project spring-boot by spring-projects.

the class EncodePasswordCommandTests method encodeWithPbkdf2ShouldUsePbkdf2.

@Test
void encodeWithPbkdf2ShouldUsePbkdf2() throws Exception {
    EncodePasswordCommand command = new EncodePasswordCommand();
    ExitStatus status = command.run("-a", "pbkdf2", "boot");
    then(this.log).should().info(this.message.capture());
    assertThat(this.message.getValue()).doesNotStartWith("{");
    assertThat(new Pbkdf2PasswordEncoder().matches("boot", this.message.getValue())).isTrue();
    assertThat(status).isEqualTo(ExitStatus.OK);
}
Also used : ExitStatus(org.springframework.boot.cli.command.status.ExitStatus) Pbkdf2PasswordEncoder(org.springframework.security.crypto.password.Pbkdf2PasswordEncoder) Test(org.junit.jupiter.api.Test)

Aggregations

Pbkdf2PasswordEncoder (org.springframework.security.crypto.password.Pbkdf2PasswordEncoder)5 BCryptPasswordEncoder (org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder)4 SCryptPasswordEncoder (org.springframework.security.crypto.scrypt.SCryptPasswordEncoder)4 PasswordEncoder (org.springframework.security.crypto.password.PasswordEncoder)3 StandardPasswordEncoder (org.springframework.security.crypto.password.StandardPasswordEncoder)3 DefaultPasswordEncoder (org.apereo.cas.util.crypto.DefaultPasswordEncoder)2 NoOpPasswordEncoder (org.springframework.security.crypto.password.NoOpPasswordEncoder)2 SecureRandom (java.security.SecureRandom)1 HashMap (java.util.HashMap)1 UtilityClass (lombok.experimental.UtilityClass)1 lombok.val (lombok.val)1 PasswordEncoderProperties (org.apereo.cas.configuration.model.core.authentication.PasswordEncoderProperties)1 GlibcCryptPasswordEncoder (org.apereo.cas.util.crypto.GlibcCryptPasswordEncoder)1 Test (org.junit.jupiter.api.Test)1 SpringSecurityPasswordEncoder (org.pac4j.core.credentials.password.SpringSecurityPasswordEncoder)1 TechnicalException (org.pac4j.core.exception.TechnicalException)1 BeanCreationException (org.springframework.beans.factory.BeanCreationException)1 ExitStatus (org.springframework.boot.cli.command.status.ExitStatus)1 Argon2PasswordEncoder (org.springframework.security.crypto.argon2.Argon2PasswordEncoder)1 DelegatingPasswordEncoder (org.springframework.security.crypto.password.DelegatingPasswordEncoder)1