Example 1 with Pbkdf2PasswordEncoder
use of org.springframework.security.crypto.password.Pbkdf2PasswordEncoder in project cas by apereo.
the class Beans method newPasswordEncoder.
/**
* New password encoder password encoder.
*
* @param properties the properties
* @return the password encoder
*/
public static PasswordEncoder newPasswordEncoder(final PasswordEncoderProperties properties) {
final String type = properties.getType();
if (StringUtils.isBlank(type)) {
LOGGER.debug("No password encoder type is defined, and so none shall be created");
return NoOpPasswordEncoder.getInstance();
}
if (type.contains(".")) {
try {
LOGGER.debug("Configuration indicates use of a custom password encoder [{}]", type);
final Class<PasswordEncoder> clazz = (Class<PasswordEncoder>) Class.forName(type);
return clazz.newInstance();
} catch (final Exception e) {
LOGGER.error("Falling back to a no-op password encoder as CAS has failed to create " + "an instance of the custom password encoder class " + type, e);
return NoOpPasswordEncoder.getInstance();
}
}
final PasswordEncoderProperties.PasswordEncoderTypes encoderType = PasswordEncoderProperties.PasswordEncoderTypes.valueOf(type);
switch(encoderType) {
case DEFAULT:
LOGGER.debug("Creating default password encoder with encoding alg [{}] and character encoding [{}]", properties.getEncodingAlgorithm(), properties.getCharacterEncoding());
return new DefaultPasswordEncoder(properties.getEncodingAlgorithm(), properties.getCharacterEncoding());
case STANDARD:
LOGGER.debug("Creating standard password encoder with the secret defined in the configuration");
return new StandardPasswordEncoder(properties.getSecret());
case BCRYPT:
LOGGER.debug("Creating BCRYPT password encoder given the strength [{}] and secret in the configuration", properties.getStrength());
if (StringUtils.isBlank(properties.getSecret())) {
LOGGER.debug("Creating BCRYPT encoder without secret");
return new BCryptPasswordEncoder(properties.getStrength());
}
LOGGER.debug("Creating BCRYPT encoder with secret");
return new BCryptPasswordEncoder(properties.getStrength(), new SecureRandom(properties.getSecret().getBytes(StandardCharsets.UTF_8)));
case SCRYPT:
LOGGER.debug("Creating SCRYPT encoder");
return new SCryptPasswordEncoder();
case PBKDF2:
if (StringUtils.isBlank(properties.getSecret())) {
LOGGER.debug("Creating PBKDF2 encoder without secret");
return new Pbkdf2PasswordEncoder();
}
final int hashWidth = 256;
return new Pbkdf2PasswordEncoder(properties.getSecret(), properties.getStrength(), hashWidth);
case NONE:
default:
LOGGER.debug("No password encoder shall be created given the requested encoder type [{}]", type);
return NoOpPasswordEncoder.getInstance();
}
}
Also used :
StandardPasswordEncoder(org.springframework.security.crypto.password.StandardPasswordEncoder)
DefaultPasswordEncoder(org.apereo.cas.util.crypto.DefaultPasswordEncoder)
BCryptPasswordEncoder(org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder)
StandardPasswordEncoder(org.springframework.security.crypto.password.StandardPasswordEncoder)
Pbkdf2PasswordEncoder(org.springframework.security.crypto.password.Pbkdf2PasswordEncoder)
NoOpPasswordEncoder(org.springframework.security.crypto.password.NoOpPasswordEncoder)
SCryptPasswordEncoder(org.springframework.security.crypto.scrypt.SCryptPasswordEncoder)
PasswordEncoder(org.springframework.security.crypto.password.PasswordEncoder)
SecureRandom(java.security.SecureRandom)
Pbkdf2PasswordEncoder(org.springframework.security.crypto.password.Pbkdf2PasswordEncoder)
BeanCreationException(org.springframework.beans.factory.BeanCreationException)
SCryptPasswordEncoder(org.springframework.security.crypto.scrypt.SCryptPasswordEncoder)
PasswordEncoderProperties(org.apereo.cas.configuration.model.core.authentication.PasswordEncoderProperties)
DefaultPasswordEncoder(org.apereo.cas.util.crypto.DefaultPasswordEncoder)
BCryptPasswordEncoder(org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder)
Example 2 with Pbkdf2PasswordEncoder
use of org.springframework.security.crypto.password.Pbkdf2PasswordEncoder in project spring-security by spring-projects.
the class PasswordEncoderFactories method createDelegatingPasswordEncoder.
/**
* Creates a {@link DelegatingPasswordEncoder} with default mappings. Additional
* mappings may be added and the encoding will be updated to conform with best
* practices. However, due to the nature of {@link DelegatingPasswordEncoder} the
* updates should not impact users. The mappings current are:
*
* <ul>
* <li>bcrypt - {@link BCryptPasswordEncoder} (Also used for encoding)</li>
* <li>ldap -
* {@link org.springframework.security.crypto.password.LdapShaPasswordEncoder}</li>
* <li>MD4 -
* {@link org.springframework.security.crypto.password.Md4PasswordEncoder}</li>
* <li>MD5 - {@code new MessageDigestPasswordEncoder("MD5")}</li>
* <li>noop -
* {@link org.springframework.security.crypto.password.NoOpPasswordEncoder}</li>
* <li>pbkdf2 - {@link Pbkdf2PasswordEncoder}</li>
* <li>scrypt - {@link SCryptPasswordEncoder}</li>
* <li>SHA-1 - {@code new MessageDigestPasswordEncoder("SHA-1")}</li>
* <li>SHA-256 - {@code new MessageDigestPasswordEncoder("SHA-256")}</li>
* <li>sha256 -
* {@link org.springframework.security.crypto.password.StandardPasswordEncoder}</li>
* <li>argon2 - {@link Argon2PasswordEncoder}</li>
* </ul>
* @return the {@link PasswordEncoder} to use
*/
@SuppressWarnings("deprecation")
public static PasswordEncoder createDelegatingPasswordEncoder() {
String encodingId = "bcrypt";
Map<String, PasswordEncoder> encoders = new HashMap<>();
encoders.put(encodingId, new BCryptPasswordEncoder());
encoders.put("ldap", new org.springframework.security.crypto.password.LdapShaPasswordEncoder());
encoders.put("MD4", new org.springframework.security.crypto.password.Md4PasswordEncoder());
encoders.put("MD5", new org.springframework.security.crypto.password.MessageDigestPasswordEncoder("MD5"));
encoders.put("noop", org.springframework.security.crypto.password.NoOpPasswordEncoder.getInstance());
encoders.put("pbkdf2", new Pbkdf2PasswordEncoder());
encoders.put("scrypt", new SCryptPasswordEncoder());
encoders.put("SHA-1", new org.springframework.security.crypto.password.MessageDigestPasswordEncoder("SHA-1"));
encoders.put("SHA-256", new org.springframework.security.crypto.password.MessageDigestPasswordEncoder("SHA-256"));
encoders.put("sha256", new org.springframework.security.crypto.password.StandardPasswordEncoder());
encoders.put("argon2", new Argon2PasswordEncoder());
return new DelegatingPasswordEncoder(encodingId, encoders);
}
Also used :
BCryptPasswordEncoder(org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder)
PasswordEncoder(org.springframework.security.crypto.password.PasswordEncoder)
Pbkdf2PasswordEncoder(org.springframework.security.crypto.password.Pbkdf2PasswordEncoder)
Argon2PasswordEncoder(org.springframework.security.crypto.argon2.Argon2PasswordEncoder)
DelegatingPasswordEncoder(org.springframework.security.crypto.password.DelegatingPasswordEncoder)
SCryptPasswordEncoder(org.springframework.security.crypto.scrypt.SCryptPasswordEncoder)
HashMap(java.util.HashMap)
DelegatingPasswordEncoder(org.springframework.security.crypto.password.DelegatingPasswordEncoder)
Pbkdf2PasswordEncoder(org.springframework.security.crypto.password.Pbkdf2PasswordEncoder)
Argon2PasswordEncoder(org.springframework.security.crypto.argon2.Argon2PasswordEncoder)
SCryptPasswordEncoder(org.springframework.security.crypto.scrypt.SCryptPasswordEncoder)
BCryptPasswordEncoder(org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder)
Example 3 with Pbkdf2PasswordEncoder
use of org.springframework.security.crypto.password.Pbkdf2PasswordEncoder in project cas by apereo.
the class PasswordEncoderUtils method newPasswordEncoder.
/**
* New password encoder password encoder.
*
* @param properties the properties
* @param applicationContext the application context
* @return the password encoder
*/
@SuppressWarnings("java:S5344")
public static PasswordEncoder newPasswordEncoder(final PasswordEncoderProperties properties, final ApplicationContext applicationContext) {
val type = properties.getType();
if (StringUtils.isBlank(type)) {
LOGGER.trace("No password encoder type is defined, and so none shall be created");
return NoOpPasswordEncoder.getInstance();
}
if (type.endsWith(".groovy")) {
LOGGER.trace("Creating Groovy-based password encoder at [{}]", type);
val resource = applicationContext.getResource(type);
return new GroovyPasswordEncoder(resource, applicationContext);
}
if (type.contains(".")) {
try {
LOGGER.debug("Configuration indicates use of a custom password encoder [{}]", type);
val clazz = (Class<PasswordEncoder>) Class.forName(type);
return clazz.getDeclaredConstructor().newInstance();
} catch (final Exception e) {
val msg = "Falling back to a no-op password encoder as CAS has failed to create " + "an instance of the custom password encoder class " + type;
LoggingUtils.error(LOGGER, msg, e);
return NoOpPasswordEncoder.getInstance();
}
}
val encoderType = PasswordEncoderProperties.PasswordEncoderTypes.valueOf(type);
switch(encoderType) {
case DEFAULT:
LOGGER.debug("Creating default password encoder with encoding alg [{}] and character encoding [{}]", properties.getEncodingAlgorithm(), properties.getCharacterEncoding());
return new DefaultPasswordEncoder(properties.getEncodingAlgorithm(), properties.getCharacterEncoding());
case STANDARD:
LOGGER.debug("Creating standard password encoder with the secret defined in the configuration");
return new StandardPasswordEncoder(properties.getSecret());
case BCRYPT:
LOGGER.debug("Creating BCRYPT password encoder given the strength [{}] and secret in the configuration", properties.getStrength());
if (StringUtils.isBlank(properties.getSecret())) {
LOGGER.debug("Creating BCRYPT encoder without secret");
return new BCryptPasswordEncoder(properties.getStrength());
}
LOGGER.debug("Creating BCRYPT encoder with secret");
return new BCryptPasswordEncoder(properties.getStrength(), RandomUtils.getNativeInstance());
case SCRYPT:
LOGGER.debug("Creating SCRYPT encoder");
return new SCryptPasswordEncoder();
case SSHA:
LOGGER.warn("Creating SSHA encoder; digest based password encoding is not considered secure. " + "This strategy is here to support legacy implementations and using it is considered insecure.");
return new LdapShaPasswordEncoder();
case PBKDF2:
if (StringUtils.isBlank(properties.getSecret())) {
LOGGER.trace("Creating PBKDF2 encoder without secret");
return new Pbkdf2PasswordEncoder();
}
return new Pbkdf2PasswordEncoder(properties.getSecret(), properties.getStrength(), HASH_WIDTH);
case GLIBC_CRYPT:
val hasSecret = StringUtils.isNotBlank(properties.getSecret());
val msg = String.format("Creating glibc CRYPT encoder with encoding alg [%s], strength [%s] and %ssecret", properties.getEncodingAlgorithm(), properties.getStrength(), BooleanUtils.toString(hasSecret, StringUtils.EMPTY, "without "));
LOGGER.debug(msg);
return new GlibcCryptPasswordEncoder(properties.getEncodingAlgorithm(), properties.getStrength(), properties.getSecret());
case NONE:
default:
LOGGER.trace("No password encoder shall be created given the requested encoder type [{}]", type);
return NoOpPasswordEncoder.getInstance();
}
}
Also used :
lombok.val(lombok.val)
StandardPasswordEncoder(org.springframework.security.crypto.password.StandardPasswordEncoder)
GlibcCryptPasswordEncoder(org.apereo.cas.util.crypto.GlibcCryptPasswordEncoder)
SCryptPasswordEncoder(org.springframework.security.crypto.scrypt.SCryptPasswordEncoder)
Pbkdf2PasswordEncoder(org.springframework.security.crypto.password.Pbkdf2PasswordEncoder)
UtilityClass(lombok.experimental.UtilityClass)
DefaultPasswordEncoder(org.apereo.cas.util.crypto.DefaultPasswordEncoder)
LdapShaPasswordEncoder(org.springframework.security.crypto.password.LdapShaPasswordEncoder)
BCryptPasswordEncoder(org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder)
Example 4 with Pbkdf2PasswordEncoder
use of org.springframework.security.crypto.password.Pbkdf2PasswordEncoder in project pac4j by pac4j.
the class SpringEncoderBuilder method tryCreatePasswordEncoder.
public void tryCreatePasswordEncoder(final Map<String, org.pac4j.core.credentials.password.PasswordEncoder> encoders) {
for (int i = 0; i <= MAX_NUM_ENCODERS; i++) {
final String type = getProperty(SPRING_ENCODER_TYPE, i);
if (isNotBlank(type)) {
final PasswordEncoder encoder;
if (SpringEncoderType.NOOP.toString().equalsIgnoreCase(type)) {
encoder = NoOpPasswordEncoder.getInstance();
} else if (SpringEncoderType.BCRYPT.toString().equalsIgnoreCase(type)) {
if (containsProperty(SPRING_ENCODER_BCRYPT_LENGTH, i)) {
encoder = new BCryptPasswordEncoder(getPropertyAsInteger(SPRING_ENCODER_BCRYPT_LENGTH, i));
} else {
encoder = new BCryptPasswordEncoder();
}
} else if (SpringEncoderType.PBKDF2.toString().equalsIgnoreCase(type)) {
if (containsProperty(SPRING_ENCODER_PBKDF2_SECRET, i)) {
final String secret = getProperty(SPRING_ENCODER_PBKDF2_SECRET, i);
if (containsProperty(SPRING_ENCODER_PBKDF2_ITERATIONS, i) && containsProperty(SPRING_ENCODER_PBKDF2_HASH_WIDTH, i)) {
encoder = new Pbkdf2PasswordEncoder(secret, getPropertyAsInteger(SPRING_ENCODER_PBKDF2_ITERATIONS, i), getPropertyAsInteger(SPRING_ENCODER_PBKDF2_HASH_WIDTH, i));
} else {
encoder = new Pbkdf2PasswordEncoder(secret);
}
} else {
encoder = new Pbkdf2PasswordEncoder();
}
} else if (SpringEncoderType.SCRYPT.toString().equalsIgnoreCase(type)) {
if (containsProperty(SPRING_ENCODER_SCRYPT_CPU_COST, i) && containsProperty(SPRING_ENCODER_SCRYPT_MEMORY_COST, i) && containsProperty(SPRING_ENCODER_SCRYPT_PARALLELIZATION, i) && containsProperty(SPRING_ENCODER_SCRYPT_KEY_LENGTH, i) && containsProperty(SPRING_ENCODER_SCRYPT_SALT_LENGTH, i)) {
encoder = new SCryptPasswordEncoder(getPropertyAsInteger(SPRING_ENCODER_SCRYPT_CPU_COST, i), getPropertyAsInteger(SPRING_ENCODER_SCRYPT_MEMORY_COST, i), getPropertyAsInteger(SPRING_ENCODER_SCRYPT_PARALLELIZATION, i), getPropertyAsInteger(SPRING_ENCODER_SCRYPT_KEY_LENGTH, i), getPropertyAsInteger(SPRING_ENCODER_SCRYPT_SALT_LENGTH, i));
} else {
encoder = new SCryptPasswordEncoder();
}
} else if (SpringEncoderType.STANDARD.toString().equalsIgnoreCase(type)) {
if (containsProperty(SPRING_ENCODER_STANDARD_SECRET, i)) {
encoder = new StandardPasswordEncoder(getProperty(SPRING_ENCODER_STANDARD_SECRET, i));
} else {
encoder = new StandardPasswordEncoder();
}
} else {
throw new TechnicalException("Unsupported spring encoder type: " + type);
}
encoders.put(concat(SPRING_ENCODER, i), new SpringSecurityPasswordEncoder(encoder));
}
}
}
Also used :
StandardPasswordEncoder(org.springframework.security.crypto.password.StandardPasswordEncoder)
TechnicalException(org.pac4j.core.exception.TechnicalException)
BCryptPasswordEncoder(org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder)
PasswordEncoder(org.springframework.security.crypto.password.PasswordEncoder)
Pbkdf2PasswordEncoder(org.springframework.security.crypto.password.Pbkdf2PasswordEncoder)
SpringSecurityPasswordEncoder(org.pac4j.core.credentials.password.SpringSecurityPasswordEncoder)
NoOpPasswordEncoder(org.springframework.security.crypto.password.NoOpPasswordEncoder)
StandardPasswordEncoder(org.springframework.security.crypto.password.StandardPasswordEncoder)
SCryptPasswordEncoder(org.springframework.security.crypto.scrypt.SCryptPasswordEncoder)
SCryptPasswordEncoder(org.springframework.security.crypto.scrypt.SCryptPasswordEncoder)
SpringSecurityPasswordEncoder(org.pac4j.core.credentials.password.SpringSecurityPasswordEncoder)
Pbkdf2PasswordEncoder(org.springframework.security.crypto.password.Pbkdf2PasswordEncoder)
BCryptPasswordEncoder(org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder)
Example 5 with Pbkdf2PasswordEncoder
use of org.springframework.security.crypto.password.Pbkdf2PasswordEncoder in project spring-boot by spring-projects.
the class EncodePasswordCommandTests method encodeWithPbkdf2ShouldUsePbkdf2.
@Test
void encodeWithPbkdf2ShouldUsePbkdf2() throws Exception {
EncodePasswordCommand command = new EncodePasswordCommand();
ExitStatus status = command.run("-a", "pbkdf2", "boot");
then(this.log).should().info(this.message.capture());
assertThat(this.message.getValue()).doesNotStartWith("{");
assertThat(new Pbkdf2PasswordEncoder().matches("boot", this.message.getValue())).isTrue();
assertThat(status).isEqualTo(ExitStatus.OK);
}
Also used :
ExitStatus(org.springframework.boot.cli.command.status.ExitStatus)
Pbkdf2PasswordEncoder(org.springframework.security.crypto.password.Pbkdf2PasswordEncoder)
Test(org.junit.jupiter.api.Test)
Aggregations
Pbkdf2PasswordEncoder (org.springframework.security.crypto.password.Pbkdf2PasswordEncoder)5
BCryptPasswordEncoder (org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder)4
SCryptPasswordEncoder (org.springframework.security.crypto.scrypt.SCryptPasswordEncoder)4
PasswordEncoder (org.springframework.security.crypto.password.PasswordEncoder)3
StandardPasswordEncoder (org.springframework.security.crypto.password.StandardPasswordEncoder)3
DefaultPasswordEncoder (org.apereo.cas.util.crypto.DefaultPasswordEncoder)2
NoOpPasswordEncoder (org.springframework.security.crypto.password.NoOpPasswordEncoder)2
SecureRandom (java.security.SecureRandom)1
HashMap (java.util.HashMap)1
UtilityClass (lombok.experimental.UtilityClass)1
lombok.val (lombok.val)1
PasswordEncoderProperties (org.apereo.cas.configuration.model.core.authentication.PasswordEncoderProperties)1
GlibcCryptPasswordEncoder (org.apereo.cas.util.crypto.GlibcCryptPasswordEncoder)1
Test (org.junit.jupiter.api.Test)1
SpringSecurityPasswordEncoder (org.pac4j.core.credentials.password.SpringSecurityPasswordEncoder)1
TechnicalException (org.pac4j.core.exception.TechnicalException)1
BeanCreationException (org.springframework.beans.factory.BeanCreationException)1
ExitStatus (org.springframework.boot.cli.command.status.ExitStatus)1
Argon2PasswordEncoder (org.springframework.security.crypto.argon2.Argon2PasswordEncoder)1
DelegatingPasswordEncoder (org.springframework.security.crypto.password.DelegatingPasswordEncoder)1
