use of org.springframework.security.crypto.password.Pbkdf2PasswordEncoder in project cas by apereo.
the class Beans method newPasswordEncoder.
/**
* New password encoder password encoder.
*
* @param properties the properties
* @return the password encoder
*/
public static PasswordEncoder newPasswordEncoder(final PasswordEncoderProperties properties) {
final String type = properties.getType();
if (StringUtils.isBlank(type)) {
LOGGER.debug("No password encoder type is defined, and so none shall be created");
return NoOpPasswordEncoder.getInstance();
}
if (type.contains(".")) {
try {
LOGGER.debug("Configuration indicates use of a custom password encoder [{}]", type);
final Class<PasswordEncoder> clazz = (Class<PasswordEncoder>) Class.forName(type);
return clazz.newInstance();
} catch (final Exception e) {
LOGGER.error("Falling back to a no-op password encoder as CAS has failed to create " + "an instance of the custom password encoder class " + type, e);
return NoOpPasswordEncoder.getInstance();
}
}
final PasswordEncoderProperties.PasswordEncoderTypes encoderType = PasswordEncoderProperties.PasswordEncoderTypes.valueOf(type);
switch(encoderType) {
case DEFAULT:
LOGGER.debug("Creating default password encoder with encoding alg [{}] and character encoding [{}]", properties.getEncodingAlgorithm(), properties.getCharacterEncoding());
return new DefaultPasswordEncoder(properties.getEncodingAlgorithm(), properties.getCharacterEncoding());
case STANDARD:
LOGGER.debug("Creating standard password encoder with the secret defined in the configuration");
return new StandardPasswordEncoder(properties.getSecret());
case BCRYPT:
LOGGER.debug("Creating BCRYPT password encoder given the strength [{}] and secret in the configuration", properties.getStrength());
if (StringUtils.isBlank(properties.getSecret())) {
LOGGER.debug("Creating BCRYPT encoder without secret");
return new BCryptPasswordEncoder(properties.getStrength());
}
LOGGER.debug("Creating BCRYPT encoder with secret");
return new BCryptPasswordEncoder(properties.getStrength(), new SecureRandom(properties.getSecret().getBytes(StandardCharsets.UTF_8)));
case SCRYPT:
LOGGER.debug("Creating SCRYPT encoder");
return new SCryptPasswordEncoder();
case PBKDF2:
if (StringUtils.isBlank(properties.getSecret())) {
LOGGER.debug("Creating PBKDF2 encoder without secret");
return new Pbkdf2PasswordEncoder();
}
final int hashWidth = 256;
return new Pbkdf2PasswordEncoder(properties.getSecret(), properties.getStrength(), hashWidth);
case NONE:
default:
LOGGER.debug("No password encoder shall be created given the requested encoder type [{}]", type);
return NoOpPasswordEncoder.getInstance();
}
}
use of org.springframework.security.crypto.password.Pbkdf2PasswordEncoder in project spring-security by spring-projects.
the class PasswordEncoderFactories method createDelegatingPasswordEncoder.
/**
* Creates a {@link DelegatingPasswordEncoder} with default mappings. Additional
* mappings may be added and the encoding will be updated to conform with best
* practices. However, due to the nature of {@link DelegatingPasswordEncoder} the
* updates should not impact users. The mappings current are:
*
* <ul>
* <li>bcrypt - {@link BCryptPasswordEncoder} (Also used for encoding)</li>
* <li>ldap -
* {@link org.springframework.security.crypto.password.LdapShaPasswordEncoder}</li>
* <li>MD4 -
* {@link org.springframework.security.crypto.password.Md4PasswordEncoder}</li>
* <li>MD5 - {@code new MessageDigestPasswordEncoder("MD5")}</li>
* <li>noop -
* {@link org.springframework.security.crypto.password.NoOpPasswordEncoder}</li>
* <li>pbkdf2 - {@link Pbkdf2PasswordEncoder}</li>
* <li>scrypt - {@link SCryptPasswordEncoder}</li>
* <li>SHA-1 - {@code new MessageDigestPasswordEncoder("SHA-1")}</li>
* <li>SHA-256 - {@code new MessageDigestPasswordEncoder("SHA-256")}</li>
* <li>sha256 -
* {@link org.springframework.security.crypto.password.StandardPasswordEncoder}</li>
* <li>argon2 - {@link Argon2PasswordEncoder}</li>
* </ul>
* @return the {@link PasswordEncoder} to use
*/
@SuppressWarnings("deprecation")
public static PasswordEncoder createDelegatingPasswordEncoder() {
String encodingId = "bcrypt";
Map<String, PasswordEncoder> encoders = new HashMap<>();
encoders.put(encodingId, new BCryptPasswordEncoder());
encoders.put("ldap", new org.springframework.security.crypto.password.LdapShaPasswordEncoder());
encoders.put("MD4", new org.springframework.security.crypto.password.Md4PasswordEncoder());
encoders.put("MD5", new org.springframework.security.crypto.password.MessageDigestPasswordEncoder("MD5"));
encoders.put("noop", org.springframework.security.crypto.password.NoOpPasswordEncoder.getInstance());
encoders.put("pbkdf2", new Pbkdf2PasswordEncoder());
encoders.put("scrypt", new SCryptPasswordEncoder());
encoders.put("SHA-1", new org.springframework.security.crypto.password.MessageDigestPasswordEncoder("SHA-1"));
encoders.put("SHA-256", new org.springframework.security.crypto.password.MessageDigestPasswordEncoder("SHA-256"));
encoders.put("sha256", new org.springframework.security.crypto.password.StandardPasswordEncoder());
encoders.put("argon2", new Argon2PasswordEncoder());
return new DelegatingPasswordEncoder(encodingId, encoders);
}
use of org.springframework.security.crypto.password.Pbkdf2PasswordEncoder in project cas by apereo.
the class PasswordEncoderUtils method newPasswordEncoder.
/**
* New password encoder password encoder.
*
* @param properties the properties
* @param applicationContext the application context
* @return the password encoder
*/
@SuppressWarnings("java:S5344")
public static PasswordEncoder newPasswordEncoder(final PasswordEncoderProperties properties, final ApplicationContext applicationContext) {
val type = properties.getType();
if (StringUtils.isBlank(type)) {
LOGGER.trace("No password encoder type is defined, and so none shall be created");
return NoOpPasswordEncoder.getInstance();
}
if (type.endsWith(".groovy")) {
LOGGER.trace("Creating Groovy-based password encoder at [{}]", type);
val resource = applicationContext.getResource(type);
return new GroovyPasswordEncoder(resource, applicationContext);
}
if (type.contains(".")) {
try {
LOGGER.debug("Configuration indicates use of a custom password encoder [{}]", type);
val clazz = (Class<PasswordEncoder>) Class.forName(type);
return clazz.getDeclaredConstructor().newInstance();
} catch (final Exception e) {
val msg = "Falling back to a no-op password encoder as CAS has failed to create " + "an instance of the custom password encoder class " + type;
LoggingUtils.error(LOGGER, msg, e);
return NoOpPasswordEncoder.getInstance();
}
}
val encoderType = PasswordEncoderProperties.PasswordEncoderTypes.valueOf(type);
switch(encoderType) {
case DEFAULT:
LOGGER.debug("Creating default password encoder with encoding alg [{}] and character encoding [{}]", properties.getEncodingAlgorithm(), properties.getCharacterEncoding());
return new DefaultPasswordEncoder(properties.getEncodingAlgorithm(), properties.getCharacterEncoding());
case STANDARD:
LOGGER.debug("Creating standard password encoder with the secret defined in the configuration");
return new StandardPasswordEncoder(properties.getSecret());
case BCRYPT:
LOGGER.debug("Creating BCRYPT password encoder given the strength [{}] and secret in the configuration", properties.getStrength());
if (StringUtils.isBlank(properties.getSecret())) {
LOGGER.debug("Creating BCRYPT encoder without secret");
return new BCryptPasswordEncoder(properties.getStrength());
}
LOGGER.debug("Creating BCRYPT encoder with secret");
return new BCryptPasswordEncoder(properties.getStrength(), RandomUtils.getNativeInstance());
case SCRYPT:
LOGGER.debug("Creating SCRYPT encoder");
return new SCryptPasswordEncoder();
case SSHA:
LOGGER.warn("Creating SSHA encoder; digest based password encoding is not considered secure. " + "This strategy is here to support legacy implementations and using it is considered insecure.");
return new LdapShaPasswordEncoder();
case PBKDF2:
if (StringUtils.isBlank(properties.getSecret())) {
LOGGER.trace("Creating PBKDF2 encoder without secret");
return new Pbkdf2PasswordEncoder();
}
return new Pbkdf2PasswordEncoder(properties.getSecret(), properties.getStrength(), HASH_WIDTH);
case GLIBC_CRYPT:
val hasSecret = StringUtils.isNotBlank(properties.getSecret());
val msg = String.format("Creating glibc CRYPT encoder with encoding alg [%s], strength [%s] and %ssecret", properties.getEncodingAlgorithm(), properties.getStrength(), BooleanUtils.toString(hasSecret, StringUtils.EMPTY, "without "));
LOGGER.debug(msg);
return new GlibcCryptPasswordEncoder(properties.getEncodingAlgorithm(), properties.getStrength(), properties.getSecret());
case NONE:
default:
LOGGER.trace("No password encoder shall be created given the requested encoder type [{}]", type);
return NoOpPasswordEncoder.getInstance();
}
}
use of org.springframework.security.crypto.password.Pbkdf2PasswordEncoder in project pac4j by pac4j.
the class SpringEncoderBuilder method tryCreatePasswordEncoder.
public void tryCreatePasswordEncoder(final Map<String, org.pac4j.core.credentials.password.PasswordEncoder> encoders) {
for (int i = 0; i <= MAX_NUM_ENCODERS; i++) {
final String type = getProperty(SPRING_ENCODER_TYPE, i);
if (isNotBlank(type)) {
final PasswordEncoder encoder;
if (SpringEncoderType.NOOP.toString().equalsIgnoreCase(type)) {
encoder = NoOpPasswordEncoder.getInstance();
} else if (SpringEncoderType.BCRYPT.toString().equalsIgnoreCase(type)) {
if (containsProperty(SPRING_ENCODER_BCRYPT_LENGTH, i)) {
encoder = new BCryptPasswordEncoder(getPropertyAsInteger(SPRING_ENCODER_BCRYPT_LENGTH, i));
} else {
encoder = new BCryptPasswordEncoder();
}
} else if (SpringEncoderType.PBKDF2.toString().equalsIgnoreCase(type)) {
if (containsProperty(SPRING_ENCODER_PBKDF2_SECRET, i)) {
final String secret = getProperty(SPRING_ENCODER_PBKDF2_SECRET, i);
if (containsProperty(SPRING_ENCODER_PBKDF2_ITERATIONS, i) && containsProperty(SPRING_ENCODER_PBKDF2_HASH_WIDTH, i)) {
encoder = new Pbkdf2PasswordEncoder(secret, getPropertyAsInteger(SPRING_ENCODER_PBKDF2_ITERATIONS, i), getPropertyAsInteger(SPRING_ENCODER_PBKDF2_HASH_WIDTH, i));
} else {
encoder = new Pbkdf2PasswordEncoder(secret);
}
} else {
encoder = new Pbkdf2PasswordEncoder();
}
} else if (SpringEncoderType.SCRYPT.toString().equalsIgnoreCase(type)) {
if (containsProperty(SPRING_ENCODER_SCRYPT_CPU_COST, i) && containsProperty(SPRING_ENCODER_SCRYPT_MEMORY_COST, i) && containsProperty(SPRING_ENCODER_SCRYPT_PARALLELIZATION, i) && containsProperty(SPRING_ENCODER_SCRYPT_KEY_LENGTH, i) && containsProperty(SPRING_ENCODER_SCRYPT_SALT_LENGTH, i)) {
encoder = new SCryptPasswordEncoder(getPropertyAsInteger(SPRING_ENCODER_SCRYPT_CPU_COST, i), getPropertyAsInteger(SPRING_ENCODER_SCRYPT_MEMORY_COST, i), getPropertyAsInteger(SPRING_ENCODER_SCRYPT_PARALLELIZATION, i), getPropertyAsInteger(SPRING_ENCODER_SCRYPT_KEY_LENGTH, i), getPropertyAsInteger(SPRING_ENCODER_SCRYPT_SALT_LENGTH, i));
} else {
encoder = new SCryptPasswordEncoder();
}
} else if (SpringEncoderType.STANDARD.toString().equalsIgnoreCase(type)) {
if (containsProperty(SPRING_ENCODER_STANDARD_SECRET, i)) {
encoder = new StandardPasswordEncoder(getProperty(SPRING_ENCODER_STANDARD_SECRET, i));
} else {
encoder = new StandardPasswordEncoder();
}
} else {
throw new TechnicalException("Unsupported spring encoder type: " + type);
}
encoders.put(concat(SPRING_ENCODER, i), new SpringSecurityPasswordEncoder(encoder));
}
}
}
use of org.springframework.security.crypto.password.Pbkdf2PasswordEncoder in project spring-boot by spring-projects.
the class EncodePasswordCommandTests method encodeWithPbkdf2ShouldUsePbkdf2.
@Test
void encodeWithPbkdf2ShouldUsePbkdf2() throws Exception {
EncodePasswordCommand command = new EncodePasswordCommand();
ExitStatus status = command.run("-a", "pbkdf2", "boot");
then(this.log).should().info(this.message.capture());
assertThat(this.message.getValue()).doesNotStartWith("{");
assertThat(new Pbkdf2PasswordEncoder().matches("boot", this.message.getValue())).isTrue();
assertThat(status).isEqualTo(ExitStatus.OK);
}
Aggregations