org.springframework.security.crypto.argon2.Argon2PasswordEncoder
- All Implemented Interfaces:
PasswordEncoder
public class Argon2PasswordEncoderextends Objectimplements PasswordEncoder
Implementation of PasswordEncoder that uses the Argon2 hashing function. Clients can optionally supply the length of the salt to use, the length of the generated hash, a cpu cost parameter, a memory cost parameter and a parallelization parameter.
Note:
The currently implementation uses Bouncy castle which does not exploit parallelism/optimizations that password crackers will, so there is an unnecessary asymmetry between attacker and defender.
- Since:
- 5.3
Constructor Summary
Constructors
Constructor
Description
Argon2PasswordEncoder(intsaltLength, inthashLength, intparallelism, intmemory, intiterations) Constructs an Argon2 password encoder with the provided parameters.
Method Summary
Modifier and Type
Method
Description
static Argon2PasswordEncoderdefaultsForSpringSecurity_v5_2()Deprecated.
Use defaultsForSpringSecurity_v5_8() instead
static Argon2PasswordEncoderdefaultsForSpringSecurity_v5_8()Constructs an Argon2 password encoder with a salt length of 16 bytes, a hash length of 32 bytes, parallelism of 1, memory cost of 1 << 14 and 2 iterations.
encode(CharSequencerawPassword) Encode the raw password.
booleanmatches(CharSequencerawPassword, StringencodedPassword) Verify the encoded password obtained from storage matches the submitted raw password after it too is encoded.
booleanupgradeEncoding(StringencodedPassword) Returns true if the encoded password should be encoded again for better security, else false.
Constructor Details
Argon2PasswordEncoder
publicArgon2PasswordEncoder
(intsaltLength, inthashLength, intparallelism, intmemory, intiterations) Constructs an Argon2 password encoder with the provided parameters.
- Parameters:
saltLength- the salt length (in bytes)hashLength- the hash length (in bytes)parallelism- the parallelismmemory- the memory costiterations- the number of iterations
Method Details
defaultsForSpringSecurity_v5_2
@Deprecatedpublic staticArgon2PasswordEncoderdefaultsForSpringSecurity_v5_2()
Deprecated.
Use defaultsForSpringSecurity_v5_8() instead
Constructs an Argon2 password encoder with a salt length of 16 bytes, a hash length of 32 bytes, parallelism of 1, memory cost of 1 << 12 and 3 iterations.
- Returns:
- the
Argon2PasswordEncoder - Since:
- 5.8
defaultsForSpringSecurity_v5_8
public staticArgon2PasswordEncoderdefaultsForSpringSecurity_v5_8()
Constructs an Argon2 password encoder with a salt length of 16 bytes, a hash length of 32 bytes, parallelism of 1, memory cost of 1 << 14 and 2 iterations.
- Returns:
- the
Argon2PasswordEncoder - Since:
- 5.8
encode
publicStringencode
(CharSequencerawPassword) Description copied from interface:
PasswordEncoderEncode the raw password. Generally, a good encoding algorithm applies a SHA-1 or greater hash combined with an 8-byte or greater randomly generated salt.
- Specified by:
encodein interfacePasswordEncoder
matches
publicbooleanmatches
(CharSequencerawPassword, StringencodedPassword) Description copied from interface:
PasswordEncoderVerify the encoded password obtained from storage matches the submitted raw password after it too is encoded. Returns true if the passwords match, false if they do not. The stored password itself is never decoded.
- Specified by:
matchesin interfacePasswordEncoder- Parameters:
rawPassword- the raw password to encode and matchencodedPassword- the encoded password from storage to compare with- Returns:
- true if the raw password, after encoding, matches the encoded password from storage
upgradeEncoding
publicbooleanupgradeEncoding
(StringencodedPassword) Description copied from interface:
PasswordEncoderReturns true if the encoded password should be encoded again for better security, else false. The default implementation always returns false.
- Specified by:
upgradeEncodingin interfacePasswordEncoder- Parameters:
encodedPassword- the encoded password to check- Returns:
- true if the encoded password should be encoded again for better security, else false.
