spring security - How to use SHA-512 with o.s.s.crypto.password.StandardPasswordEncoder?
I need to use SHA-512 in my code to hash passwords. Right now I use o.s.s.authentication.encoding.PasswordEncoder, which I initialize as ShaPasswordEncoder(512).

In addition, o.s.s.authentication.encoding.PasswordEncoder supports the method String encodePassword(String rawPass, Object salt), which allows storing the salt separately from the password.

Unfortunately, o.s.s.authentication.encoding.PasswordEncoder is deprecated.

Also, o.s.s.crypto.password.StandardPasswordEncoder only supports SHA-256. In addition, it is a final class, which does not allow overriding it to support SHA-512.

How can I use SHA-512 with o.s.s.crypto.password.StandardPasswordEncoder? And why is there no public method that allows passing a salt stored externally?
Well, I must admit this is not a coherent part of Spring Security ... DaoAuthenticationProvider.getPasswordEncoder() returns an o.s.s.authentication.encoding.PasswordEncoder, which is deprecated according to the Javadoc!

The trick is that DaoAuthenticationProvider.getPasswordEncoder() takes an Object parameter, and that object may be an o.s.s.authentication.encoding.PasswordEncoder ... but I did not try it!

As per my understanding, o.s.s.crypto.password.StandardPasswordEncoder is an example of medium security, and is fixed to SHA-256. If you want a higher level of security, you can use o.s.s.crypto.password.BCryptPasswordEncoder, which uses the more robust bcrypt algorithm with a configurable level. After viewing the sources, I can confirm that both use a salt and store it internally in the encoded password.

Perhaps the Spring Security team could explain the reasons for their (debatable) choices regarding the impossibility of changing the digest algorithm; I cannot. Maybe it is because, if using SHA is enough, you stick with the (not deprecated) ShaPasswordEncoder. I noted a remark in StandardPasswordEncoder: if you are developing a new system, BCryptPasswordEncoder is a better choice both in terms of security and interoperability with other languages.

So, either follow the advice of the author of StandardPasswordEncoder and use BCryptPasswordEncoder directly, or you have to roll your own.

It would be enough to copy the source of StandardPasswordEncoder, stick to the org.springframework.security.crypto.password package (because there are package-private imports), and modify the 2-argument constructor to be public:

    public ConfigurablePasswordEncoder(String algorithm, CharSequence secret) { ... }

All of this is more a collection of workarounds than a clean solution, but I never found a better way!

As a conclusion, the interface o.s.s.authentication.encoding.PasswordEncoder is deprecated because it stores the salt outside of the encoded password. It should not be used for further development of password encoders. But the implementation classes are not deprecated (neither in the last 3.2 release version, nor in 4.0.0.M2), and you can safely keep on using ShaPasswordEncoder if it meets your requirements.
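As an added example that is not part of the question or the answer above, here is the "roll your own" variant the answer describes, written against only the public o.s.s.crypto.password.PasswordEncoder interface. Instead of copying StandardPasswordEncoder into the crypto.password package to reach its package-private helpers, it reimplements the digest, salt and hex handling with plain java.security calls, so the class can live anywhere. The encoded form is the same shape as StandardPasswordEncoder's (salt stored inside the encoded value, 8-byte salt, 1024 digest iterations, secret mixed in before the password), with the digest name made a constructor argument so "SHA-512" works. The class name ConfigurablePasswordEncoder follows the answer's constructor signature; the pepper value and the sample passwords in main are assumptions for the demonstration. This is editor-written illustration code, not code from the Spring Security project.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;

import org.springframework.security.crypto.password.PasswordEncoder;

/**
 * Password encoder for any JCE digest (e.g. "SHA-512") that keeps the salt
 * inside the encoded value, as StandardPasswordEncoder does for SHA-256.
 * Encoded form: hex(salt || H^1024(salt || secret || password)).
 * Hypothetical class written for this page, not part of Spring Security.
 */
public final class ConfigurablePasswordEncoder implements PasswordEncoder {

    private static final int SALT_BYTES = 8;     // same salt length as StandardPasswordEncoder
    private static final int ITERATIONS = 1024;  // same iteration count as StandardPasswordEncoder

    private final String algorithm;
    private final byte[] secret;                 // site-wide secret ("pepper") mixed into every hash
    private final SecureRandom random = new SecureRandom();

    /** algorithm is a JCE MessageDigest name such as "SHA-512"; secret may be empty. */
    public ConfigurablePasswordEncoder(String algorithm, CharSequence secret) {
        this.algorithm = algorithm;
        this.secret = secret.toString().getBytes(StandardCharsets.UTF_8);
        newDigest(); // fail at construction time, not at first login, if the name is unknown
    }

    @Override
    public String encode(CharSequence rawPassword) {
        byte[] salt = new byte[SALT_BYTES];
        random.nextBytes(salt);                  // fresh random salt per password
        return toHex(concat(salt, digest(rawPassword, salt)));
    }

    @Override
    public boolean matches(CharSequence rawPassword, String encodedPassword) {
        byte[] stored;
        try {
            stored = fromHex(encodedPassword);
        } catch (IllegalArgumentException malformed) {
            return false;                        // corrupt or foreign-format stored value
        }
        if (stored.length <= SALT_BYTES) {
            return false;
        }
        byte[] salt = Arrays.copyOfRange(stored, 0, SALT_BYTES);
        byte[] expected = Arrays.copyOfRange(stored, SALT_BYTES, stored.length);
        // constant-time comparison so timing does not reveal how many leading bytes matched
        return MessageDigest.isEqual(expected, digest(rawPassword, salt));
    }

    private byte[] digest(CharSequence rawPassword, byte[] salt) {
        byte[] value = concat(salt, secret, rawPassword.toString().getBytes(StandardCharsets.UTF_8));
        MessageDigest md = newDigest();
        for (int i = 0; i < ITERATIONS; i++) {
            value = md.digest(value);            // digest() resets the MessageDigest after each call
        }
        return value;
    }

    private MessageDigest newDigest() {
        try {
            return MessageDigest.getInstance(algorithm);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("No such digest algorithm: " + algorithm, e);
        }
    }

    private static byte[] concat(byte[]... parts) {
        int length = 0;
        for (byte[] p : parts) {
            length += p.length;
        }
        byte[] out = new byte[length];
        int pos = 0;
        for (byte[] p : parts) {
            System.arraycopy(p, 0, out, pos, p.length);
            pos += p.length;
        }
        return out;
    }

    private static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    private static byte[] fromHex(String hex) {
        if (hex == null || hex.length() % 2 != 0) {
            throw new IllegalArgumentException("not a hex string");
        }
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            int hi = Character.digit(hex.charAt(2 * i), 16);
            int lo = Character.digit(hex.charAt(2 * i + 1), 16);
            if (hi < 0 || lo < 0) {
                throw new IllegalArgumentException("not a hex string");
            }
            out[i] = (byte) ((hi << 4) | lo);
        }
        return out;
    }

    public static void main(String[] args) {
        // Sample values are constructed for the demonstration.
        PasswordEncoder encoder = new ConfigurablePasswordEncoder("SHA-512", "site-wide-secret");
        String stored = encoder.encode("correct horse battery staple");
        System.out.println("stored value: " + stored);
        System.out.println("right password matches: " + encoder.matches("correct horse battery staple", stored));
        System.out.println("wrong password matches:  " + encoder.matches("wrong password", stored));
        System.out.println("re-encoding gives same value: " + encoder.encode("correct horse battery staple").equals(stored));
    }
}
```

Because the salt travels inside the stored string, the encoder can be handed to DaoAuthenticationProvider as a plain o.s.s.crypto.password.PasswordEncoder without any external salt source, which is exactly what the deprecated encodePassword(rawPass, salt) interface was trying to provide. Re-encoding the same password yields a different string each time, so compare with matches(), never with String.equals().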