Spring Security's PasswordEncoder makes it easy to generate salted and stretched hash values. This article walks through a sample.
Environment: JDK 1.8, Spring Boot 1.5.3.RELEASE, Spring Security 4.2.2.RELEASE
Spring Security PasswordEncoder class diagram
It may be hard to see, but the class diagram of PasswordEncoder in Spring Security 4.2.2.RELEASE is as follows.
There are six implementation classes of the PasswordEncoder interface.
| PasswordEncoder implementation class | Overview |
|---|---|
| AbstractPasswordEncoder | - |
| NoOpPasswordEncoder | Encoder without hashing (for tests) |
| Pbkdf2PasswordEncoder | Encoder that hashes with PBKDF2, with a configurable number of iterations and a random 8-byte salt value |
| StandardPasswordEncoder | Encoder that hashes with SHA-256 and 1024 stretching iterations |
| BCryptPasswordEncoder | Encoder that hashes with the bcrypt algorithm |
| SCryptPasswordEncoder | Encoder that hashes with the scrypt algorithm |
In this article, I will use BCryptPasswordEncoder for hashing.
Add the Spring Security dependencies.
pom.xml
```xml
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-core</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-web</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-config</artifactId>
</dependency>
```
This time, the sample is a CLI implemented with CommandLineRunner.
SpringBootEncodeApplication.java
```java
package com.example;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.CommandLineRunner;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.context.annotation.Bean;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@SpringBootApplication
public class SpringBootEncodeApplication implements CommandLineRunner {

    @Autowired
    PasswordEncoder passwordEncoder;

    public static void main(String[] args) {
        SpringApplication.run(SpringBootEncodeApplication.class, args);
    }

    // Register BCryptPasswordEncoder as the PasswordEncoder bean (default strength 10).
    @Bean
    PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Override
    public void run(String... args) {
        String password = "#fe?3d31";
        // encode() generates a random salt and returns the bcrypt string.
        String digest = passwordEncoder.encode(password);
        System.out.println("Hash value= " + digest);
        // matches() re-hashes the plaintext with the salt stored in digest and compares.
        if (passwordEncoder.matches(password, digest)) {
            System.out.println("It matched");
            return;
        }
        System.out.println("It didn't match");
    }
}
```
Hash the plaintext password (password) with the PasswordEncoder's encode method; the hashed result is digest. Then use the PasswordEncoder's matches method to check the plaintext password (password) against the hash value (digest) returned by encode.
Execution result:
```
Hash value= $2a$10$im98CLRwtWohvPE6wZkYk.Os.RXZVF0iROJXL8vUn7TGrfWoixTdq
It matched
```
The hash value generated above is as follows.
```
$2a$10$im98CLRwtWohvPE6wZkYk.Os.RXZVF0iROJXL8vUn7TGrfWoixTdq
```
Its layout is as follows.
| Character position | String | Overview |
|---|---|---|
| 1st to 3rd | $2a | The bcrypt version identifier. |
| 4th to 6th | $10 | The cost factor. The number of stretching iterations (rounds of the hashing operation) is 2 to this power, so in this example 2^10 = 1024 rounds. |
| 7th to 29th | $im98CLRwtWohvPE6wZkYk. | The salt value (22 characters after the $). |
| 30th to last | Os.RXZVF0iROJXL8vUn7TGrfWoixTdq | The hash of the password itself. |
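The layout above can be read back from any stored hash, and because the salt and cost travel inside the string, matches() verifies a hash even when the encoder was later constructed with a higher strength. The following class is an added example (not part of the original post); it assumes the same Spring Security 4.2.2 BCryptPasswordEncoder API, and BcryptHashInspector and its parse method are names introduced here.

```java
package com.example;

import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

/** Added example: split a bcrypt string into its fields and exercise matches(). */
public class BcryptHashInspector {

    /** Fields of "$2a$10$<22-char salt><31-char hash>", positions as in the table above. */
    static final class BcryptFields {
        final String version, salt, hash;
        final int cost;
        BcryptFields(String version, int cost, String salt, String hash) {
            this.version = version; this.cost = cost; this.salt = salt; this.hash = hash;
        }
        long rounds() { return 1L << cost; }   // 2^cost stretching rounds
    }

    static BcryptFields parse(String encoded) {
        // Layout: 7-char prefix "$2a$10$" + 22 salt chars + 31 hash chars = 60 chars total
        if (encoded == null || encoded.length() != 60 || !encoded.startsWith("$2")) {
            throw new IllegalArgumentException("not a bcrypt hash string");
        }
        String version = encoded.substring(0, 3);             // "$2a"
        int cost = Integer.parseInt(encoded.substring(4, 6)); // "10"
        String salt = encoded.substring(7, 29);               // 22 characters
        String hash = encoded.substring(29);                  // 31 characters
        return new BcryptFields(version, cost, salt, hash);
    }

    public static void main(String[] args) {
        // Strength 12 means 2^12 rounds; the article used the default of 10.
        PasswordEncoder encoder = new BCryptPasswordEncoder(12);
        String password = "#fe?3d31";   // same sample password as the article

        String first = encoder.encode(password);
        String second = encoder.encode(password);
        BcryptFields f = parse(first);
        System.out.println("cost=" + f.cost + " rounds=" + f.rounds() + " salt=" + f.salt);

        // A fresh random salt is drawn on every call, so the stored strings differ ...
        System.out.println("hashes differ: " + !first.equals(second));
        // ... but matches() reads salt and cost from each hash, so both verify.
        System.out.println("both match: " + (encoder.matches(password, first)
                && encoder.matches(password, second)));
        // The cost-10 hash from the article still verifies with this strength-12 encoder.
        String articleHash = "$2a$10$im98CLRwtWohvPE6wZkYk.Os.RXZVF0iROJXL8vUn7TGrfWoixTdq";
        System.out.println("article hash matches: " + encoder.matches(password, articleHash));
        System.out.println("wrong password rejected: " + !encoder.matches("wrong", first));
    }
}
```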
As shown above, Spring Security's PasswordEncoder lets you generate salted and stretched hash values and easily verify plaintext passwords against them.