
Use SHA256 by default in Remember Me

Closes gh-11520
Marcus Da Coregio %!s(int64=3) %!d(string=hai) anos
0c549ee147

+ 2 - 2
docs/modules/ROOT/pages/servlet/authentication/rememberme.adoc

@@ -114,9 +114,9 @@ A `key` is shared between this authentication provider and the `TokenBasedRememb
 In addition, `TokenBasedRememberMeServices` requires a `UserDetailsService`, from which it can retrieve the username and password for signature comparison purposes and generate the `RememberMeAuthenticationToken` to contain the correct `GrantedAuthority` instances.
 `TokenBasedRememberMeServices` also implements Spring Security's `LogoutHandler` interface so that it can be used with `LogoutFilter` to have the cookie cleared automatically.
 
-By default, this implementation uses the MD5 algorithm to encode the token signature.
+By default, this implementation uses the SHA-256 algorithm to encode the token signature.
 To verify the token signature, the algorithm retrieved from `algorithmName` is parsed and used.
-If no `algorithmName` is present, the default matching algorithm will be used, which is MD5.
+If no `algorithmName` is present, the default matching algorithm will be used, which is SHA-256.
 You can specify different algorithms for signature encoding and for signature matching, this allows users to safely upgrade to a different encoding algorithm while still able to verify old ones if there is no `algorithmName` present.
 To do that you can specify your customized `TokenBasedRememberMeServices` as a Bean and use it in the configuration.
 

+ 2 - 2
web/src/main/java/org/springframework/security/web/authentication/rememberme/TokenBasedRememberMeServices.java

@@ -94,9 +94,9 @@ import org.springframework.util.StringUtils;
  */
 public class TokenBasedRememberMeServices extends AbstractRememberMeServices {
 
-	private static final RememberMeTokenAlgorithm DEFAULT_MATCHING_ALGORITHM = RememberMeTokenAlgorithm.MD5;
+	private static final RememberMeTokenAlgorithm DEFAULT_MATCHING_ALGORITHM = RememberMeTokenAlgorithm.SHA256;
 
-	private static final RememberMeTokenAlgorithm DEFAULT_ENCODING_ALGORITHM = RememberMeTokenAlgorithm.MD5;
+	private static final RememberMeTokenAlgorithm DEFAULT_ENCODING_ALGORITHM = RememberMeTokenAlgorithm.SHA256;
 
 	private final RememberMeTokenAlgorithm encodingAlgorithm;
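Review bot: Changing DEFAULT_MATCHING_ALGORITHM on the new line `DEFAULT_MATCHING_ALGORITHM = RememberMeTokenAlgorithm.SHA256` silently invalidates remember-me cookies issued under the previous default, because a token that carries no algorithm name is now verified with SHA-256 instead of MD5, and the hunk leaves that migration consequence undocumented at the constant. A comment such as `// Tokens issued before SHA-256 became the default carry no algorithm name and are verified with this; configure MD5 as the matching algorithm during an upgrade to keep honouring them` would point upgraders at the dual-algorithm support the docs section of this commit describes. The constructor or setter that accepts a separate matching algorithm is outside the hunk, so I am inferring its existence from that docs text. The class Javadoc closes on the first hunk line; if its body still names MD5 as the default it needs the same update, but that text is also outside the hunk.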
 

+ 3 - 3
web/src/test/java/org/springframework/security/web/authentication/rememberme/TokenBasedRememberMeServicesTests.java

@@ -407,7 +407,7 @@ public class TokenBasedRememberMeServicesTests {
 		assertThat(cookie.getMaxAge()).isEqualTo(this.services.getTokenValiditySeconds());
 		assertThat(CodecTestUtils.isBase64(cookie.getValue().getBytes())).isTrue();
 		assertThat(new Date().before(new Date(determineExpiryTimeFromBased64EncodedToken(cookie.getValue())))).isTrue();
-		assertThat("MD5").isEqualTo(determineAlgorithmNameFromBase64EncodedToken(cookie.getValue()));
+		assertThat("SHA256").isEqualTo(determineAlgorithmNameFromBase64EncodedToken(cookie.getValue()));
 	}
 
 	@Test
@@ -459,11 +459,11 @@ public class TokenBasedRememberMeServicesTests {
 	}
 
 	@Test
-	public void constructorWhenNoEncodingAlgorithmSpecifiedThenMd5() {
+	public void constructorWhenNoEncodingAlgorithmSpecifiedThenSha256() {
 		TokenBasedRememberMeServices rememberMeServices = new TokenBasedRememberMeServices("key", this.uds);
 		RememberMeTokenAlgorithm encodingAlgorithm = (RememberMeTokenAlgorithm) ReflectionTestUtils
 				.getField(rememberMeServices, "encodingAlgorithm");
-		assertThat(encodingAlgorithm).isSameAs(RememberMeTokenAlgorithm.MD5);
+		assertThat(encodingAlgorithm).isSameAs(RememberMeTokenAlgorithm.SHA256);
 	}
 
 }
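Review bot: The assertion on the changed line `assertThat("SHA256").isEqualTo(determineAlgorithmNameFromBase64EncodedToken(cookie.getValue()));` still has actual and expected reversed, so a regression would report the literal as the unexpected value; since the commit touches this line anyway, flip it to `assertThat(determineAlgorithmNameFromBase64EncodedToken(cookie.getValue())).isEqualTo("SHA256");`. The renamed test in the second hunk pins only the encoding default, yet the commit also changes DEFAULT_MATCHING_ALGORITHM, and no updated test reads whichever field holds the matching algorithm, so a parallel `constructorWhenNoMatchingAlgorithmSpecifiedThenSha256` would close that gap unless one already exists elsewhere in the file. The test method containing the first hunk starts outside the hunk.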