|
|
@@ -6,34 +6,39 @@ import java.security.NoSuchAlgorithmException;
|
|
|
|
|
|
import org.springframework.security.core.codec.Base64;
|
|
|
import org.springframework.security.core.codec.Hex;
|
|
|
+import org.springframework.util.Assert;
|
|
|
|
|
|
/**
|
|
|
* Base for digest password encoders.
|
|
|
- * <p>This class can be used stand-alone, or one of the subclasses can be used for compatiblity and convenience.
|
|
|
+ * <p>
|
|
|
+ * This class can be used stand-alone, or one of the subclasses can be used for compatiblity and convenience.
|
|
|
* When using this class directly you must specify a
|
|
|
- * <a href="http://java.sun.com/j2se/1.4.2/docs/guide/security/CryptoSpec.html#AppA">
|
|
|
- * Message Digest Algorithm</a> to use as a constructor arg</p>
|
|
|
- *
|
|
|
- * <p>The encoded password hash is normally returned as Hex (32 char) version of the hash bytes.
|
|
|
+ * <a href="http://java.sun.com/j2se/1.5.0/docs/guide/security/CryptoSpec.html#AppA">
|
|
|
+ * Message Digest Algorithm</a> to use as a constructor arg.
|
|
|
+ * <p>
|
|
|
+ * The encoded password hash is normally returned as Hex (32 char) version of the hash bytes.
|
|
|
* Setting the <tt>encodeHashAsBase64</tt> property to <tt>true</tt> will cause the encoded pass to be returned
|
|
|
* as Base64 text, which will consume 24 characters.
|
|
|
* See {@link BaseDigestPasswordEncoder#setEncodeHashAsBase64(boolean)}
|
|
|
- * </p>
|
|
|
* <p>
|
|
|
- * This PasswordEncoder can be used directly as in the following example:<br/>
|
|
|
+ * This {@code PasswordEncoder} can be used directly as in the following example:
|
|
|
* <pre>
|
|
|
* <bean id="passwordEncoder" class="org.springframework.security.authentication.encoding.MessageDigestPasswordEncoder">
|
|
|
* <constructor-arg value="MD5"/>
|
|
|
* </bean>
|
|
|
* </pre>
|
|
|
- * </p>
|
|
|
+ * <p>
|
|
|
+ * If desired, the {@link #setIterations iterations} property can be set to enable
|
|
|
+ * "<a href="http://en.wikipedia.org/wiki/Key_strengthening">password stretching</a>" for the digest calculation.
|
|
|
*
|
|
|
* @author Ray Krueger
|
|
|
+ * @author Luke Taylor
|
|
|
* @since 1.0.1
|
|
|
*/
|
|
|
public class MessageDigestPasswordEncoder extends BaseDigestPasswordEncoder {
|
|
|
|
|
|
private final String algorithm;
|
|
|
+ private int iterations = 1;
|
|
|
|
|
|
/**
|
|
|
* The digest algorithm to use
|
|
|
@@ -81,6 +86,11 @@ public class MessageDigestPasswordEncoder extends BaseDigestPasswordEncoder {
|
|
|
throw new IllegalStateException("UTF-8 not supported!");
|
|
|
}
|
|
|
|
|
|
+ // "stretch" the encoded value if configured to do so
|
|
|
+ for (int i = 1; i < iterations; i++) {
|
|
|
+ digest = messageDigest.digest(digest);
|
|
|
+ }
|
|
|
+
|
|
|
if (getEncodeHashAsBase64()) {
|
|
|
return new String(Base64.encode(digest));
|
|
|
} else {
|
|
|
@@ -122,4 +132,17 @@ public class MessageDigestPasswordEncoder extends BaseDigestPasswordEncoder {
|
|
|
public String getAlgorithm() {
|
|
|
return algorithm;
|
|
|
}
|
|
|
+
|
|
|
+ /**
|
|
|
+ * Sets the number of iterations for which the calculated hash value should be "stretched". If this is greater
|
|
|
+ * than one, the initial digest is calculated, the digest function will be called repeatedly on the result for
|
|
|
+ * the additional number of iterations.
|
|
|
+ *
|
|
|
+ * @param iterations the number of iterations which will be executed on the hashed password/salt
|
|
|
+ * value. Defaults to 1.
|
|
|
+ */
|
|
|
+ public void setIterations(int iterations) {
|
|
|
+ Assert.isTrue(iterations > 0, "Iterations value must be greater than zero");
|
|
|
+ this.iterations = iterations;
|
|
|
+ }
|
|
|
}
|
Luke Taylor